Workspace 365

Authorization management: Setting the appropriate permissions

Written by Kelly van der Horst | Sep 10, 2020 10:00:00 PM

In any digital workspace you have to ensure that people have the right level of access to applications. When these 'authorizations' are right, you can offer smooth employee onboarding, improve daily operations and maintain security standards. Permissions are not uniform from application to application and there can be a lot of detail to navigate. That is why we will look at aspects of authorization management. We cover why it is important, give some practical tips on writing a 'delegation of authority' matrix, and look at other critical factors to consider.

What is authorization management and why is it important?

Authorization management can be considered to be the approach and practices that are applied to ensure people have the correct level of access to different applications, so that they can carry out their role while also maintaining the integrity of organisational and IT policies relating to security, data privacy and more.

We recently looked at the wider issue of managing permissions and access across a digital workspace. This established a number of reasons why having a robust approach in this whole area, including authorization management, is important, including:

  • Minimising risks to security and privacy: the consequences of breaching legal and regulatory commitments can be very serious, including leading to serious reputational damage.
  • Maintaining digital workplace governance: IT and digital workplace teams often need to apply some level of governance and control to a digital workspace, for example locking down the use of particular tools.
  • Individual application governance: to ensure the good management of different tools, managing authorizations, particularly on who has administrator-level access, is important.
  • The fluidity of access: people within organisations change rapidly with a high turnover of staff, contractors and temporary staff - authorizations need to be managed to keep up with the changes and allow everyone to work successfully.

Additionally, an application may have some licensing conditions relating to the number of people who are authorized to have full administrator access, for example, and this may also need to be tightly managed.

What factors need to be taken into account to define authorization management?

There are multiple factors that need to be considered to help define the detail of the authorization you set for different apps. These include:

  • The security policies of your company and IT function that are driven by legal, regulatory and technical considerations.
  • The structure of your organisation and how IT is supported, which may dictate different levels of authorization e.g. a central team, a regional team and then a local team.
  • The resourcing levels of the central IT or digital workspace team, and the relative resourcing of power users and admins throughout the business, which can influence whether certain tasks are carried out centrally or locally.
  • The level of expertise required to carry out certain tasks with an app and the relative experience of local admins.
  • How individual apps are set up and the level of granularity that can be applied to permissions to do different tasks (e.g. it might not be possible to give local admins many authorizations because the way the app is built gives too many rights to them).
  • The extent to which the app is adopted - for example, a highly specialist app that is only used by one business team may not even come under the scope of authorization management policies.
  • The business value of granting authorization to different roles.
  • The bigger picture around digital workspace governance and adoption that can influence transferring more power to local admins to help drive a more sustainable digital workplace.

All this may sound complex and detailed, but once you start working through the details of your authorization management, it is more straightforward than you think. A great place to start is using the concept of the 'delegation of authority' to work out the levels of access roles need, and then define an authorization matrix.

What is a delegation of authority?

In a wider business sense, a 'delegation of authority' is a policy or control, usually written as a statement, that defines the responsibilities and level of authority of a particular role, in particular the business processes and tasks that role can carry out and the decisions it can make. These are used, for example, to ensure corporate governance is in place, and to minimise business risk.

The delegation of authority is a useful concept to consider when working out the authorizations you grant in particular applications.

One of the mega-trends over the past two decades in how IT departments support the rest of the organisation is that more and more power has gradually been transferred throughout the organisation. This decentralisation of IT means that power users, local admins and even end users throughout an organisation are now authorized to perform more and more tasks and operations.

Example of power delegation

For example, a power user on a particular application within a particular team might be authorized to set up collaboration sites and invite users to join them. In larger, more complex and global companies, this 'decentralisation' sometimes happens on multiple levels, with central IT teams, local IT teams in a particular country, and then power users all being authorized to perform different tasks.

Match policies to the delegation of authority

The policies of 'who can do what' for each application can be matched to a 'delegation of authority', where you are defining which roles in the organisation are authorized to carry out which tasks within a particular application, effectively delegating the responsibility from central IT and management, and trusting and empowering people and the business to manage and use applications.

Therefore, if you spend time on defining a delegation of authority for different roles, you can then work out the specific permissions across applications that need to be defined for those roles.

Realistically, central IT and digital workspace teams will need to work with local business stakeholders and contacts throughout the organisation. Here, a template in Word or Excel that details the delegation of authority for different roles across different divisions can help. This should cover:

  • Major tasks relating to different applications (e.g. invite a local user to the app)
  • The roles that have the authority to carry out those tasks in that division (e.g. Team Lead, Executive Assistant, Power User network member)
  • The names of any corresponding individuals or Active Directory groups
  • The level of access within the app that corresponds to the level of authority (e.g. Local administrator access)

What levels of authority are there in applications?

Different apps will have different levels of permissions depending on what they do, but at a high level this can be:

  • Central administrators who usually have global access to change enterprise-wide settings, usually within the IT function
  • Divisional administrators who may be able to grant settings for their particular section of the organisation and define who power users are
  • Power users, or local or team administrators, who then may have more rights and work with either site owners or end users for their section
  • Site owners, who run a particular group or site, if applicable
  • Normal end users
  • Read only users

Obviously, these will vary from organisation to organisation, and from application to application. Typically, the elements that are important to consider in all of the above are:

  • The ability to set global settings that reflect IT policies
  • The ability to add new administrators and new users
  • The ability to view particular sites or information
  • The ability to interact with different elements of the app.

Creating a delegation of authority matrix or authorization matrix

When you have all this information you can start to bring it together in an authorization matrix, or delegation of authority matrix, which lets you match the permissions required for each app to the roles in each division. For a central IT or digital workspace team you may only need to capture the higher-level admin access in this, because the access at a local level is decided by local administrators.

So, even though what we have described in this article sounds potentially complex and very detailed, your authority matrix is likely to be far simpler once you actually detail it. Often, for example, you may just have a set of local administrators or power users for most tasks.

In our experience, the matrix is usually best captured on a spreadsheet. You may have different tabs for each application. There is no standard format, but a sheet might capture:

  • The different divisions or locations in your organisation e.g. HR, Brussels Office
  • The key tasks relevant to the app and the associated level of access e.g. Set up new users (Local Admin access)
  • And then the associated roles across each division or location
  • Potentially the names of the people in that role too.

Making authorization management sustainable

Several approaches can help you to make your approach to authorization management more sustainable. These include:

  • Keep documentation up to date that shows the levels of authorization available for each app
  • When new apps come into use within the business add them to your authorization matrix
  • Allow everyone to view your authorization matrix, for example via the IT team's intranet page. This allows for transparency and encourages you to keep it up to date.
  • Have a clear process for when a user wants to request admin access to an app
  • Map training on specific apps to roles and responsibilities in the authorization matrix
  • Have a process in place to update authorizations when people leave and join the company.
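The matrix becomes a working control once it is compared with what each app has actually granted. The following is an added example, not part of the original article and not Workspace 365 code: it reconciles a matrix sheet exported as CSV against an app's access export and a staff roster. The column names, sample rows and finding labels are all constructed assumptions.

```python
import csv
import io

# Constructed matrix tab: one row per app, division and task.
MATRIX_CSV = """app,division,task,access_level,role,assignees
Intranet,HR,Set up new users,Local Admin,Team Lead,alice;bob
Intranet,Brussels Office,Set up new users,Local Admin,Power User,carol
Intranet,Central IT,Change global settings,Central Admin,IT Administrator,dave
"""

# Constructed export of the access actually granted inside the app.
GRANTS_CSV = """app,division,user,access_level
Intranet,HR,alice,Local Admin
Intranet,HR,erin,Local Admin
Intranet,Brussels Office,carol,Central Admin
Intranet,Central IT,dave,Central Admin
Intranet,HR,bob,Local Admin
"""

ACTIVE_USERS = {"alice", "carol", "dave", "erin"}  # constructed roster; bob has left

def load_matrix(text):
    """Map (app, division, user) to the access levels the matrix authorizes."""
    allowed = {}
    for row in csv.DictReader(io.StringIO(text)):
        for user in filter(None, (u.strip() for u in row["assignees"].split(";"))):
            key = (row["app"], row["division"], user)
            allowed.setdefault(key, set()).add(row["access_level"])
    return allowed

def reconcile(matrix_text, grants_text, active_users):
    """Return sorted findings where granted access and the matrix disagree."""
    allowed, granted, findings = load_matrix(matrix_text), set(), []
    for g in csv.DictReader(io.StringIO(grants_text)):
        key = (g["app"], g["division"], g["user"])
        granted.add(key + (g["access_level"],))
        if g["user"] not in active_users:        # leaver process was missed
            findings.append(("LEAVER_STILL_HAS_ACCESS", *key, g["access_level"]))
        elif g["access_level"] not in allowed.get(key, set()):
            findings.append(("NOT_IN_MATRIX", *key, g["access_level"]))
    for key, levels in allowed.items():          # authorized but never provisioned
        for level in levels:
            if key[2] in active_users and key + (level,) not in granted:
                findings.append(("MATRIX_NOT_PROVISIONED", *key, level))
    return sorted(findings)
```

A `NOT_IN_MATRIX` finding means either the grant should be revoked or the matrix is out of date; deciding which is the review step the list above calls for.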

Authorization management in Workspace 365

Recognising the importance of authorization management, we reflected this in Workspace 365, and covered it recently in our article about managing permissions. Workspace 365 settings have the granularity to match the detail of your authority matrix.

For example, it is very simple to set who has access to a particular app accessed through Workspace 365. In the App Store, each individual app has settings, including a powerful Conditional Access feature, that allows IT teams to set policies relating to individual app access based on different criteria, such as device type or network.

In Workspace 365 there are also robust controls over who can manage various aspects of each workspace. Permissions can be easily set for various capabilities, including the ability to edit your own workspace, create apps in the app store, create and manage announcements and so on.

See authorization management in a demo

Authorization management can get quite detailed and complex, but using the right tools and approaches means it can be far more straightforward. Using an authority matrix based on delegation of authority is a good place to start.

If you'd like to understand how permissions and authorization management work in Workspace 365, then arrange a free demo.