An authorization concept is a precisely defined set of rules. It defines the access rights to the data and functions of an IT system. The individual processes required to implement the authorization concept are usually described as well, for example the creation and deletion of user accounts and the requirements for password creation.
The importance of an authorization concept
Many companies already protect their IT systems very well against unauthorized access from outside. Firewalls and intrusion detection systems play their part in a secure IT landscape. In contrast, the threats to data security from within the company are often underestimated. This is where the authorization concept fits into the company’s security architecture. Ideally, only those employees who need access to certain data for their work should have access to it.
In principle, an authorization concept is the result of individual planning. If the defined rules are too strict, this can lead to a reduction in productivity. However, if the specifications of the concept are not strict enough, this can lead to problems with data security.
Basic concept and role
A basic concept defines which resources may be accessed by which users. The type of access is also defined here: certain users may, for example, be allowed to read a data record but not to change it. Because the number of possible combinations of users, resources and rights is large, this type of concept quickly becomes hard to keep track of.
To keep access rights clear and easy to manage, roles are defined instead. A role is a precisely defined group of authorizations that can be assigned to a user. Users then only have access to the data they need to perform their tasks.
The importance of the authorization concept from the perspective of the GDPR
Until now, the following principle has often applied when designing an authorization concept: people should only be able to access data that is intended for their inspection, and conversely they must not have access to data that is not intended for them. This is changing with the implementation of the GDPR. The authorization concept must now be expanded to include the principle of purpose limitation. This means that an employee may only access the data that they absolutely need to carry out their work, and only for the purpose for which the data was originally collected.
There is also the documentation obligation. In future, every company must not only record the authorization concept, but also document its concrete implementation in a verifiable manner.
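To make the three points above concrete, here is an added example (not code from the original article): a small, default-deny authorization check in Python. It shows the role approach from the section on basic concepts and roles (users receive roles, roles bundle permissions, so the number of assignments stays at users x roles rather than users x resources x rights), extends it with the GDPR purpose limitation described above (a role also states the purposes for which its data may be processed, and a request for another purpose is denied even when the permission itself exists), and records every decision in a log that can serve as verifiable documentation of how the concept is actually enforced. All users, roles, resources and purposes are constructed sample data.

```python
"""Role-based authorization check with purpose limitation and a decision log.

Added example, not code from the original article. All users, roles,
resources and purposes below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (action, resource), e.g. ("read", "payroll")


@dataclass(frozen=True)
class Role:
    """A named bundle of permissions, bound to the purposes for which the
    covered data may be processed (GDPR purpose limitation)."""
    name: str
    permissions: frozenset
    purposes: frozenset


@dataclass
class Decision:
    """One logged access decision; the log is the verifiable record."""
    user: str
    action: str
    resource: str
    purpose: str
    allowed: bool
    reason: str


@dataclass
class Authorizer:
    roles: Dict[str, Role]
    user_roles: Dict[str, Set[str]]   # users are assigned roles, never raw rights
    log: List[Decision] = field(default_factory=list)

    def effective_permissions(self, user: str) -> Set[Permission]:
        """Union of the permissions of all roles assigned to a user."""
        perms: Set[Permission] = set()
        for role_name in self.user_roles.get(user, set()):
            perms |= self.roles[role_name].permissions
        return perms

    def check(self, user: str, action: str, resource: str, purpose: str) -> bool:
        """Default-deny check: allow only if some assigned role grants the
        (action, resource) pair *and* lists the stated purpose."""
        wrong_purpose = []
        for role_name in self.user_roles.get(user, set()):
            role = self.roles[role_name]
            if (action, resource) not in role.permissions:
                continue
            if purpose in role.purposes:
                return self._record(user, action, resource, purpose, True,
                                    f"granted by role {role_name}")
            wrong_purpose.append(role_name)
        if wrong_purpose:
            reason = (f"role(s) {', '.join(wrong_purpose)} grant {action} on "
                      f"{resource} but not for purpose {purpose}")
        else:
            reason = "no assigned role grants this permission"
        return self._record(user, action, resource, purpose, False, reason)

    def _record(self, user, action, resource, purpose, allowed, reason) -> bool:
        self.log.append(Decision(user, action, resource, purpose, allowed, reason))
        return allowed


def build_sample_authorizer() -> Authorizer:
    """Constructed sample data: two roles, two users."""
    roles = {
        "payroll_clerk": Role("payroll_clerk",
                              frozenset({("read", "payroll"), ("write", "payroll")}),
                              frozenset({"salary_processing"})),
        "hr_viewer": Role("hr_viewer",
                          frozenset({("read", "personnel_file")}),
                          frozenset({"hr_administration"})),
    }
    user_roles = {"alice": {"payroll_clerk"}, "bob": {"hr_viewer"}}
    return Authorizer(roles, user_roles)


if __name__ == "__main__":
    auth = build_sample_authorizer()
    auth.check("alice", "read", "payroll", "salary_processing")   # allowed
    auth.check("alice", "read", "payroll", "marketing_analysis")  # denied: purpose
    auth.check("bob", "write", "payroll", "salary_processing")    # denied: no role
    for d in auth.log:
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {d.user} {d.action} "
              f"{d.resource} for {d.purpose}: {d.reason}")
```

The second request is the one the GDPR extension catches: alice holds a role that allows reading payroll data, but the purpose she states is not one the role was defined for, so the check denies it and the log entry says why. Reviewing the log later, or exporting it, is one way to meet the documentation obligation for how the concept is applied in practice.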
As a concrete application example, files containing personal data should not be sent as email attachments. Instead, these files should be stored in folders on the server that are protected by the authorization concept, and a link to the shared folder is then sent to the relevant colleagues by email.
Further reading:
- https://www.datenschutz-notizen.de/fehlendes-berec…
- https://erp-news.info/augen-auf-bei-der-omnichanne…
Legal notice:
The free and freely accessible content of this website has been created with the greatest possible care. However, we expressly point out that we assume no guarantee or other responsibility for the accuracy, currency or completeness of the journalistic guides and information provided on this website.
The content on this website is not intended as legal advice for your company on which you can rely for compliance with the legal regulations on data protection – in particular the GDPR – nor can it replace individual legal advice.
Furthermore, by accessing this free and freely accessible content, no contractual relationship is established between us and you as a user of the website in the absence of a corresponding legally binding intention on our part.