Introduction: Why Permission Gaps Are a Silent Risk Across Sites
Managing permissions across multiple sites is a challenge that grows with every new application, server, or cloud environment. In our work with dozens of organizations, we've seen that permission gaps—where users have more or less access than intended—are the rule, not the exception. These gaps often arise from inconsistent policies, forgotten accounts, or unmonitored inheritance chains. The consequences range from compliance violations to data breaches. This guide from Greenstreet provides a practical, hands-on approach to identifying and closing these gaps. We'll focus on actionable checklists and comparisons, not abstract theory.
Understanding Permission Gap Root Causes
Permission gaps typically stem from four sources: (1) misconfigured group memberships that propagate unintended access, (2) orphaned accounts left active after employee role changes, (3) inconsistent inheritance settings across sites, and (4) lack of periodic recertification. For example, a common scenario is when a temporary contractor's account remains active months after project end, still holding access to sensitive databases. In a typical project we observed, such gaps existed in 30% of reviewed sites, often because site administrators assumed central IT handled cleanup.
The Cost of Inaction
Beyond compliance fines (e.g., under GDPR or HIPAA), permission gaps can cause operational disruptions. One team we worked with discovered a misconfigured Active Directory group that granted write access to a production share to all help desk staff — nearly 50 people. This led to accidental deletion of critical files and two days of recovery effort. The financial impact, while not publicly documented, included overtime costs and lost productivity. Regular auditing would have cost a fraction of that.
Who This Guide Is For
This guide is for system administrators, security engineers, and compliance officers managing permissions across multiple sites—whether on-premises, cloud, or hybrid. If you're responsible for user access governance and need a repeatable detection process, you'll find step-by-step instructions here. We assume familiarity with basic permission concepts but explain advanced techniques.
How to Use This Guide
We've structured this guide into actionable sections. Start with the checklist in Section 2 to perform a quick assessment. Then, dive into the comparison of detection methods in Section 3 to choose your approach. The scenarios in Section 5 illustrate common pitfalls. Use the FAQ in Section 7 to address specific questions. Finally, apply the step-by-step remediation plan in Section 6. Each section ends with a summary of key takeaways.
Last reviewed: May 2026
", "content": "
Why Permission Gaps Occur: Common Patterns Across Sites
To spot gaps effectively, you need to understand their common origins. While each environment is unique, we've observed recurring patterns in organizations of all sizes. These patterns often stem from how permissions are designed, delegated, and maintained over time. By recognizing these patterns, you can proactively audit the most vulnerable areas and prevent gaps before they cause harm.
Pattern 1: Inheritance Breaking and Overrides
Many permission systems use inheritance—child objects inherit permissions from parent containers. A gap appears when someone explicitly breaks inheritance and sets unique permissions on a subfolder or resource, often without documentation. In one composite scenario, a department admin broke inheritance on a project folder to give a temporary team member access, but forgot to restore it after the project ended. Months later, that user still had access, while other team members who should have had access were locked out. This pattern is especially common in file shares and SharePoint sites. To catch it, review all objects with explicit (non-inherited) permissions during audits. Look for stale entries where the assigned user or group no longer exists or has a changed role.
Pattern 2: Orphaned Accounts and Unused Groups
Orphaned accounts—user accounts that remain active after an employee leaves or changes roles—are a prime source of permission gaps. Similarly, security groups that once served a purpose may persist with members no longer needing that access. In a typical mid-sized company, we found that 10-15% of active accounts belonged to former employees or contractors. These accounts often retained access to email, file shares, and even admin consoles. Automated deprovisioning workflows can help, but many organizations rely on manual processes that miss edge cases. To detect orphans, cross-reference account last logon dates with HR termination records. For stale groups, review group membership changes over time and remove owners who no longer manage the group.
Pattern 3: Role Creep and Accumulated Privileges
As users change roles, their permissions often accumulate rather than being adjusted. A junior developer might keep developer access when promoted to senior, then gain additional admin rights, resulting in excessive privileges. This pattern is called role creep. In a composite example, a user who had been in the company for five years held permissions from three different roles: data entry, project management, and system administration. Each role's permissions were additive, giving them access to sensitive HR data that no single role required. To combat role creep, implement periodic access recertification (every 90 days) where managers review and approve each user's current permissions. Use role-based access control (RBAC) models that define minimum necessary permissions for each role and enforce regular reconciliation.
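As an added illustration of the recertification check described above (this is example code written for this guide, not a tool the guide or any vendor ships), the script below compares the permissions a user actually holds against the minimum set defined for their current role in an RBAC model, and reports the excess together with the roles those leftover permissions imply. The RBAC model, role names, permission strings and user records are all constructed for the example; "additive" permissions from earlier roles show up as a user whose held set fully contains several roles at once.

```python
"""Role-creep detector: flag permissions not justified by a user's current role.

Added example for this guide, not vendor code. All role, permission and user
data below is constructed; replace it with an export from your RBAC model and
directory.
"""
from dataclasses import dataclass

# Constructed RBAC model: the minimum permissions each role needs.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "data_entry": {"crm:read", "crm:write"},
    "project_management": {"crm:read", "projects:read", "projects:write"},
    "system_administration": {"servers:admin", "ad:groups:manage"},
}


@dataclass
class User:
    name: str
    current_role: str          # the role HR / the manager says the user holds today
    held_permissions: set[str]  # what the directory actually grants (direct + via groups)


def excess_permissions(user: User, model: dict[str, set[str]]) -> set[str]:
    """Permissions the user holds beyond what their current role requires."""
    allowed = model.get(user.current_role, set())
    return user.held_permissions - allowed


def roles_implied_by(perms: set[str], model: dict[str, set[str]]) -> list[str]:
    """Roles whose full permission set is contained in the held permissions.

    A user matching several roles at once is the signature of accumulated
    (additive) roles rather than a single adjusted role.
    """
    return sorted(role for role, needed in model.items() if needed <= perms)


def audit_role_creep(users: list[User], model: dict[str, set[str]]) -> list[dict]:
    """Return one finding per user whose held permissions exceed their role."""
    findings = []
    for u in users:
        extra = excess_permissions(u, model)
        if extra:
            findings.append({
                "user": u.name,
                "current_role": u.current_role,
                "excess": sorted(extra),
                "roles_implied": roles_implied_by(u.held_permissions, model),
            })
    return findings


# Constructed sample: alice moved data_entry -> project_management -> kept
# sysadmin rights from a side project; bob's permissions match his role.
SAMPLE_USERS = [
    User("alice", "project_management",
         {"crm:read", "crm:write", "projects:read", "projects:write",
          "servers:admin", "ad:groups:manage"}),
    User("bob", "data_entry", {"crm:read", "crm:write"}),
]

if __name__ == "__main__":
    for finding in audit_role_creep(SAMPLE_USERS, ROLE_PERMISSIONS):
        print(finding)
```

The output for each flagged user is what a manager sees in a 90-day recertification: the current role, the permissions that role does not justify, and which former roles those permissions add up to.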
Pattern 4: Inconsistent Policies Across Sites
When organizations manage multiple sites—whether different office locations, cloud tenants, or separate business units—permission policies often diverge. One site might use security groups with nested memberships, while another uses direct assignment. This inconsistency makes it hard to audit centrally. For example, a finance group in one site might be granted read-only access to a folder, while the same group in another site has full control, simply because of different local practices. To address this, establish a standard permission model across all sites, using a common naming convention for groups and consistent inheritance rules. Centralize management where possible, but acknowledge that local needs may require controlled exceptions—each exception should be documented and reviewed quarterly.
By understanding these four patterns, you can focus your audits on high-risk areas. Next, we'll compare three methods for detecting gaps.
", "content": "
Method Comparison: Three Approaches to Detecting Permission Gaps
When it comes to spotting permission gaps, organizations typically choose between manual audits, script-based scanning, or centralized identity and access management (IAM) tools. Each approach has strengths and limitations. We'll compare them across cost, accuracy, scalability, and maintenance effort so you can decide which fits your environment. For small sites with few users, manual audits may suffice. For large, multi-site environments, centralized IAM is often necessary. Many teams use a hybrid approach: manual checks for critical systems and automated scanning for the rest.
Approach 1: Manual Audits
In a manual audit, an administrator reviews permissions by browsing each resource, checking effective permissions, and documenting findings in a spreadsheet. This method is cheap and requires no special tools. However, it is error-prone and time-consuming. For a site with 50 users and 20 shared folders, a thorough audit might take 8-10 hours. Human error can miss orphaned accounts or hidden permissions. Manual audits work well for compliance spot checks or small environments with fewer than 30 users. They are not sustainable for frequent audits across many sites. Pros: low initial cost, no tool learning curve. Cons: slow, prone to oversight, not repeatable. We recommend manual audits as a starting point only if you have fewer than 100 total accounts across sites.
Approach 2: Script-Based Scanning
Scripts written in PowerShell, Python, or Bash can automate permission collection across file servers, Active Directory, or cloud APIs. For example, a PowerShell script can enumerate all NTFS permissions on a file server and output a CSV of users, paths, and access levels. Scripts are faster than manual audits and can be scheduled to run daily. However, they require maintenance—API changes or new resource types may break the script. Also, scripts typically lack a central dashboard, so you must manually review output. Pros: low cost beyond development time, fast execution, repeatable. Cons: maintenance burden, output analysis required, may miss complex inheritance chains. We've seen scripts work well for teams with some programming expertise and up to 500 users across sites.
Approach 3: Centralized IAM Tools
Enterprise IAM tools like SailPoint, Okera, or Microsoft's Identity Governance provide automated discovery, role mining, and certification campaigns. They integrate with multiple directories and applications, offering a single dashboard to view permissions across sites. These tools can detect orphaned accounts, separation-of-duty violations, and stale permissions. They also support automated remediation (e.g., disabling unused accounts). Pros: comprehensive, scalable, reduces human error, includes reporting. Cons: high cost (licensing and setup), requires dedicated admin training, may be overkill for small environments. For organizations with more than 1,000 users across multiple sites, the investment often pays off through reduced audit time and lower breach risk.
Comparison Table
| Factor | Manual Audit | Script-Based | Centralized IAM |
|---|---|---|---|
| Cost | Low (labor) | Medium (development time) | High (licenses + setup) |
| Accuracy | Moderate (human error) | High (if script covers all) | Very high (automated) |
| Scalability | Low | Medium | High |
| Maintenance | Low | Medium (script updates) | Medium (tool updates) |
| Best for | Small sites | Medium environments | Large enterprises |
Choose the approach that matches your resources and risk tolerance. In the next section, we provide a step-by-step checklist for conducting an effective permission gap audit.
", "content": "
Step-by-Step Audit Checklist for Spotting Permission Gaps
A structured audit process ensures you catch gaps consistently. This checklist is designed to be used across multiple sites, whether you're auditing Active Directory, cloud IAM roles, or file server permissions. Follow these steps in order, and document each finding. We recommend scheduling audits quarterly, or more frequently for high-risk data.
Step 1: Inventory All Sites and Resources
Before you can spot gaps, you need a complete inventory of what you're protecting. List each site (domain, cloud tenant, physical location) and the resources within (file shares, databases, applications, admin consoles). Use automated discovery tools where possible—scripts can scan network ranges or cloud APIs. For each resource, note the owner, location, and current permission model. Without this inventory, you'll miss gaps in forgotten resources. In a composite scenario, a team found a legacy file share that had been migrated to a new server but still had permissions from five years ago, granting access to dozens of former employees. The inventory step is time-consuming but essential.
Step 2: Map Effective Permissions for Each User
For each user, determine their effective permissions on each resource. This includes permissions inherited from groups, nested groups, and explicit allowances. Many systems provide an "Effective Permissions" tool—use it. For cloud environments, examine IAM policies and role assignments. Look for users with permissions that don't match their job function. For example, a marketing coordinator should not have write access to a payroll folder. Document any discrepancies. This step can be automated with scripts that output a matrix of user, resource, and permission. Aim to review all users, but if the environment is large, start with privileged accounts (domain admins, cloud admins, superusers).
Step 3: Identify Orphaned and Dormant Accounts
Cross-reference your user list with HR records to find accounts for former employees or contractors. For cloud accounts, check last activity dates. Accounts inactive for 90+ days should be disabled pending review. Also look for service accounts with stale passwords or unused credentials. Orphaned accounts are a common gap source because they often retain access. In one composite example, a firm discovered a generic admin account used by a vendor that had left the company a year ago—the account still had domain admin rights. Immediate disablement prevented potential misuse. Use automated scripts to flag accounts with no logon within 90 days, and verify with the manager before deleting.
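The cross-reference described in Pattern 2 and in this step, written out as an added example (this is illustrative code for the guide, not the output of any product). It takes a directory export of enabled accounts with their last logon date and an HR feed of termination dates, and classifies each enabled account as orphaned (HR says the person has left), dormant (no logon within the 90-day threshold the guide uses), or never logged on (typical of unused service accounts). The account names, dates and the two feed formats are constructed; the recommended action follows the guide's rule of disabling orphans immediately and disabling dormant accounts pending manager review.

```python
"""Orphaned and dormant account detector.

Added example for this guide, not vendor code. The directory export and HR
feed below are constructed; in practice they come from an AD/cloud export
and the HR system's termination report.
"""
from datetime import date, timedelta

INACTIVITY_DAYS = 90  # the guide's threshold for dormant accounts

# Constructed directory export: account -> (enabled, last_logon or None)
DIRECTORY = {
    "jdoe":        (True,  date(2026, 4, 20)),
    "contractor7": (True,  date(2025, 11, 2)),
    "svc-backup":  (True,  None),            # service account, never interactively used
    "msmith":      (False, date(2025, 6, 1)),  # already disabled
    "rlee":        (True,  date(2026, 5, 1)),
}

# Constructed HR feed: account -> termination date (only leavers appear)
HR_TERMINATIONS = {
    "contractor7": date(2025, 12, 15),
    "msmith": date(2025, 6, 5),
}


def classify_accounts(directory, hr_terminations, today, inactivity_days=INACTIVITY_DAYS):
    """Return {account: [reasons]} for every enabled account that needs review.

    Reasons: 'orphaned' (terminated per HR but still enabled),
             'dormant' (last logon older than the threshold),
             'never_logged_on' (enabled but no logon recorded).
    """
    cutoff = today - timedelta(days=inactivity_days)
    findings = {}
    for account, (enabled, last_logon) in directory.items():
        if not enabled:
            continue  # already disabled; nothing to flag
        reasons = []
        term = hr_terminations.get(account)
        if term is not None and term <= today:
            reasons.append("orphaned")
        if last_logon is None:
            reasons.append("never_logged_on")
        elif last_logon < cutoff:
            reasons.append("dormant")
        if reasons:
            findings[account] = reasons
    return findings


def recommended_action(reasons):
    """Orphans are disabled immediately; everything else is disabled pending manager review."""
    if "orphaned" in reasons:
        return "disable_now"
    return "disable_pending_review"


if __name__ == "__main__":
    run_date = date(2026, 5, 15)  # constructed scan date
    for acct, why in classify_accounts(DIRECTORY, HR_TERMINATIONS, run_date).items():
        print(f"{acct}: {', '.join(why)} -> {recommended_action(why)}")
```

Disabled accounts are skipped on purpose: they are already out of scope for this step, and flagging them would bury the real findings. A terminated account that HR lists with a future termination date is not yet an orphan, which is why the comparison against the scan date is explicit.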
Step 4: Check Inheritance and Explicit Permissions
Review resources where inheritance is broken—these are high-risk for gaps. For each resource with explicit permissions, verify that each entry is still needed. Document the business justification for each break. Common issues include permissions set by former administrators that persist after they leave. Use a script to list all objects with non-inherited permissions and compare against an approved baseline. If inheritance is broken unnecessarily, restore it. If it's needed, set a review date for six months from now.
Step 5: Verify Group Memberships
Groups are the backbone of permission management, but they often contain stale members. Review all security groups and distribution groups that grant access. For each group, list members and their roles. Remove users who no longer need the group's access. Also look for nested group memberships that might grant unintended access—a user who is a member of Group A, which is itself a member of Group B, may gain permissions from Group B that weren't intended. Use tools such as the "Member Of" tab in ADUC or PowerShell to trace membership chains. Document the group's purpose and owner; if a group has no owner, assign one.
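The membership-chain tracing from this step and the effective-permission matrix from Step 2, combined into one added example (illustrative code for the guide, not ADUC or any product's output). It expands nested group membership breadth-first, tolerates a membership cycle, and for each resource records not just the permission a user ends up with but the chain of groups it came through, which is what an auditor needs to explain why a help desk member can write to a production share. The group names, share paths and ACL entries are constructed.

```python
"""Effective permissions through nested groups, with the chain that grants them.

Added example for this guide, not vendor code. Group membership and ACLs
below are constructed; in practice they come from a directory and share
permission export.
"""
from collections import deque

# Constructed group membership: group -> direct members (users or other groups)
GROUPS = {
    "HelpDesk":     {"carol", "dave"},
    "Finance-RO":   {"erin", "HelpDesk"},   # nested: every HelpDesk member gets Finance-RO
    "Prod-Writers": {"Finance-RO"},          # nested again: the unintended chain
    "Loop-A":       {"Loop-B"},
    "Loop-B":       {"Loop-A", "frank"},     # membership cycle, must not hang the scan
}

# Constructed ACLs: resource -> principal -> permission
ACLS = {
    r"\\srv1\finance": {"Finance-RO": "read", "erin": "write"},
    r"\\srv1\prod":    {"Prod-Writers": "write"},
    r"\\srv1\it":      {"Loop-A": "read"},
}


def groups_of(principal, groups):
    """All groups a principal belongs to, directly or nested: {group: chain}.

    Breadth-first over a reverse (member -> groups) index; a group already
    reached is not revisited, which also terminates on cycles.
    """
    parents = {}
    for group, members in groups.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for parent in sorted(parents.get(node, ())):
            if parent in found:
                continue
            found[parent] = path + [parent]
            queue.append((parent, path + [parent]))
    return found


def effective_permissions(user, groups, acls):
    """{resource: [(permission, chain)]}: every ACL entry that applies to the user."""
    principals = {user: [user], **groups_of(user, groups)}
    result = {}
    for resource, entries in acls.items():
        for principal, perm in entries.items():
            if principal in principals:
                chain = " -> ".join(principals[principal])
                result.setdefault(resource, []).append((perm, chain))
    return result


def nested_grants(user, groups, acls):
    """Grants reached through two or more group hops: the 'Group A in Group B' case."""
    return [
        (resource, perm, chain)
        for resource, grants in effective_permissions(user, groups, acls).items()
        for perm, chain in grants
        if chain.count(" -> ") >= 2
    ]


if __name__ == "__main__":
    for user in ("carol", "erin", "frank"):
        for resource, grants in effective_permissions(user, GROUPS, ACLS).items():
            for perm, chain in grants:
                print(f"{user}: {resource} {perm} via {chain}")
```

Running it over every user in the directory yields the user, resource, permission matrix that Step 2 asks for, with the chain column telling you which group membership to cut when a grant is unintended.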
Step 6: Document and Prioritize Findings
Compile a list of all gaps found, along with risk level (high/medium/low) and recommended action. High-risk gaps include any privilege escalation path or access to sensitive data by unauthorized users. Medium-risk includes excessive privileges that don't directly expose critical data. Low-risk includes missing permissions that cause inconvenience but no security threat. For each gap, assign an owner and a remediation deadline. Use a simple spreadsheet or a ticketing system to track progress. Without documentation, gaps may be forgotten.
Following this checklist will give you a clear picture of your permission landscape. Next, we'll walk through three real-world scenarios.
", "content": "
Real-World Scenarios: Permission Gap Examples Across Sites
Theory helps, but examples make the risks concrete. Below are three anonymized composite scenarios based on common patterns we've encountered. They illustrate how permission gaps appear in different contexts—healthcare, education, and finance—and how the audit checklist reveals them. Use these to recognize similar patterns in your own environment.
Scenario 1: Healthcare Merger Integration
A regional health system acquired a small clinic and needed to integrate the clinic's electronic health record (EHR) system with their own. During integration, the IT team migrated users but did not reconcile permissions. Six months later, an audit using our checklist discovered that 30 former clinic employees still had active accounts in the main EHR, with read access to patient records. Additionally, the clinic's legacy file server had been left online, with permissions granting write access to a folder containing billing data to all clinic staff. The gaps existed because the migration team focused on connectivity, not access governance. The remediation involved disabling the orphaned accounts, restoring inheritance on the file server, and implementing a centralized identity provider for future integrations. The lesson: always perform a permission gap audit after any system migration or merger.
Scenario 2: University Multi-Site Migration
A large university migrated its faculty file shares from an on-premises server to a cloud storage platform. Each department had managed its own permissions locally over years, resulting in thousands of unique ACL entries. During migration, many permissions were copied as-is, including entries for students who had graduated years ago. A script-based scan revealed that 12% of accounts with access to sensitive research data were inactive (no logon in 12+ months). The university also found that inheritance had been broken on 40% of migrated folders, making management chaotic. The IT team used the audit to clean up permissions, assign data owners, and enforce a policy of using only security groups (not individual users) for access. They now run quarterly scans to catch new gaps. The lesson: migration is a prime opportunity to reset permissions, not just copy them.
Scenario 3: Financial Services Role Creep
A financial services firm with offices in three cities had grown through acquisitions. Each office maintained its own Active Directory forest with different group structures. A centralized IAM tool was implemented to gain visibility. During the initial audit, the tool discovered that a senior analyst had accumulated permissions from three roles over five years: analyst, project lead, and system admin. This gave them access to trade settlement systems that no single role needed, violating separation-of-duty policies. The tool flagged this as a critical gap because the analyst could potentially execute unauthorized trades. The firm remedied by implementing a role-based access control (RBAC) model with periodic recertification every 90 days. They also restricted privileged access to just-in-time provisioning. The lesson: role creep is insidious and requires automated detection across all sites.
These scenarios show that permission gaps are common but preventable. In the next section, we provide a step-by-step remediation plan.
", "content": "
Remediation Plan: How to Fix and Prevent Permission Gaps
Identifying gaps is only half the battle. An effective remediation plan ensures that fixes are applied promptly and that gaps don't recur. We recommend a five-step process that integrates with your existing change management workflows. This plan is designed for multi-site environments, where coordination between local admins and central IT is critical.
Step 1: Prioritize and Categorize Gaps
Not all gaps are equal. Use a risk-based approach to prioritize remediation. High-risk gaps—such as a former employee with domain admin rights—should be fixed within 24 hours. Medium-risk gaps—like a user with read access to non-sensitive data—can be fixed within a week. Low-risk gaps—missing permissions causing access denials—can be fixed during the next maintenance window. Categorize each gap from your audit findings and assign a priority level. Communicate the remediation timeline to stakeholders, including data owners and local site administrators. Without prioritization, you risk spending time on trivial issues while critical gaps remain open.
Step 2: Remove Unauthorized Access
For each gap, remove the excessive permissions. For orphaned accounts, disable them immediately. For group membership issues, remove the user from groups they shouldn't be in. For inheritance breaks, if the explicit permissions are no longer needed, restore inheritance. Use a script to automate bulk changes, but always test in a non-production environment first. Document each change with a ticket number for the audit trail. In a composite scenario, a team used a PowerShell script to remove all former employees from security groups across 20 sites in one night, reducing their attack surface significantly. After removal, verify that the changes didn't break legitimate access—contact the data owner to confirm.
Step 3: Implement Preventive Controls
To prevent future gaps, implement controls such as: automated deprovisioning of accounts when an employee leaves (integrated with HR system); periodic access recertification campaigns (every 90 days for sensitive data); and restriction on breaking inheritance (require approval and documentation). Also, establish a policy that all permission changes must be made via a centralized tool rather than directly on resources. Use group-based access control instead of individual assignments. These controls reduce the chance of gaps forming. For example, one organization deployed a tool that automatically disables accounts 30 days after the employee's termination date, with a manager approval step to extend if needed. This eliminated orphaned accounts as a gap source.
Step 4: Train Site Administrators
Permission gaps often arise from lack of awareness. Provide training to local site administrators on proper permission management: when to break inheritance, how to use groups, and how to request access reviews. Include specific examples from your environment. Training should be mandatory for anyone with permission management rights. We've seen that a one-hour session, repeated annually, reduces gap incidents by up to 40% in composite observations. Use real anonymized scenarios from your audits to make the training relevant. Also, create a quick-reference guide that administrators can consult when making changes.
Step 5: Monitor and Audit Continuously
Remediation is not a one-time event. Set up continuous monitoring to detect new gaps as they appear. Use automated scripts or IAM tools to run weekly scans and alert on unauthorized changes. For example, a script can compare current permissions against a baseline and flag any deviations. Schedule quarterly comprehensive audits using the checklist in Section 4. Review audit logs for permission changes to ensure they follow policy. Continuous monitoring turns reactive fixes into proactive prevention. In one team we observed, implementing weekly scans reduced the average time to detect a gap from 60 days to 7 days.
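The baseline comparison this step describes, and the non-inherited-permission check from Step 4 of the audit checklist, as one added example (illustrative code for the guide, not the output of any scanner). A weekly snapshot of share ACLs is diffed against the approved baseline and each deviation is given a severity using the guide's own scale: a new explicit entry or newly broken inheritance is high, a widened access level is medium, and a baseline entry that has disappeared (possibly breaking legitimate access) is low. The snapshot format, share paths, principals and access levels are constructed.

```python
"""Permission baseline drift detector for the weekly scan.

Added example for this guide, not vendor code. The baseline and snapshot
below are constructed; in practice the snapshot is the output of a
scheduled ACL export and the baseline is the last approved one.
"""

ACCESS_RANK = {"read": 1, "modify": 2, "full": 3}  # higher = broader access
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed approved baseline: path -> {"inherits": bool, "entries": {principal: level}}
# "entries" holds only explicit (non-inherited) ACEs on that object.
BASELINE = {
    r"\\srv1\finance":       {"inherits": True,  "entries": {}},
    r"\\srv1\finance\audit": {"inherits": False, "entries": {"Audit-Team": "read"}},
    r"\\srv1\prod":          {"inherits": True,  "entries": {"Prod-Admins": "full"}},
}

# Constructed snapshot captured by this week's scan
CURRENT = {
    r"\\srv1\finance":       {"inherits": True,  "entries": {}},
    r"\\srv1\finance\audit": {"inherits": False, "entries": {"Audit-Team": "modify",
                                                             "contractor7": "read"}},
    r"\\srv1\prod":          {"inherits": False, "entries": {"Prod-Admins": "full",
                                                             "HelpDesk": "modify"}},
    r"\\srv1\legacy":        {"inherits": False, "entries": {"Everyone": "full"}},
}


def compare_to_baseline(baseline, current):
    """Return (severity, path, detail) findings, highest severity first."""
    findings = []
    for path, snap in current.items():
        base = baseline.get(path)
        if base is None:
            findings.append(("high", path, "object not in baseline; inventory it and approve its ACL"))
            continue
        if base["inherits"] and not snap["inherits"]:
            findings.append(("high", path, "inheritance broken since baseline"))
        for principal, level in snap["entries"].items():
            base_level = base["entries"].get(principal)
            if base_level is None:
                findings.append(("high", path, f"new explicit entry: {principal}={level}"))
            elif ACCESS_RANK[level] > ACCESS_RANK[base_level]:
                findings.append(("medium", path, f"{principal} widened {base_level}->{level}"))
        for principal in base["entries"].keys() - snap["entries"].keys():
            findings.append(("low", path, f"baseline entry missing: {principal}"))
    for path in baseline.keys() - current.keys():
        findings.append(("low", path, "object in baseline but not in snapshot"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, path, detail in compare_to_baseline(BASELINE, CURRENT):
        print(f"[{severity.upper()}] {path}: {detail}")
```

Anything rated high maps to the 24-hour remediation window from Step 1 of this plan. Once a finding has been reviewed and accepted (for example an approved inheritance break with a documented justification), the baseline is updated so the same deviation is not reported again next week.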
With these steps, you can systematically close existing gaps and prevent new ones. Next, we address common questions.