We are considering to report or additionally manage permissions on personnel mailboxes? Is this something that would be helpful for your end users? Is reporting of permissions sufficient or is management of the permissions helpful as well? In second case, which permissions (e.g. calender access, send on behalf) would be good to manage?

Do your end users need reporting or management of permissions on Personnel Mailboxes?

When employees start in a new department, permissions are assigned via Access Manager. This includes all file server and SharePoint permissions as well as memberships in AD groups, teams or distribution lists. If the department additionally works with functional mailboxes, this access is often forgotten during the first rights assignment. This leads to inconsistencies and hidden costs, as employees cannot work smoothly from the beginning. Therefore, owners should be able to maintain access permissions to functional mailboxes.

Management of Exchange Functional/Shared Mailboxes [Exchange Online]

There may be circumstances in which an employee's information changes, such as relocating to a different city or changing their last name due to marriage. It is important that these changes can be made and are accurately reflected in the User Access Management (UAM). 

UAM: Update employee information

Managing approval processes can often be cumbersome and inefficient, especially when multiple approvers are involved. Therefore it would be nice to have a possibility to have multi-level approval workflows which can be configured as needed.

Multi-level approval workflows

Development of an interface for User Account Management (UAM) that is seamlessly connected to HR systems. This extension of the REST APIs enables:

UAM: RestAPI Extension

When managing user access across various systems, it would be nice to have comprehensive reporting capabilities. The User Account Management (UAM) should provide an overview of identities and their user accounts.

UAM: Reports - Overview of identities

At the moment the curent UAM supports the creation of an identity when a new employee joins the company. It would be nice to have configurable tags for each identity, so that they can be distinguished. This is expecially helpful for externs but also for temporary identities (e.g. interns, working students).

Configurable tags for identities (e.g. extern, temp)

It is currently unclear to end users which profiles are used for what purpose, e.g. due to vague names. Providing a description for each profile would help to clarify this for users who wish to request a profile membership.

Self Service: Description for profiles

When an employee moves to a new site or department, the User Account Management (UAM) automatically updates their user account(s) with the necessary permissions and access rights for their new position. 

UAM: Mover process

When you are working with different systems, there are a lot of processes that still have to be triggered manually in separate systems. To ensure a seamless integration between UAM and external systems, it would be nice to be able to automatically trigger processes in external systems during a user lifecycle process (e.g. joining/leaving the company).

UAM: Trigger Processes in external Systems

When an employee leaves the company, there should be a process to deactivate the accounts/mailboxes/etc. of the identity, so there won't be any security concerns.

UAM: Leaver process (and temp absence)

Within organizations there are different level of sensitive data where permissions require reapproval on a regular basis. As in highly sensitive data permissions need to be controlled more often than in less sensitive data it would be great to have different intervals for each security class.

Reapproval - Different time intervals for different sensitivity levels

The Access Manager is able to execute scripts in a job. Currently this is only possible to be executed once. Afterwards the system forgets the script. With script management it shall be possible to manage scripts centrally and within the Access Manager. This enables administrators to 

Centralized Script Management

Managing AD accounts can be a time-consuming and complex task, especially when dealing with multiple accounts for a single employee. Our new feature addresses these challenges by allowing you to:

UAM: Create Multiple AD Accounts with customizable Account categories and naming conventions

Currently it is possible to assign AD OUs and profiles as a resource to the organigram in the UAM. It would be nice to be able to assign scripts as well.

UAM: Assign scripts to organigram units as a resource

Previously, a user with the "Assistance" role had to request permissions for several users individually. To simplify this process, this release allows authorizations to be requested for multiple users at the same time. All information such as expiration date, authorization, comment is entered once for all users and then automatically duplicated for the individual requests. A separate request is generated for each requested authorization, but the person responsible only receives one email with all requests.

Assistance: Request permissions for multiple users

The self-service portal enables end users to autonomously perform a variety of operational actions, such as requesting permissions or profilememberships, without having to contact the IT department or help desk, even without in-depth technical knowledge. In order to ensure a more intuitive and smooth user experience, some UI improvements could be beneficial. 


The following pages will be enhanced and improved:

Self Service: UI Improvements

Digitizing identity workflows helps a lot to reduce efforts in IT department, but if there are dependencies between accounts of one or more target systems, it must be ensured that as-is state corresponds to the to-be state.

target/actual comparison for accounts

Previously, permissions could only be assigned to profiles directly by resource responsible or profile administrator. It has not been possible to request permissions for a profile via the self-service portal. In order to request permission on a specific resource for a profile the “request permission” dialogue has been enhanced for users with assistance role. 
Now, in addition to user permissions, you can also request permissions for one or multiple profiles, or exclusively for profiles. The information provided for permissions and comments applies to both profiles and users (if users have also requested permissions), expiration date applies to user permissions only. If multiple permission requests are submitted, the responsible person receives an email containing all the requests, but requests are approved individually. 

Assistance - Request rights for multiple profiles

Currently the Credential Provider of AMPR only allows the following authentication methods:

It would be great to use 4 eyes principle here as well.

allow 4 eyes principle in credential provider

Following the introduction of centralized logging with Grafana Loki in Access Manager version 2023.1, this release adds logging with Splunk for more flexibility.

Several new logging settings have been introduced as part of this. For example, the log level of the agent can be set to Warning with 

. Descriptions of the other new settings can be found in the user manual.

Logging with Splunk

Strong passwords are quite important to prevent unauthorized access and thus secure sensitive data.

Therefore, password policies often include specific characteristics to increase the password security. I as administrator would like to ensure that those password policies apply during password resets in self service.

Increase Password Security in Password Reset (AMPR)

Based on the organizational structure companies apply different meta data on accounts. To ensure correct application and due to this reduce errors in manual tasks it would be great to store those information in an organizational structure.

more flexible organisational structure

When a new company joins the group, often users of this company receive a new account in the group domain, but do have the old account with existing permissions and roles in Access Manager. To remove old user accounts in a later state, those permissions and roles shall be transferred to the new account.

Support for User Permissions & Roles Migrations

User should have the possibility to request 3rd Party items in Self Service. Therefore naming conventions shall be configured and applied to new AD Groups.

Request new AD Groups with Naming Conventions

With this release 2023.1, centralized logging with Grafana Loki is offered. With this, administrators have an easier and faster way to view messages through extended search and filter options. If other systems are maintained that also support centralized logging, this can also be bundled in Grafana Loki.

Centralized Logging with Loki

REST API is available for BAYOOSOFT Access Manager. 

REST API

Until now, AMPR could only be used via the web interface and thus access to a browser was necessary when forgetting one's own Windows password, which was very inconvenient. To increase user acceptance, this version now allows the user to reset the password directly on the login page using the credential provider if the logon password has been forgotten. After successful authentication, the user can assign a new password according to the password policies, the password is reset directly and one can log in immediately with the new password. The TAN procedure or the token procedure can be selected as authentication procedure.

Credential Provider for Password Reset

The popular authentication method based on the four-eyes principle has reached the limits of its applicability in times of mobile working. To be able to continue to obtain the support of colleagues in the event that a password reset is required, a new authentication method enables a four-eye principle by splitting the password, which does not require the physical presence of the colleagues:

For-eyes-principle for remote work

The new identity management module can be used to map so-called joiner, mover, leaver processes (life situations) within an organization. Identities are created, modified or deleted within the framework of standardized workflows.

The workflows are available to the new Access Manager role "Personnel Manager" as well as to the administration.

No-code Identity Management - Ask for a demo now

AMPR end users can now edit the attributes of their own AD accounts and the data in AMPR in the Self Service in the personal settings area. After selecting an AD user account assigned to the user, the stored AD data is displayed and can be changed. In the administration area, it is possible to define which AD attributes, such as name, job title, e-mail or similar, can be edited by the end user.

Active Directory in Self Service

With Password Reset in Self Service, employees can reset their forgotten passwords autonomously. Besides a high user acceptance, this allows to significantly reduce the service desk costs due to corresponding tickets. This is particularly successful when the organization's central applications are covered in the Self Service Password Reset.

In addition to common environments such as Active Directory, Azure AD, SAP, or individual databases, in the hospital environment this is primarily the respective hospital information system. Therefore, AMPR now offers the option to connect M-KIS - the hospital information system from Meyerhofer - as an additional target system.

For further information, please visit one of our open webinars or arrange your individual product presentation [

AMPR - New Target System: Meierhofer KIS

With 2023.1 you can manage MS Teams memberships together with other authorizations in BAYOOSOFT Access Manager for the first time. The new extension module uses the proven authorization management from the base module for the active administration of MS Teams authorizations. Thus, even more authorizations can be managed centrally in one place.

MS Teams Management - test it now

Until now, employees in other countries have only been able to use the Access Manager in German and English. From now on, other language packages can also be integrated on request. The system always remembers the last language set for the user interface for the employees and also sends the mails in this language.

Multi-Language-Supported User Interface

To increase the acceptance of a Password Reset in Self Service within the organization, the availability of easy authentication methods is of particular importance. The less configuration is required in advance, the more successful the introduction of such a self-service solution will be. Authentication via colleagues has proven particularly successful in this context. However, if colleagues are in home office, the so-called “four-eyes principle” is tricky. A new authentication method “TAN2colleague” will therefore allow to involve co-workers across different locations. If I have forgotten my password, I enter my colleague's contact details. They receive a TAN and transmit it to me, e.g. by phone, so that I can authenticate myself and reset my password. 

TAN2Colleague - new authentication method in Password Reset (AMPR)

There is always the constellation that the assignment of authorizations is to be audited, but an explicit approval by a data controller is not mandatory. In this case, the authorization can be automatically assigned to the requesting person.

For this purpose, the BAYOOSOFT Access Manager now provides the option for IT administration as well as owners to make 3rd party elements publicly accessible. If permissions on this element are requested via the Self Service Portal, they are automatically accepted by the system and documented as usual.

Public Items: Automatically approve requests on 3rd Party Items

With Password Reset in Self Service, employees can reset forgotten passwords on their own. In addition to a high level of user acceptance, this makes it possible to significantly reduce costs at the service desk due to corresponding tickets. Nevertheless, many employees reach for the phone in this acute situation - either because the number of the service desk is known, or the appointed trusted persons are not available. To be able to continue to relieve the service desk by means of password resets in self-service, AMPR now offers the option of being able to run through routines for unlocking user IDs and resetting passwords by telephone.

In this way, you can check whether the call is for the designated function before putting the call through to a service desk employee. Callers are identified by specifying the user ID and checking the transmitted phone number and are then guided through the process with voice support. The following options are available for authentication:

Password Reset via Phone Call

The module Easy Desktop offers end users even more convenience in self-service: The Microsoft WindowsTM Explorer plug-in EASY DESKTOP enables the most important functions to be executed directly via the context menu of the respective directories. 

Directories managed by the Access Manager and visible in Self Service are marked by an orange symbol directly on the folder. Right-clicking on such an authorisation folder opens its context menu and the following functions are directly available:

Easy Desktop: Self Service in Windows Explorer - test it now

AD Group Management enables you to manage memberships in existing AD security groups, meaning the access management of the Fileserver Management basic module can also be applied to third-party services such as remote applications, print sharing or internet access.

Integrating third-party permissions with Access Manager provides you with comprehensive identity and access management – fully retraceable and auditable at all times.

AD Group Management - test it now

A new setting UserTaggingGroups enables you to tag user accounts in the system with icons. in the system. For this purpose, AD groups can be stored whose members are to be tagged.

User Tagging

For highly sensitive data, it may be advisable to carry out pre-authorization, e.g. in the form of anti-sabotage or confidentiality training, in addition to complying with the need-to-know principle. At the same time, it is important to ensure that only those employees who have completed this pre-authorization are granted access permissions.

In order to technically map such organizational protective measures, it is now possible to define AD groups for data protection classes that contain the pre-authorized employees.

If a resource is marked with this data protection group, the system guarantees that only those permissions are transferred to the target system that have been authorized by AD group membership. Unauthorized users are highlighted in the user interface. If they are later added to the group, the permission is transferred to the target system during the next job run.

Protect sensitive data with additional user pre-authorization

BAYOOSOFT's expertise in automation of access rights management began in 2008 and has continued to develop ever since.

Besides continuous feature development and improvement the following milestones could be achieved:

Previously in History

To increase the acceptance of a Password Reset in Self Service within the organization, the availability of easy authentication methods is of particular importance.

Therefore, a wide range of authentication methods are helpful. Therefore, I as a administrator would like to allow users to authenticate with their 

Microsoft verified ID as Authentication Method in Password Reset (AMPR)

As a profile responsible (normally is also responsible for some resources) would like to be able to manage the resources of my profiles.

But as administrator I don't want that profile responsible are able to assign permissions to their profiles for resources they are not responsible for. 

Therefore, it would be great if profile responsibles (or another role) are able to assign and manage profile permissions as well, but restricted to resources they are responsible for as well.

Restricted Profile Management

More and more Data are moved from Microsoft onPremise Servers zu Azure Files (as a file system). Some customers already think about replacing all local servers by Azure Files. Therefore it would be great if the Fileserver Module would support this.

Azure Files

Our administrator team does have a single mail address. To ensure that not every admin needs to check an error message from Access Manager (and thus reduce unnecessary efforts) it would be great to define a central mailing address for administrative mails.

Central Mailing Adress for Administrators

Currently Access Manager provides permission management for Active Directory groups, SharePoint groups and EntraID groups that are related to MS Teams. 

There are a lot more groups managed in EntraID where it would be helpful to manage them with Access Manager as well (including profiles, reapproval etc).

Manage EntraID Groups

After working with individual permissions switching the approach to profiles is huge effort. Current steps are:

Therefore it would be nice to easily identify profilable permissions and use those to create profiles.

Mass Operations - Transfer from individual to profile permissions

As administrator currently it is quite laborious to mange profiles as every profile has to be considered separately:

In order to start or adapt profile management quickly we are considering to provide import and export functionality. But how would a import/export file would be most helpful for you? We would love to hear your feedback.

Import and Export of Profiles and Profile Permissions

As a user I do have more than one account (either two AD Accounts or AD Account and Entra Account). As my responsibilities are mapped to a specific account I would like to be able to login with any of these accounts and decide for login which account should be used. 

Also I would like to be able to switch between my existing accounts.

Authentication and Login with different Accounts

As administrator I would like to have a function to automatically add users as members to Access Manager profiles.

Assignment Logic shall be processed on a regular basis and shall contain user attributes like company, mail or group memberships.

Extended Profile AD Synchronization

We are currently investigation if Self Service for Public Folders would be helpful in your environments? Are you using public folders? Which permissions do you manage for access (read, write or something else)?

Would Self Service for Public Exchange Folders be useful in your environment?

As a user I would like to manage permissions of systems that are unique for my organization and can not be handled by ad groups. Therefore I would like to configure an item collection that is not connected to active directory, but I am able to create scripts that will be performed instead when creating a new item or updating permissions.

Item Collection for custom target systems

As administrator I sometimes wonder if resources and the included data are still required and used or if they could be archived. Therefore, it would be great to have a reapproval process for resource owners to check the resource.

reapproval of resources

It happens that rights folders need to me moved within a share. The current approach is quite complex:

Move Resources (e.g. Rights Folder)

In multi agent environments the update is quite laborious as every agent needs to be updated on its own. It would be great to provide an automated update.

Automated Agent Update

As more and more organizations are moving their infrastructure to the cloud, managing access rights and roles in environments like AWS cloud is becoming increasingly important.

Vote now and let us know what cloud strategy your company is pursuing!

What are your thoughts on AWS cloud?

Management of Exchange Functional Mailboxes (on Premise)

Currently permissions of users and profiles on a specific resource can be checked during reapproval. This allows to remove permissions that are not needed any longer. In some cases employees change departments or projects and due to this the permissions (provided by the profile) are not required any longer. In this case it is currently not possible to remove this memberships during reapproval.

→ It would be great to regularly check if members of the profile still need to be a member.

Reapproval of profile memberships

In some situations a one person approval of workflows is not suitable for the required security level. The following use cases require a two-staged approval workflow:

Which of the use cases apply to your environment? Are there any further use cases for multi staged approval that would be helpful for you? We would love to hear your feedback.

Shall we provide additional approval stages for requests?

Within our organization we do have fix folder structures for different situations (e.g. team folder, project folder). Some subfolders also require permission management. 

Currently those structures can be configured by administrators, but also only used by administrators using the following steps: 

These are a lot of steps and additionally, this can not be done by endusers who now already that a specific structure shall apply. 

Therefore it would be great to combine this functionality in one steps and make end users be able to request folders with this structure.

Folder Templates - Create folders with substructure by administrators, data owners and end users

As administrator I would like search and filter for specific actions in audit and error logs. 

Additionally, it would be great to export data so that I am able to use them together with other systems.

Search, Filter and Export in Audit and Logs

As more and more organizations are moving their infrastructure to the cloud, managing access rights and roles in environments like Microsoft Azure is becoming increasingly important.

Vote now and let us know what cloud strategy your company is pursuing

What are your thoughts on Microsoft Azure?

Currently only Administrators can process requests from the Self Service Portal. In cases where the responsible is not available (and there's no substitute set), the workload for administrators rises. 

It would be nice, if all module administrators receive this capability for their respective module, so that they can handle the requests as well.

Process requests as a module administrator

Folders are marked as 'dirty' in the AM when they are e.g. deleted in the file system. 

Currently, an administrator must navigate through the permission tree to identify each individual dirty folder and implement corrective actions which can be time-consuming.
Therefore it would be nice to have a filter for dirty flags.

Filter for dirty flagged folders

Please note: It's a roadmap, not a promise. Items might be subject to change without notice.