
Authorization concepts: Nobody wants them but everybody needs them

With authorization concepts, businesses can control and decide who has access to data and documents. This ensures that information is protected at all times and processes are compliant. This article shows why you need authorization concepts, how you can set them up, and how to import them to third-party systems.

What is an authorization concept?

An authorization concept is defined as the sum of all authorization rules across the entire business. Or, in other words, an authorization concept determines under which circumstances an employee can view specific information. 

As a rule, authorization concepts are stored in digital applications. If, based on the authorization concept, the employee is authorized to view the information, then they can access the file. The system rejects unauthorized requests.

Why do companies need an authorization concept?

Authorization concepts aim to manage access rights efficiently. Not every employee has access to every document. And there are good reasons for this as you’ll find out below: 

Reducing the flood of information 

An authorization concept can help you to reduce information overload. Large amounts of data make it difficult for employees to find the right information. When the flood of information continues to grow, the search for the right resources is even slower – especially when employees don’t know how to leverage this information. 

Example: If an HR employee sees a document with sales figures, they might interpret the data incorrectly and conclude that the business is doing poorly. This can make employees feel insecure. In fact, the sales figures are an unfinished working document. The annual financial statements have not yet been finalized, and many deals that would turn the result into a positive have not yet been included.

If there is an authorization concept, the HR employee will not see this document. Instead, they get access only to information that they need to do their job. This helps employees to focus on what is relevant.

Protecting data privacy  

Another important point of authorization concepts is that not everyone in the company can – or should – see everything. Pay statements, for example, are considered personal data. These have to be treated confidentially. Businesses are bound to do so by GDPR laws. In addition to pay statements, this applies to much more data from employees and customers.

Authorization concepts designate the employees who are allowed to view personal information – namely only those who need it for their work activities. Limiting access also serves to ensure data security. 

Safeguarding confidentiality agreements 

Security requirements for data increase even further when third-party data are involved. When dealing with outside organizations, your business will often receive information that is confidential. Confidentiality agreements require that the business takes special care to protect this content. Authorization concepts map out these agreements internally. 

Protecting trade secrets 

Resources that have the greatest influence on a company’s business success also require high levels of protection. Authorization concepts protect business secrets from the eyes of employees and, above all, competitors. This means that only a select group of people can access sensitive information.

How are authorization concepts organized?

Authorization concepts are either person-related, role-related, or document/information-related. 


Person-related

Person-related authorization concepts determine which employee is permitted to have access to which information. Because authorizations are created individually for each employee, this process is complex to manage. You always have to update the authorization concept when something changes in the company on the employee side – particularly, whenever an employee leaves the company, joins the company, changes their position, or takes on new tasks in the organization.

For this reason, the authorization concept based on persons is recommended only for small companies with few employees. The administrative effort in such cases remains manageable. 


Role-related

Role-related authorization concepts are less complex. Instead of creating an authorization concept for each employee, every role has its own authorization concept. It defines the access authorizations that match the position and the relevant areas of responsibility. Once role concepts have been created, they are transferred automatically to new employees who join the company or change their internal role or department.

Document or information-related 

As an alternative, you can create authorization concepts based on documents or information, i.e. independently of people. There are several options for this scenario: 

  • At file level: decide which files employees can access. For example, only HR employees and the employee themselves are allowed to view the employee file. 

  • At folder level: decide which subfolders in files employees can view and which they cannot. For example, an HR employee may be permitted to open supplier files and view the folder with master data, but they are not permitted to access the invoice folder. 

  • At document type level: decide which document types employees are allowed to view in the folders for the respective file. For example, a recruiter may view an employee’s master data, but not sick notes or vacation requests. 

Step-by-step guide to the authorization concept

Once you have decided how you want to organize the authorization concept, you can create it. 

Step 1: List every file, subfolder, and the document types for every file 

In this first step, you list all the files for which you want to create an authorization concept. Divide each file into multiple subfolders. You can then fill these with all the documents related to the folder. 

For example, you can create an employee eFile based on the following: 

Master data 

  • Personal information forms 

  • Application 

Employment contract 

  • Employment contract 

Working hours 

  • Certificates of incapacity to work 

  • Timekeeping records 

  • Vacation requests 

  • Evidence of special leave 

Certificates and training 

  • Further training certificates 

  • Certificates 


  • Annual reviews 

  • Salary negotiations 

  • Exit interview 

Salary records 

  • Pay statement 

Step 2: List the roles and persons with access rights 

In the next step, you define the roles concept. To do so, list all the roles and persons that have access rights. An example from the HR department would include the following: 


  • Vice President, HR 

  • HR Manager 

  • Payroll Manager 

  • HR Generalist 

  • Trainer/Personnel Developer 

  • HR Analyst 

  • Recruiter 

  • The employee with their own employee eFile  

Step 3: Assign authorizations for every role 

The next step is to assign access rights. You decide which role has what access, for example: 

  • CPO/CHRO, Vice President HR, and HR Manager have access to everything. 

  • The Payroll Manager may only access the results of salary negotiations and pay statements. 

  • The recruiter may access the employee file until the employment contract has been concluded. 

  • And so forth. 

The beauty of this solution is that there is no right or wrong when creating an authorization concept. Each business creates its authorization concept completely individually, depending on its own requirements.
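Steps 1 to 3 expressed as a default-deny access check, as an added example (not Doxis code or configuration). The function names, the `EFile` class, the "Employee" role label, the "Reviews" folder name, and the reading of "until the employment contract has been concluded" as a date comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Step 1: document types per eFile folder (from the article's example list).
# "Reviews" is an assumed folder name; the article's heading for it is missing.
FOLDERS = {
    "Master data": ["Personal information forms", "Application"],
    "Employment contract": ["Employment contract"],
    "Working hours": ["Certificates of incapacity to work", "Timekeeping records",
                      "Vacation requests", "Evidence of special leave"],
    "Certificates and training": ["Further training certificates", "Certificates"],
    "Reviews": ["Annual reviews", "Salary negotiations", "Exit interview"],
    "Salary records": ["Pay statement"],
}
DOC_TYPES = {t for types in FOLDERS.values() for t in types}

# Step 2: roles. Step 3: the rules the article spells out; all else is denied.
FULL_ACCESS = {"CPO/CHRO", "Vice President, HR", "HR Manager"}
PAYROLL_TYPES = {"Salary negotiations", "Pay statement"}

@dataclass
class EFile:
    owner: str                          # employee the file belongs to
    contract_concluded: Optional[date]  # None while no contract exists yet

def can_view(role: str, user: str, efile: EFile, doc_type: str, today: date) -> bool:
    """Return True only if an explicit rule grants access (default deny)."""
    if doc_type not in DOC_TYPES:
        return False                    # unlisted document types are never served
    if role in FULL_ACCESS:
        return True
    if role == "Payroll Manager":
        return doc_type in PAYROLL_TYPES
    if role == "Recruiter":             # access ends once the contract is concluded
        return efile.contract_concluded is None or today < efile.contract_concluded
    if role == "Employee":              # employees see only their own eFile
        return user == efile.owner
    return False                        # roles without a rule, e.g. "HR Analyst"

def viewable(role: str, user: str, efile: EFile, today: date) -> set:
    """Review helper: every document type this user may open in this eFile."""
    return {t for t in DOC_TYPES if can_view(role, user, efile, t, today)}
```

Running `viewable` for every role before go-live gives a reviewable matrix of who can open what, and shows which roles still have no rule and therefore no access.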

Authorization concepts in the ECM

You benefit when you implement authorization concepts in digital tools. You can make changes to the concepts directly in the software. Document-specific authorizations are retained, for example, even when the document moves from the filing system to the archive. 

As an enterprise content management system (ECM system), Doxis is highly customizable and configurable. This also makes it possible to create very complex authorization concepts. If you integrate third-party systems in the ECM system via interfaces or vice versa, the authorizations also carry over. This means that your authorization concept applies automatically to the entire connected system landscape. 

Authorization concepts between Doxis and SAP SuccessFactors 

Doxis also features an interface to SAP SuccessFactors. Through system integration, SAP accepts all authorization concepts from Doxis. In other words, Doxis transfers all authorization concepts so that they automatically take effect in SAP SuccessFactors. If the authorization concept in Doxis indicates that an employee is not allowed to view pay statements, the employee will also not be able to access them in SAP SuccessFactors. 

Does AI also comply with authorization concepts?

Whether artificial intelligence (AI) also follows authorization concepts depends on two questions: 

  • How is AI integrated in the system? 

  • Does the AI program share a data pool with the ECM system? 

In Doxis, the AI program Doxi complies with the stored authorization concepts and rules. When a request is made (prompt), Doxi first accesses the Doxis data pool. Only then does it forward the prompt to a language model. 

For example, if an employee asks for sensitive data that does not match their access rights, they will not get this information from Doxi. Doxi only responds with information that an employee is authorized to access. The basis for Doxi’s response is the stored authorization concepts. This means that there are no risks associated with using AI. 
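The ordering described above, with authorization applied to retrieved documents before anything is forwarded to the language model, as an added sketch (not Doxi's implementation). The data pool, the per-document role sets, and the function names are constructed for illustration.

```python
# Constructed sample data pool: each document carries the roles allowed to read it.
POOL = [
    {"id": "D1", "type": "Pay statement", "roles": {"HR Manager", "Payroll Manager"},
     "text": "Pay statement March: gross 5,000 EUR"},
    {"id": "D2", "type": "Vacation requests", "roles": {"HR Manager", "HR Generalist"},
     "text": "Vacation request: 12-16 August approved"},
    {"id": "D3", "type": "Application", "roles": {"HR Manager", "Recruiter"},
     "text": "Application: cover letter and CV"},
]

def search(pool, query):
    """Naive keyword retrieval standing in for a real search index."""
    words = query.lower().split()
    return [d for d in pool if any(w in d["text"].lower() for w in words)]

def build_prompt(role, query, pool=POOL):
    """Filter search hits by the caller's role, then assemble the model prompt.

    Returns (prompt, withheld_ids). Withheld ids are meant for an audit log
    and are never placed in the prompt, so the model cannot leak that content.
    """
    hits = search(pool, query)
    allowed = [d for d in hits if role in d["roles"]]
    withheld = [d["id"] for d in hits if role not in d["roles"]]
    context = "\n".join(f"[{d['id']}] {d['text']}" for d in allowed)
    prompt = f"Answer using only this context:\n{context}\n\nQuestion: {query}"
    return prompt, withheld
```

Because the filter runs before prompt assembly, a document the user may not read never reaches the model, regardless of how the question is phrased.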

Protect information with cross-system authorization concepts

With authorization concepts, organizations can protect their data and reduce information overload. When used correctly, these concepts increase productivity, strengthen security, and make it easier to quickly access information. ECM systems ensure compliance with access rights across systems. Once the authorizations are stored in Doxis, they are available via the interfaces in every third-party system. This enables you to manage authorization concepts efficiently. 

FAQs about authorization concepts 

What belongs in an authorization concept?

An authorization concept is related to the person, role, or information to which this authorization applies. Part of the concept is who has access to what information and up to which point.

Can authorizations be imported to other systems?

You can transfer authorizations in Doxis to multiple systems using interfaces. Once implemented, these authorizations are active in every connected system. Regardless of the system selected, users only see the data for which they have access rights.

Why is an authorization concept important?

An authorization concept ensures data such as trade secrets or personal data are protected in compliance with legal regulations such as the GDPR. Authorization concepts also reduce information overload, and they ensure that users only see the data relevant to them and for which they are authorized.
