Who Has Access to What?

The short version

Right now, every app at your company has its own login, admin, and idea of who should have access. Access control connects them all to one system. One login. One place to grant access. One place to revoke it.

That system is called an identity provider. We deploy Okta or Microsoft Entra ID depending on your stack. The result is fewer passwords, faster onboarding, instant offboarding, and a clear audit trail for every access decision.

Most companies with fewer than 50 people do not need to buy a new platform. If you use Microsoft 365 or Google Workspace, you already have a built-in identity provider. You just are not using it. We help you configure what you have first, and only recommend dedicated tools when complexity justifies it.

This is for you if

Someone left your company last month and you are not certain all their access is revoked

New hires wait days for accounts because someone sets them up manually

More than one person has admin access to everything

An auditor or customer asked about your access controls and you did not have a confident answer

Your team shares passwords for tools that do not support individual logins

You are on Microsoft 365 or Google Workspace platform, but your team still has separate logins for every app

Where most companies are

You do not need to start at stage four. Most of our clients start at two or three. The right approach depends on how many people you have, how many apps you use, and whether compliance is on your radar yet.

Stage 01Any size

Password manager and MFA

Use a password manager like 1Password or Bitwarden. Enforce MFA on everything that supports it. This costs little and solves 80% of the problem.

Stage 02Starting out

Use what you already pay for

If you use Microsoft 365, Entra ID gives you SSO and MFA out of the box. Google Workspace includes SAML SSO. Connect your core apps. This is a configuration project, not a platform purchase.

Stage 03Growing teams

Dedicated identity platform

This is where a platform like Okta makes sense. You have enough apps, joiners and leavers, and compliance pressure that operational savings cover tooling costs.

Stage 04Scaling operations

Full lifecycle automation

HRIS-driven provisioning. Access reviews on a schedule. Compliance evidence is generated automatically. Your identity system runs itself.

What it actually costs you

Every password reset costs your help desk £15-50 in staff time and lost productivity. Factor in employee downtime and each reset easily costs £50. If your IT person handles ten resets a week, that is £8,000-26,000 a year on a problem SSO eliminates entirely.

Every day a former employee can still log into your CRM is a day your customer data is exposed to someone you no longer control. Most companies take days to revoke access after someone leaves. Some take weeks. That is a liability you did not need.

Three days of a new hire sitting idle while accounts are created is money. At £300 a day fully loaded, that is £900 per hire before they do anything useful. Multiply that by every person you onboard this year.

When a prospect asks for your SOC 2 report and you do not have one, you lose the deal. When an auditor asks who has access to what and your answer is a spreadsheet, you fail the audit. Access controls remain a technical checkbox. They stand between you and the contracts you want to win.

Your team reuses passwords. Everyone does. The same password across Slack, their CRM, a project management tool, and that SaaS app they signed up for last year. When one of those services gets breached, attackers do not hack you. They log in.

There is also the SSO tax. Many SaaS vendors lock single sign-on behind their most expensive plan. That means doing this properly requires someone who knows which apps support SSO on which tier, and how to work around the ones that charge extra for it. We handle that as part of scoping, so there are no surprises.

What you probably already have

If you are on Microsoft 365 Business Premium, you already have Entra ID. It supports SSO, MFA, and conditional access policies. You are paying for it. You are just not using it as an identity provider. Most of the access control your company needs is already included in your subscription.

If you use Google Workspace, SAML SSO is built in. Your team can sign in to supported apps with their Google accounts. You just need someone to configure it.

We configure what you already have before recommending anything new. If your existing stack covers your needs, we will tell you. If not, we will explain exactly why and what the alternative costs.

What changes

One login per person, across every app

New hires get access on day one, automatically

Leavers lose access the moment HR confirms departure

Every access decision is logged and auditable

For the technical detail on how we deploy this, see our IAM service page.

Did you know?

We can connect your identity provider to your devices too. That means the same login your team uses for email, Slack, and every other app also unlocks their laptop. No separate machine password. And the industry is moving towards passwordless authentication, where biometrics and hardware keys replace passwords entirely. We will configure that for you as soon as it is viable for your stack.

Everything is documented and production-ready

We build your identity configuration as code: version-controlled, documented, and repeatable. When an auditor asks for evidence, the code itself is the evidence. Your team can reference and maintain configurations without reverse-engineering anything.

How long, and will it hurt?

Most rollouts take four to eight weeks. We connect one app at a time, so there is no big-bang cutover and nothing breaks. Your team barely notices the change until they realise they have stopped resetting passwords.

Access Control FAQ

Do I need to understand any of this technically?

No. That is our job. We explain what we are doing and why in plain English. You make the decisions, we handle the implementation.

How disruptive is the switch?

Barely noticeable. We roll out app by app, tested before going live. Most users see less friction, not more, because they stop juggling multiple logins.

What if we already have something in place?

We work with what you have. If your current setup is partially there, we build on it. We do not rip anything out unless there is a good reason.

How much does this cost?

It depends on the size and complexity of your environment. We quote per project, not per hour. Book a 20-minute call and we will give you a ballpark before you commit to anything.

What happens after it is set up?

We either hand over with full documentation or stay on for ongoing managed support. Your choice. Either way, nothing depends on us being around.

Is this only for large companies?

No. If you have more than 10 people and 5 or more cloud apps, you benefit from centralised access control. The tooling scales down just fine.

We only have 20 people. Is this worth it?

Yes. If you are on Microsoft 365 or Google Workspace, you already have SSO and MFA included. The cost is configuration, not a new platform. The question is not whether you need it, but whether you can afford not to have it when your first enterprise client asks about your security posture.

What is the SSO tax and will it affect us?

Some SaaS vendors charge more for SSO support, locking it behind enterprise plans. We know which apps do this and how to work around it. Part of our scoping process is identifying where the SSO tax applies so there are no surprises.

Ready to get started?

Book a free 20-minute call. We will tell you what you need, what you do not need, and what it costs.

Book Free Call View IAM Services

Access Control