What Is Identity Management?

IAM explained — why SMBs need authentication and access control too

Identity management, known in the industry as Identity and Access Management (IAM), governs who in an organisation is allowed to access which resources. It encompasses all the processes, technologies and policies that ensure only authorised individuals gain access to systems, data and devices.

For many small and medium-sized businesses, this sounds like a topic reserved for enterprises with thousands of employees. Yet reality shows that SMBs are particularly vulnerable to security gaps caused by a lack of identity management. Shared passwords, unsecured multifunction printers (MFPs) and missing audit logs are everyday occurrences in many offices, and potential GDPR violations at the same time.

This article explains the fundamentals of identity management, highlights the differences between authentication and authorisation, and describes how businesses of any size can get started with simple, practical steps.

What Is Identity and Access Management (IAM)?

The three core questions IAM answers

Identity and Access Management (IAM) is a framework of policies and technologies that answers three fundamental questions:

  • Identification: Who is this person? (User account, employee ID)
  • Authentication: Is this person really who they claim to be? (Password, badge, fingerprint)
  • Authorisation: What is this person allowed to do? (Access to systems, printers, folders)

In practice, this means: an employee presents their identity (e.g. by tapping a badge at the MFP), the system verifies that the badge belongs to a valid, active account, and then grants exactly the functions assigned to that account, nothing more, nothing less.

IAM in one sentence: Identity management ensures that the right people, at the right time, for the right reasons, can access the right resources — and no one else.

Authentication vs. Authorisation

Two concepts that are often confused — yet fundamentally different

The terms authentication and authorisation are frequently used interchangeably in everyday language. For effective identity management, however, understanding the difference is critical:

Criterion       | Authentication                       | Authorisation
Core question   | Who are you?                         | What are you allowed to do?
Timing          | Before access                        | After successful authentication
Method          | Password, badge, PIN, biometrics     | Roles, groups, policies
MFP example     | Employee taps badge on card reader   | MFP displays only permitted functions (e.g. scan yes, colour print no)
Administration  | User directory (Active Directory)    | Permission matrix, group policies

Both concepts work together: without authentication, the system does not know who is accessing it. Without authorisation, every authenticated user has access to everything. Only the combination of both creates a secure identity management system.

Why SMBs Need Identity Management Too

The GDPR applies to every organisation — regardless of size

Many SMBs underestimate the relevance of identity management. The argument is often: "We're only 30 employees, we all know each other." But the GDPR does not differentiate by company size. Article 32 requires "appropriate technical and organisational measures" to protect personal data — and this applies to a company with 10 employees just as much as to a large corporation.

Typical Risks Without IAM

The following scenarios are commonplace in many SMBs — and simultaneously potential data protection violations:

  • Shared passwords: Multiple employees use the same login for the printer or scanning system. In the event of an incident, it is impossible to determine who was responsible.
  • Unsecured MFPs: Multifunction devices are accessible without login. Personnel files, payslips or client documents sit unprotected in the output tray.
  • No audit trail: There is no record of who printed, scanned or copied what and when. During a data protection audit, no evidence can be provided.
  • Missing offboarding processes: When an employee leaves the company, their access to devices and systems often remains active.
  • No role separation: Every employee has access to all functions — the intern can print the same documents as the managing director.

Fine risk: GDPR violations can result in fines of up to 20 million euros or 4% of annual global turnover, whichever is higher. Even SMBs have already received five-figure fines for inadequate technical measures.

The Four Components of an IAM System

What makes a functioning identity management system

1. User Directory (Active Directory)

The user directory is the central database of all user identities. In many organisations this role is filled by Microsoft Active Directory (AD), where user accounts, group memberships and organisational structures are maintained. AD acts as the "single source of truth": other systems, the MFP included, read or synchronise their user data from it rather than keeping their own copies. That is also what makes offboarding reliable: an account disabled in AD loses its device access with the next synchronisation instead of lingering on the printer.

2. Authentication

The authentication layer verifies a user's identity. Depending on security requirements, various methods are available:

  • Knowledge: Password, PIN code
  • Possession: NFC badge, smartphone, token
  • Biometrics: Fingerprint, facial recognition
  • Combination (2FA): Badge + PIN for enhanced security

A badge on its own is a single factor (possession). If it is lost or lent, whoever holds it can authenticate until the card is blocked in the directory. For sensitive functions such as scanning personnel files, the badge should therefore be combined with a PIN, giving two independent factors.

3. Permissions (Authorisation)

After successful authentication, the permissions system determines which resources the user may access. This is typically implemented through Role-Based Access Control (RBAC): users are assigned to roles, each role has defined permissions, and any function that none of the user's roles grants is denied by default. For example: the "HR" role can scan personnel files; the "Marketing" role cannot.

4. Logging (Audit Trail)

A complete audit trail documents all access, including rejected attempts: who performed which action, when and at which device? This logging is essential not only for GDPR compliance but also for internal transparency. In the event of a security incident, it is possible to trace exactly what happened.
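The four components above, and the three core questions and the authentication/authorisation comparison earlier on the page, are easiest to see as separate steps in code. The following is an added example written for this article, not Docuflair's software or any real MFP firmware. The user directory, badge UIDs, PINs, roles and device name are constructed stand-ins for an Active Directory; what the block shows is the order of the steps, deny-by-default authorisation, a disabled (offboarded) account failing at authentication, and every attempt, allowed or denied, landing in the audit trail.

```python
"""Toy IAM core for an MFP login: identification, authentication,
authorisation and audit logging as four separate steps, deny by default.
Users, badge UIDs, PINs and device names are constructed for this example
and stand in for an Active Directory user directory."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PINs are never stored in clear; a copied directory must not reveal them.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset
    pin_hash: bytes
    pin_salt: bytes
    enabled: bool = True


def _make_user(username, roles, pin, enabled=True):
    salt = os.urandom(16)
    return User(username, frozenset(roles), _hash_pin(pin, salt), salt, enabled)


# 1. User directory (constructed): the single source of truth for accounts.
DIRECTORY = {
    "a.mueller": _make_user("a.mueller", {"hr"}, "4711"),
    "b.schmidt": _make_user("b.schmidt", {"marketing"}, "2580"),
    "c.weber": _make_user("c.weber", {"staff"}, "1357", enabled=False),  # offboarded
}
# Badge UID -> account. A UID that is not enrolled identifies nobody.
BADGES = {"04A3F2C1": "a.mueller", "04B7E019": "b.schmidt", "04C0D5AA": "c.weber"}

# 3. Permissions (RBAC): role -> MFP functions. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "hr": {"scan", "print_bw", "scan_personnel_files"},
    "marketing": {"scan", "print_bw", "print_colour"},
    "staff": {"scan", "print_bw"},
}
# Sensitive functions that require badge + PIN (two factors).
PIN_REQUIRED = {"scan_personnel_files"}

# 4. Audit trail: every attempt, allowed or denied, gets a record.
AUDIT_LOG = []


def audit(device, badge_uid, username, function, outcome):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "device": device, "badge": badge_uid, "user": username,
        "function": function, "outcome": outcome,
    })


def identify(badge_uid):
    """Identification: which account, if any, is enrolled for this badge?"""
    username = BADGES.get(badge_uid)
    return DIRECTORY.get(username) if username else None


def authenticate(badge_uid, pin=None):
    """2. Authentication: badge enrolled, account active and, if a PIN is
    supplied, the PIN matches. Disabled accounts fail here, so disabling the
    account in the directory is enough to lock the user out of the device."""
    user = identify(badge_uid)
    if user is None or not user.enabled:
        return None
    if pin is not None and not hmac.compare_digest(_hash_pin(pin, user.pin_salt), user.pin_hash):
        return None
    return user


def authorise(user, function):
    """3. Authorisation: allowed only if one of the user's roles lists the function."""
    return any(function in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def request_function(device, badge_uid, function, pin=None):
    """The full MFP flow: authenticate first, then authorise, logging the outcome."""
    if function in PIN_REQUIRED and pin is None:
        audit(device, badge_uid, None, function, "denied:pin_required")
        return False
    user = authenticate(badge_uid, pin)
    if user is None:
        audit(device, badge_uid, None, function, "denied:authentication")
        return False
    if not authorise(user, function):
        audit(device, badge_uid, user.username, function, "denied:authorisation")
        return False
    audit(device, badge_uid, user.username, function, "allowed")
    return True


if __name__ == "__main__":
    print(request_function("mfp-02", "04A3F2C1", "scan"))                          # True
    print(request_function("mfp-02", "04A3F2C1", "print_colour"))                  # False: HR has no colour
    print(request_function("mfp-02", "04A3F2C1", "scan_personnel_files", "4711"))  # True
    print(request_function("mfp-02", "04C0D5AA", "scan"))                          # False: account disabled
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed PIN and an unknown badge both produce "denied:authentication" rather than revealing which check failed, while the audit record still captures the raw badge UID so an administrator can tell them apart afterwards.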

Getting Started: Badge System at the MFP

Identity management begins at the multifunction device

For many organisations, the multifunction device is the ideal starting point for identity management. The reason: MFPs process confidential documents daily — from personnel files to contracts to client records. At the same time, implementing a badge system at the MFP is relatively straightforward and cost-effective.

How It Works

An NFC card reader is installed at the MFP. Employees tap their company ID card or NFC card on the reader to authenticate. After successful login, their personal scan profiles, held print jobs and permissions are loaded automatically. Print jobs that are not collected within a defined period are deleted automatically, so confidential documents no longer sit unattended in the output tray.
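The print-job side of that flow is called pull printing: the job waits on the server, is shown only to its owner, is released only when the owner authenticates at a device, and is deleted if nobody collects it. The block below is an added illustration written for this article, not Docuflair's code. The user names, job names, device name and the 8-hour hold window are assumptions; it walks through an HR payslip that a colleague cannot see or release, and a second job that expires uncollected.

```python
"""Toy pull-print queue: a job is held on the server until its owner
authenticates at an MFP and releases it; other users never see it, and jobs
not collected within the hold window are deleted. Users, job names, device
name and the 8-hour window are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOLD_WINDOW = timedelta(hours=8)  # assumed retention period, set by policy


@dataclass
class PrintJob:
    job_id: int
    owner: str
    name: str
    submitted: datetime


class PullPrintQueue:
    def __init__(self, hold_window=HOLD_WINDOW):
        self._jobs = {}       # job_id -> PrintJob, held until release
        self._next_id = 1
        self.hold_window = hold_window
        self.events = []      # (when, job_id, owner, event) for the audit trail

    def _record(self, when, job, event):
        self.events.append((when.isoformat(), job.job_id, job.owner, event))

    def submit(self, owner, name, now):
        """Spooling stores the job server-side; nothing reaches paper yet."""
        job = PrintJob(self._next_id, owner, name, now)
        self._next_id += 1
        self._jobs[job.job_id] = job
        self._record(now, job, "held")
        return job.job_id

    def purge_expired(self, now):
        """Delete uncollected jobs older than the hold window."""
        for job_id, job in list(self._jobs.items()):
            if now - job.submitted > self.hold_window:
                del self._jobs[job_id]
                self._record(now, job, "deleted:expired")

    def pending_for(self, username, now):
        """What an authenticated user sees on the panel: only their own jobs."""
        self.purge_expired(now)
        return [j for j in self._jobs.values() if j.owner == username]

    def release(self, username, job_id, device, now):
        """Send a job to the device the user is standing at; refuse anyone else's."""
        self.purge_expired(now)
        job = self._jobs.get(job_id)
        if job is None or job.owner != username:
            return None   # unknown, expired, or owned by another user
        del self._jobs[job_id]
        self._record(now, job, f"released:{device}")
        return job


def demo():
    """HR payslips stay off the output tray until the HR employee taps in."""
    q = PullPrintQueue()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    payslips = q.submit("a.mueller", "payslips-january.pdf", t0)
    q.submit("a.mueller", "memo.pdf", t0)
    # A colleague authenticates at the same MFP an hour later: sees nothing,
    # and an attempt to release the payslip job by its ID is refused.
    seen_by_other = q.pending_for("b.schmidt", t0 + timedelta(hours=1))
    taken_by_other = q.release("b.schmidt", payslips, "mfp-02", t0 + timedelta(hours=1))
    # HR authenticates two hours after submitting and releases the payslips.
    released = q.release("a.mueller", payslips, "mfp-02", t0 + timedelta(hours=2))
    # The memo is never collected; by the next morning it has been deleted.
    left_over = q.pending_for("a.mueller", t0 + timedelta(hours=20))
    return {
        "seen_by_other": len(seen_by_other),
        "taken_by_other": taken_by_other,
        "released": released.name if released else None,
        "left_over": len(left_over),
        "events": [e[3] for e in q.events],
    }


if __name__ == "__main__":
    print(demo())
```

The ownership check in `release` is the security-relevant line: a job ID that appears on someone else's panel, or is guessed, is useless without the owner's authenticated session. Expiry runs on every panel interaction so a queue is never trusted to be current without a purge.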

Benefits at a Glance

  • Immediate security: No unauthorised access to print, scan and copy functions
  • GDPR compliance: Traceable audit trail for all device access
  • Cost efficiency: NFC cards cost 2-5 euros each; existing access cards can often be reused
  • User-friendliness: Tapping a badge takes less than a second — faster than any password
  • Active Directory integration: Users and permissions are synchronised automatically

Practical tip: If your organisation already uses access cards for building security, you can use the same cards for MFP authentication. One card for door access, printer and canteen simplifies administration and reduces costs. Make sure the card is blocked in every connected system when it is reported lost or the employee leaves, so that a single revocation closes both the door and the printer.

IAM in Practice: Three Scenarios

How identity management transforms daily workflows

Scenario 1: Law Firm with 15 Employees

A law firm processes client files containing highly sensitive data daily. Without IAM, any employee can print or scan any file at the MFP. With a badge system, each lawyer sees only their own scan profiles and print jobs. The assistant has access to general functions but not to other lawyers' case files. The audit trail documents every access — essential for client confidentiality.

Scenario 2: Mid-Sized Company with 80 Employees

The HR department regularly prints payslips. Without IAM, anyone can see these in the output tray. With pull printing, payslips are only printed when the HR employee personally authenticates at the MFP. Additionally, colour printing is restricted to the marketing department — saving toner costs.

Scenario 3: Government Agency with Public Access

In a local authority, MFPs are distributed across different departments. Without IAM, a visitor in the waiting area could use an unattended device. With access control, every device is locked and only unlocks after badge authentication. Different departments have different permissions — the registry office can process different documents than the planning department.

Experience Identity Management in Practice

Docuflair Access Control and Identity offer badge authentication, pull printing and GDPR-compliant access control for MFP fleets of any size. Schedule a free demo and see IAM in action.

Frequently Asked Questions

Answers to the most important questions about identity management

What is the difference between authentication and authorisation?

Authentication answers the question "Who are you?" — it verifies a user's identity, for example through a password, badge or fingerprint. Authorisation answers the question "What are you allowed to do?" — it determines which resources and functions an authenticated user can access. Both concepts are fundamental to effective identity management.

Do small businesses need identity management?

Yes, because the GDPR applies regardless of company size. Even an unsecured MFP where personnel files or payslips sit unprotected in the output tray can constitute a data protection violation. For SMBs, a badge system at the MFP provides a simple and cost-effective entry point into identity management.

What risks arise without identity management?

Without IAM, significant risks emerge: shared passwords make individual access untraceable, unsecured MFPs allow unauthorised access to confidential documents, and without an audit trail, it is impossible to demonstrate who accessed what data and when during a data protection audit. In the worst case, GDPR fines of up to 20 million euros may apply.

How can businesses get started with identity management?

The simplest entry point is a badge system at the MFP. Employees authenticate via NFC card, the device only unlocks after login, and print jobs are only released after identification. This protects confidential documents, provides an audit trail and supports the technical measures the GDPR requires, without a complex IT project.
