A residential care group operating 8 care homes across the Midlands. Each home had its own SharePoint site for policies, procedures, staff records, and operational documents. Access to these sites was managed manually, with IT processing individual requests whenever someone joined, transferred between homes, or left the organisation.
Service: Managed IT
Sector: Residential care
SharePoint access was managed entirely by hand. When a new care worker started at the Nottingham home, someone in IT had to manually add them to the correct SharePoint groups. When a senior carer transferred from the Derby home to a role at the Mansfield home, their permissions had to be updated manually. When someone left, their access had to be removed manually.
In practice, this meant permissions were often wrong. New starters waited days for access to essential policies and procedures they needed from their first shift. Leavers retained access to sensitive resident information long after they had gone. Staff who transferred between homes accumulated permissions from every location they had worked at, ending up with access to far more than their current role required.
For an organisation handling safeguarding records, care plans, medication administration records, and personal data for vulnerable adults, this was a serious compliance risk. If CQC asked who had access to what and why, there was no clear answer. The principle of least privilege was impossible to enforce when every permission change depended on someone remembering to raise a ticket and IT finding time to action it.
The IT team was spending disproportionate time on routine manual work - creating accounts, adjusting permissions, chasing managers for approval - instead of supporting the technology that care staff actually depended on.
We implemented Azure AD Dynamic Groups to automate SharePoint access based on three attributes already held in the directory: job role, department, and care home location.
The logic maps directly to how care homes operate. A Registered Manager at the Nottingham home is automatically granted full read and write access to that home's SharePoint site, including policies, incident records, and operational documents. They also receive read-only access to the group-wide policy library and HR document templates. Care workers receive access to their home's operational documents - rotas, handover notes, training materials - on their first day.
The same model was applied across all 8 homes. Senior carers have access to care planning documents. Administrative staff have access to HR files and invoicing. Each home has its own structure, and cross-site visibility is granted on a read-only basis where the group needs consistency - safeguarding policies, medication protocols, and CQC preparation documents are shared centrally.
When HR updates someone's role or location in the directory, SharePoint access adjusts automatically. A care worker transferring from the Derby home to the Mansfield home loses access to Derby's documents and gains access to Mansfield's - without anyone raising a ticket.
We documented the entire access policy formally, creating a clear audit trail that maps every SharePoint permission to a business rule. The document is structured so it can be presented during CQC inspections or information governance reviews without any additional preparation.
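As an added example (not the provider's own script), the Microsoft Graph PowerShell below creates one dynamic group per home and role from the three attributes described above, and exports the group-to-rule mapping as the starting point for the documented audit trail. Assumed: the attributes are held in user.jobTitle, user.department and user.officeLocation; the homes, roles and group naming scheme SP-<home>-<role>-<tier> are constructed for illustration; the tenant holds the Entra ID P1 licence that dynamic membership requires.

```powershell
# Added example, not the provider's own script. Requires Microsoft.Graph.Groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Constructed subset of the 8 homes (assumed values of user.officeLocation)
$homes = @("Nottingham", "Derby", "Mansfield")

# Role -> department it belongs to and the SharePoint tier it gets on its own home's site
# (Members = read/write, Visitors = read-only). Assumed mapping, not the provider's policy document.
$roles = @{
    "Registered Manager" = @{ Department = "Care";           Tier = "Members"  }
    "Senior Carer"       = @{ Department = "Care";           Tier = "Members"  }
    "Care Worker"        = @{ Department = "Care";           Tier = "Visitors" }
    "Administrator"      = @{ Department = "Administration"; Tier = "Members"  }
}

foreach ($home in $homes) {
    foreach ($role in $roles.Keys) {
        $dept = $roles[$role].Department
        $tier = $roles[$role].Tier
        # Entra dynamic membership rule: all three attributes must match, and the account must
        # still be enabled, so a disabled leaver drops out of the group (and its SharePoint grant)
        # and a transfer whose officeLocation changes moves between homes without a ticket.
        $rule = "(user.jobTitle -eq `"$role`") and (user.department -eq `"$dept`") " +
                "and (user.officeLocation -eq `"$home`") and (user.accountEnabled -eq true)"
        $name = "SP-$home-$role-$tier" -replace ' ', ''
        New-MgGroup -DisplayName $name -MailNickname $name `
                    -MailEnabled:$false -SecurityEnabled `
                    -GroupTypes @("DynamicMembership") `
                    -MembershipRule $rule -MembershipRuleProcessingState "On" | Out-Null
        Write-Host "Created $name"
        # Next step (done in SharePoint, not shown): add this group to the site's
        # Members or Visitors SharePoint group according to $tier.
    }
}

# Audit trail: every dynamic group with the rule that grants its membership, as a CSV
# that can be attached to the access policy document for a CQC or IG review.
Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
            -Property DisplayName,MembershipRule -All |
    Select-Object DisplayName, MembershipRule |
    Export-Csv -Path ".\sharepoint-access-rules.csv" -NoTypeInformation
```

Membership evaluation in Entra is asynchronous, so allow a few minutes after creating a group or changing a user's attributes before checking Get-MgGroupMember.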
SharePoint access is now fully automated across all 8 care homes. New starters get the right permissions within minutes of their HR record being created. Leavers' access is revoked automatically when their account is disabled. Staff transferring between homes receive correct permissions without IT intervention.
The principle of least privilege is enforced consistently - every user has access to exactly what their role requires, nothing more. The accumulation of permissions from previous roles and locations, which had been a persistent problem under the manual system, no longer happens.
The access policy is documented, auditable, and available for CQC compliance reviews whenever needed. For a care group handling sensitive resident data across multiple homes, this is a significant improvement over the informal, undocumented approach that was in place before.
The IT team no longer processes individual access requests. The time previously spent on manual permission management is now spent on work that actually improves technology for care delivery.
Automated access across 8 care homes
Permissions assigned by role, department, and care home
Automatic provisioning for starters, leavers, and transfers
Read/write and read-only tiers based on role
Documented, auditable access policy for CQC compliance
IT freed from manual permission management