BG Beter Geregeld ICT
Access management · 3 min read · 21 September 2025

Build your first access matrix in an afternoon

The simplest step in access management is also the most important: write down who has access to what. Here's the recipe for a workable first version in under four hours.

Many SMBs kick off access management by jumping straight into comparing tools. That's the wrong first step. Start with a matrix: a simple grid that shows at a glance who has access to what. Build time: one afternoon, if you follow the recipe below.

Step 1: List of people (20 minutes)

Open a spreadsheet. Put everyone on the payroll in column A. Add a "type" column: employee, contractor, or external (e.g. an accountant with access to Exact). Add a status column: active, scheduled, inactive.

Tip: start from your HR system — or, if you don't have one, the list from your accounting package. Don't forget former employees from the past year. We'll run into them later as "orphaned access".

Step 2: List of systems (30 minutes)

Now the other axis: which systems process sensitive or business-critical data? Don't start with everything. Start with this list:

  • Email / Microsoft 365 / Google Workspace
  • Your CRM (Salesforce, Pipedrive, HubSpot)
  • Accounting (Exact, Moneybird, Twinfield, TeamLeader)
  • Cloud infrastructure (AWS, Azure, GCP)
  • Code repositories (GitHub, GitLab, Bitbucket)
  • Password vault (1Password, Bitwarden)
  • Communication (Slack, Teams)
  • File storage (Dropbox, OneDrive, Google Drive)

You can expand to tier-2 systems later (design tools, marketing tools, specific SaaS). See also: Setting up a SaaS inventory.

Step 3: Fill in the cells (2 hours)

For each person × system combination, enter one of four values:

  • has_access — has access, you're certain
  • no_access — no access, you're certain
  • needs_review — uncertain, needs checking
  • unknown — never thought about it

Try to fill it in from memory first. Then go through each system and check what the admin interface shows (see M365 governance for how to do this in Entra). Where you're unsure: needs_review. That alone will fill another afternoon.

Step 4: Flag the anomalies (30 minutes)

Go through the matrix once, row by row. Ask yourself: "does this person have access to anything that seems off?" Typical findings in a first matrix:

  • Someone who left 8 months ago still shows has_access for Dropbox — offboarding gap
  • The marketer is Global Admin in M365 "because it was easier" — see least privilege
  • Your external accountant has access to an HR mailbox that shouldn't be in scope — classify this as privileged access
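The row-by-row pass from Step 4 can be scripted once the spreadsheet is exported as CSV. The following is an added example, not part of the original article: the column names (`person`, `type`, `status`, then one column per system), the sample rows, and the rule that every external `has_access` cell gets a scope check are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export of the matrix (names and cell values are made up).
SAMPLE_CSV = """person,type,status,Microsoft 365,Dropbox,Exact,GitHub
Anna,employee,active,has_access,has_access,no_access,unknown
Bram,employee,inactive,no_access,has_access,no_access,no_access
Carla,external,active,needs_review,no_access,has_access,no_access
Daan,contractor,scheduled,has_access,no_access,no_access,has_access
"""

CELL_VALUES = {"has_access", "no_access", "needs_review", "unknown"}
META_COLUMNS = ("person", "type", "status")


def flag_anomalies(csv_text):
    """Return (person, system, finding) tuples for cells that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = (row.get("status") or "").strip().lower()
        ptype = (row.get("type") or "").strip().lower()
        for system, raw in row.items():
            if system is None or system in META_COLUMNS:
                continue  # skip metadata and stray extra cells
            cell = (raw or "").strip().lower()
            if cell not in CELL_VALUES:
                finding = f"invalid value {cell!r}"
            elif cell == "has_access" and status == "inactive":
                finding = "orphaned access: offboarding gap"
            elif cell == "has_access" and ptype == "external":
                finding = "external party: confirm this system is in scope"
            elif cell in ("needs_review", "unknown"):
                finding = f"{cell}: check the admin interface"
            else:
                continue
            findings.append((row["person"], system, finding))
    return findings


if __name__ == "__main__":
    for person, system, finding in flag_anomalies(SAMPLE_CSV):
        print(f"{person:8} {system:15} {finding}")
```

Role-level findings such as the Global Admin case are not visible in a four-value matrix; they still need the manual pass or an extra note column.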

From spreadsheet to tool

After a few months you'll notice the spreadsheet is getting out of hand: versions floating around in email, a tab for every year, nobody knowing which one is current. That's the moment to move to a tool. Start with something that has the same structure (person × system × status + note) — like AccessGuard — so you don't have to start from scratch.

You can see your first matrix in action in the public demo, with 6 employees × 6 systems and 2 automatically flagged risks.

Topics

#mkb #start-hier #iam #access-matrix #getting-started

Full guide: Access control for SMBs: the complete guide (2026)

This article is part of our comprehensive Access Management guide. Read the pillar for the full picture.
