Every law firm believes it knows who can access client data. In practice, very few can prove it.
Over time, Active Directory groups multiply. Matter folders are copied and reused. Temporary access granted for urgent cases is never revoked. Partners move, assistants change teams, mergers happen, and permissions quietly accumulate in the background. What starts as a structured access model slowly becomes a web of inherited rights and nested groups that no one fully understands.
The real risk isn’t whether someone accessed a file yesterday. It’s whether you can confidently answer a far more important question:
Who could access this client matter at any point in time, and why?
For firms built on trust, confidentiality, and regulatory accountability, that gap is dangerous. When access rights drift away from policy, the firm is exposed, not just to data breaches, but to reputational damage, compliance scrutiny, and client loss.
In this blog, we’ll examine how access ambiguity develops inside law firm environments, why traditional auditing approaches fall short, and what firms can do to regain clarity and control over who truly has access to sensitive case data.
Why Access Works Differently in Law Firms
In most organizations, access is determined by department. Marketing groups utilize marketing tools; finance works with financial systems. These arrangements stay the same for long periods of time. A law firm’s work revolves around cases, not departments. Each case requires a new team to work on it, so access needs vary depending on how far along a case is. Associates frequently switch from one practice area to another, partners assume multiple responsibilities, and conflict management teams need consistently managed visibility.
As a result of these considerations, we find many law firms experiencing the following situations:
- Access needs change on a fairly regular basis based on how the case is progressing.
- The same person may require different access levels at different times for different cases.
- Access is frequently granted temporarily, with no documented date for when it will be removed.
- Technical controls must be in place to ensure ethical walls do not fail.
- There are professional and legal implications associated with historical access records.
- Classic access management models that work well in other settings struggle with how quickly cases change.
The likely result is a growing mismatch between how long it takes to obtain access and how long it takes to have it removed once you are no longer working on a matter.
Access Intent vs Access Reality
Most law firms have a defined access model.
There is a documented process for onboarding staff, granting matter access, and aligning permissions to roles. Partners approve access. IT implements it. Policies exist. On paper, everything is controlled.
That is Access Intent, the access the firm believes it has granted.
Access Reality, however, is something different. It reflects the effective permissions enforced by NTFS on file servers, driven by Active Directory group memberships, nested groups, and inherited rights. It represents what a user can actually access, not what policy says they should.
Over time, Intent and Reality drift apart.
Not because of one catastrophic mistake, but because of normal operational activity:
- Nested groups that create indirect access paths
- Inherited permissions from reorganized folder structures
- Legacy permissions that continue after a job change
- Temporary access grants that become permanent by default
- Higher permissions granted than the role requires
Each individual change appears logical. Each request is approved for a reason. But collectively, they create cumulative overexposure.
In law firms, where matter teams change frequently, restructures are common, and ethical walls must be enforced, this drift happens faster than most expect.
The danger is subtle.
It’s not a single broken permission.
It’s the widening gap between what the firm intended to allow and what the environment actually allows.
And the longer that gap exists, the harder it becomes to confidently answer a critical question:
Who truly has access to this matter, right now, and through which path?
How Nested Groups Create Unintended Access
The use of Active Directory groups simplifies access rights. Access is granted on a per-group rather than per-user basis, and when someone needs access, they are simply added to the group.
Things get complicated because groups can contain other groups, which in turn can contain further groups. Combined with folder inheritance, this nesting means effective access rights can reach users who were never intended to have them.
An example of this would be the following:
An associate becomes a member of a “Mitchell Matter Team” group to work on a specific case. The “Mitchell Matter Team” group is nested within the “Commercial Litigation – Active Matters” group to share resources. The “Commercial Litigation” group has read access to a shared research repository. When the research repository was reorganized last year, it was moved to a parent folder that had inherited broader permissions.
Because the associate is a member of the “Mitchell Matter Team” group directly and of the “Commercial Litigation – Active Matters” group through nesting, they can reach resources that nobody responsible for granting access to the “Mitchell Matter Team” group’s resources intended them to have. This is not a configuration error. The system is working as designed: several legitimate configurations combine to change the user’s effective permissions.
Each individual decision was reasonable. The associate needed Mitchell matter access. The Commercial Litigation group required shared resources. Folder reorganization served operational needs. But the combined effect is access no one explicitly intended to grant.
This becomes particularly problematic when reconstructing historical access. Answering “why did this user have access to this folder on a specific date?” requires understanding not just current group memberships, but the state of nested groups and inherited permissions as they existed at that time.
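The Mitchell example above, traced in code. This is an added illustration, not part of the original article or any vendor tool: the folder paths, the `Read`/`Modify` rights and the simplified allow-only ACL model (no deny entries or share permissions) are assumptions made for the sketch.

```python
from collections import namedtuple

Ace = namedtuple("Ace", "folder trustee rights")

# Constructed sample data modelled on the Mitchell example (all names assumed).
MEMBER_OF = {  # principal -> groups it is a direct member of
    "associate": ["Mitchell Matter Team"],
    "Mitchell Matter Team": ["Commercial Litigation - Active Matters"],
}
PARENT = {r"\\fs\Shared\Research": r"\\fs\Shared", r"\\fs\Shared": None}
ACES = [
    Ace(r"\\fs\Shared\Research", "Commercial Litigation - Active Matters", "Read"),
    Ace(r"\\fs\Shared", "Commercial Litigation - Active Matters", "Modify"),
]
BLOCKS_INHERITANCE = set()  # folders with inheritance disabled (none here)


def group_chains(principal, chain=()):
    """Yield every membership chain that starts at principal (cycle-safe)."""
    chain = chain + (principal,)
    yield chain
    for group in MEMBER_OF.get(principal, []):
        if group not in chain:
            yield from group_chains(group, chain)


def explain_access(user, folder):
    """Return sorted (rights, source, defined_on, chain) for each access path."""
    lineage, current = [], folder
    while current is not None:  # the folder plus every ancestor it inherits from
        lineage.append(current)
        current = None if current in BLOCKS_INHERITANCE else PARENT.get(current)
    paths = []
    for chain in group_chains(user):
        for ace in ACES:
            if ace.trustee == chain[-1] and ace.folder in lineage:
                source = "explicit" if ace.folder == folder else "inherited"
                paths.append((ace.rights, source, ace.folder, " -> ".join(chain)))
    return sorted(paths)


if __name__ == "__main__":
    for path in explain_access("associate", r"\\fs\Shared\Research"):
        print(path)
```

The inherited `Modify` entry is the one no approver signed off on: it comes from the parent folder's ACL, not from the grant on the research repository itself.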
Ethical Walls Don’t Fail, They Erode
An ethical wall is a set of rules and technical controls that stop one group of people from seeing another client’s files. It can be a policy, a set of folders with strict permissions, or group rules in Active Directory. Law firms implement ethical walls carefully. When representing clients with competing interests, IT creates separate groups, separate folders, and strict access controls based on documented policies. Then operational changes occur over time:
- A paralegal moves from one practice group to another. Their main group membership is changed appropriately, but they remain in multiple administrative groups that retain permissions reaching into the former ethical wall.
- A matter is closed, but its group structure stays in place because later matters continue to depend on the prior matter. New access rights assigned to the former matter’s group structure can change the access profile of the closed matter in ways that didn’t occur when the matter was opened.
- A partner assumes a management role requiring visibility across practice areas. They join a coordination group. That group has permissions that cross established ethical walls, not through intentional policy violation, but because the group was created after the wall and access models had evolved.
Ethical walls do not fail overnight. They erode gradually as the result of normal day-to-day business operations. The policies and their intent are documented. However, over time, each change made around an ethical wall can lead to a violation of its boundaries.
Current Access Doesn’t Tell the Whole Story
Most access reviews will answer a single question: who currently has access to this resource? While this is still informative, it does not address the types of questions that frequently arise in the legal context:
“Can you prove that no one from the ABC team had access to XYZ’s documents during the time period between March and June?”
“What date did this user first access this folder, and through what type of group membership?”
“Has anyone outside of the assigned team accessed this client’s data during the past 12 months?”
These are all historical questions. Historical access records are of great importance to law firms because they are used to:
- Log access types, users, and duration of access for purposes of privilege log compliance
- Confirm that ethical walls were enforced throughout representation when conducting conflict checks
- Identify potential access points during breach investigation processes
Professional liability defense also relies on demonstrating that access controls have functioned as intended. According to the American Bar Association, lawyers must make reasonable efforts to protect client confidentiality and avoid conflicts. This obligation appears in the Model Rules of Professional Conduct, including Rule 1.6 on confidentiality and Rule 1.7 on conflicts of interest. Firms are expected to take reasonable steps to safeguard client information.
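The March-to-June question above can only be answered by replaying a record of membership changes, not from today's snapshot. The following added example (not from the original article or any product) does that over a constructed change log; the group names, dates and day-level granularity are assumptions.

```python
from datetime import date, timedelta

# Constructed change log (date, action, member, group); all names are assumed.
EVENTS = [
    (date(2024, 1, 10), "add", "paralegal", "ABC Matter Team"),
    (date(2024, 1, 10), "add", "associate", "XYZ Matter Team"),
    (date(2024, 4, 2), "add", "ABC Matter Team", "Litigation Coordination"),
    (date(2024, 5, 15), "remove", "ABC Matter Team", "Litigation Coordination"),
]
# Groups holding an ACE on the XYZ matter folder (assumed unchanged all year).
FOLDER_TRUSTEES = {"XYZ Matter Team", "Litigation Coordination"}


def membership_at(day):
    """Replay the log up to and including day; return direct (member, group) edges."""
    edges = set()
    for when, action, member, group in sorted(EVENTS):
        if when > day:
            break
        (edges.add if action == "add" else edges.discard)((member, group))
    return edges


def could_access(user, day):
    """True if user reached any folder trustee through nesting on that day."""
    edges, reach, frontier = membership_at(day), set(), {user}
    while frontier:
        reach |= frontier
        frontier = {g for m, g in edges if m in frontier} - reach
    return bool(reach & FOLDER_TRUSTEES)


def exposure_windows(user, start, end):
    """Return [(first_day, last_day)] inside [start, end] when access existed."""
    checkpoints = sorted({start} | {e[0] for e in EVENTS if start < e[0] <= end})
    windows = []
    for i, day in enumerate(checkpoints):
        if not could_access(user, day):
            continue
        nxt = checkpoints[i + 1] if i + 1 < len(checkpoints) else end + timedelta(days=1)
        if windows and windows[-1][1] + timedelta(days=1) == day:
            windows[-1] = (windows[-1][0], nxt - timedelta(days=1))  # extend window
        else:
            windows.append((day, nxt - timedelta(days=1)))
    return windows
```

For the ABC paralegal, a review run on 30 June shows no access to the XYZ folder, while the replay reports the window opened by the temporary nesting into the coordination group.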
Why Permission Reviews Create False Confidence
Most firms conduct regular access reviews on a quarterly or monthly basis. A report generates a list of users and their access. Managers confirm whether team members still require their current permissions. The process completes.
This creates confidence that access is appropriately controlled.
However, standard access reviews typically don’t reveal:
- How users obtained their current access (which nested groups or inheritance paths granted it)
- When access was first granted, and whether it was intended as temporary
- Whether access derives from explicit assignment or automatic inheritance
- What changes occurred between review periods
- Whether the structure of permissions has shifted since the last review
Reviews validate the present state without examining how that state came to exist. More significantly, reviews are snapshots. They reflect access on the day the report runs. In law firms where access changes continuously between reviews, this approach validates a different access structure each time without visibility into interim changes.
This explains why firms can conduct diligent access reviews while still experiencing access drift. The reviews aren’t incorrect. They simply answer a narrower question than the environment requires.
How Firms Address This Problem
Organizations that successfully manage this challenge typically follow a similar progression.
First, they establish comprehensive visibility. This means understanding not just current access but how access is structured: which groups grant access to which resources, how those groups are nested, where inheritance creates unintended access paths, and what the effective permissions actually are versus what was explicitly granted.
Native Active Directory tools show group membership but don’t reveal the complete picture of nested groups, inheritance chains, and effective permissions that result from their interaction.
Second, they prioritize explainability. When someone asks, “Why does this user have access?”, the answer needs to be complete. Not just “they’re in a group with permissions,” but the full chain: this specific group, nested within this parent group, granted through this permission set, assigned on this date, modified when this structural change occurred.
This matters for audits, investigations, and professional confidence. It also matters operationally. If IT cannot explain why access exists, they cannot make informed decisions about modifying it.
Third, they monitor for drift. Access should change for documented reasons. When new access is granted, the cause should be clear. When groups are nested, the implications should be understood. When inheritance creates new effective permissions, those should be visible to the appropriate stakeholders.
The most effective approach shifts from periodic reviews to continuous visibility. Not because reviews lack value, but because in environments where access changes constantly, point-in-time checks miss too much.
How Firms Operationalize Directory and Data Security
Some firms address these requirements using specialized tools built specifically for Active Directory visibility and auditing.
Lepide Auditor, for example, provides real-time tracking of Active Directory changes and maintains a complete audit trail of all modifications. It maps effective permissions, including nested groups and inheritance chains, showing not just that a user has access but why they have it and through which path. The platform maintains historical records, enabling firms to answer questions about who had access at specific points in time. Like most auditing solutions, it builds its historical view from the point it is deployed, creating a reliable and defensible record going forward rather than relying on manual reconstruction. When someone asks, “Who could access this folder six months ago?”, Lepide can provide the answer based on actual historical data rather than reconstruction attempts.
The system monitors for changes continuously, alerting security teams when permissions are modified, groups are restructured, or inheritance patterns change in ways that affect access. This enables proactive management rather than reactive discovery during audits or investigations.
This has practical implications for law firms. A conflicts attorney can check the validity of the ethical wall in place at a given time by checking historical access logs. An IT administrator can account for an associate’s access to a particular file folder by following the complete nested group path for that associate. Security teams looking into strange behaviour can see who had effective access to a record on the day of the incident.