
Custom User Access Management Systems for UK Businesses

Custom user access management systems for UK businesses. Replace per-user SaaS licensing with software you own. RBAC, SSO, MFA, audit trails and HR integration built around your workflows.


When you have fifty employees, managing access in a spreadsheet is annoying but workable. When you have two hundred, it becomes a genuine security risk. People leave and keep their logins. Contractors get blanket access because nobody has time to set up scoped permissions. An auditor asks who accessed what, and the answer takes a week of digging through multiple systems.

That is usually the point when businesses start looking at identity and access management software. The problem is that most off-the-shelf tools solve the general case, not yours.

We build user access management systems that match how your organisation actually works — your approval chains, your role structures, your compliance obligations. You pay once, you own the code, and you are not locked into someone else’s per-user pricing model.

Where off-the-shelf access management falls short

SaaS platforms like Okta, Microsoft Entra ID and OneLogin work well enough for standard setups: a few hundred users, mainstream SaaS applications, simple role structures. But as your organisation grows or your requirements get more specific, the cracks appear.

Per-user pricing scales against you. Okta charges £5-14 per user per month. At 500 users, that is £30,000-84,000 a year in licensing alone — and the cost grows linearly with every hire, contractor and seasonal worker. Azure AD is cheaper if you are already paying for Microsoft 365, but the premium tiers (P1, P2) still add up, and the feature boundaries between tiers are genuinely confusing.

Approval workflows are rigid. Most platforms support a simple manager-approves chain. If your business needs parallel approvals (manager plus security team plus budget holder), or conditional logic (step-up approval for access above a certain sensitivity level), you are either writing workarounds or submitting feature requests that never ship.

Legacy integrations cost a fortune. If you run a system that does not support SAML or OIDC — and many ERP, case management and industry-specific tools do not — the SaaS vendor will sell you a connector for £10,000-50,000, or tell you it is not supported. Each legacy integration that was assumed to take a week typically takes three to four.

Compliance features are generic. The audit trails are there, but they log “user accessed healthcare app”, not which patient records were viewed. Access review automation sends emails to managers, and 30% never respond. Segregation of duties violations get flagged but not corrected. Your compliance officer ends up reformatting generic exports into the specific evidence your auditor actually needs.

You are trusting someone else with your most sensitive system. Your identity platform controls access to everything. If the SaaS provider suffers an outage, every SSO-dependent application goes down. If they suffer a breach, your entire organisational structure and employee data is exposed. And if you ever want to leave, the proprietary export formats and migration costs (often £100,000+ in consulting) make switching painful.

These are not theoretical problems. They are the reasons most businesses we work with still manage permissions in spreadsheets alongside the software they are paying for.

What we build instead

We start with your actual processes. Before writing any code, we map how your team handles onboarding, permission changes, offboarding and access reviews. The system we build encodes those workflows rather than replacing them with generic templates.

You pay once and own the software. No per-user licensing. A 100-person company and a 1,000-person company pay the same hosting costs. The development investment is fixed, and your per-user cost falls to near zero as you grow.

Your data stays where you need it. We can host on Azure UK South, AWS London, your own data centre, or a combination. Identity data never has to leave the UK — which matters if you are subject to NHS, FCA or banking regulations that mandate UK data residency.

Compliance is specific, not generic. We build audit trails formatted for your actual certifying body: ISO 27001 access review evidence, ICO-ready provisioning and deprovisioning logs, PCI DSS quarterly review workflows, or HIPAA-grade patient record access tracking. Not a generic log export that your compliance team has to reformat.

It connects to what you already use. We integrate with Active Directory, LDAP directories, HR platforms, cloud services and business applications using SAML, OAuth 2.0, OIDC and SCIM. For legacy systems that lack modern protocols, we build custom bridges rather than telling you the integration is not available.

It grows with you. Need to add passwordless authentication, a new department structure, or a privileged access management layer next year? The system is modular. You extend it without waiting for a vendor’s roadmap or paying for a tier upgrade.

What the system includes

Every build is different, but these are the modules we deliver most often.

Single sign-on (SSO)

One login across your critical applications — SAML, OIDC or LDAP depending on what each application supports. Session management with configurable timeout policies. Single logout so closing one application does not leave others open.

Role-based and attribute-based access control

Permissions assigned by job function, department, seniority, location, or any combination your organisation needs. RBAC for straightforward structures, ABAC when you need more nuanced rules — for example, “regional managers can approve expenses in their region only.”

Multi-factor authentication

TOTP authenticator apps, SMS, WebAuthn hardware tokens, or biometric options depending on your security requirements. Adaptive MFA that steps up the challenge based on risk — unfamiliar device, unusual location, or access to sensitive resources.

Joiner-mover-leaver automation

When HR marks someone as hired, their accounts are provisioned automatically with the right role-based defaults. When someone changes department, their permissions update. When they leave, access is revoked across all connected systems — no tickets, no delays, no forgotten accounts sitting active for months.

Self-service portal

Staff reset passwords, set up MFA, and request permission changes without calling IT. Requests route through whatever approval chain you define. Password resets that took five steps in your old system take one.

Approval workflows

Multi-level, parallel, or conditional approval chains for access requests. Manager plus security team plus budget holder, if that is what you need. Escalation rules so an approver on holiday does not block an entire team. Full audit trail of every decision.

Audit logging and compliance reporting

Every access event logged with who, what, when, where and why. Configurable retention (typically one to two years for ICO and ISO 27001). Tamper-evident logs for regulated industries. Pre-formatted compliance reports rather than raw log exports.

Temporary and time-limited access

Scoped permissions for contractors, project teams, or cross-department work. Access revokes automatically when the period ends. Emergency “break glass” access for critical situations, with mandatory incident logging.

Privileged access management

Password vaulting for admin and service accounts. Just-in-time privilege escalation with approval workflows. Session recording for privileged actions. Automatic credential rotation on a schedule you control.

Usage analytics and security monitoring

A dashboard showing who is accessing what, failed login patterns, inactive accounts, and permission usage. Impossible travel detection and unusual access alerts. Metrics on onboarding velocity and access review completion rates.

Integration connectors

Connections to your HR platform, Active Directory, cloud services, SaaS applications and business systems. Custom API bridges for legacy tools that lack modern protocol support. Webhook-driven event automation for real-time provisioning.
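As an added illustration (not code from this page or from ByteGears), the Python below shows how several of the rules described in these modules combine in one policy evaluator: the ABAC rule that regional managers approve expenses only in their own region, time-limited access that simply stops working when its window ends, a segregation-of-duties check, step-up MFA for high-sensitivity resources, and a who/what/when/where/why audit entry for every decision, allowed or denied. All class, field and function names are assumptions for the example, and the sample users and expenses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    region: str
    mfa_verified: bool = False
    access_until: "datetime | None" = None  # None means a permanent grant

@dataclass(frozen=True)
class Resource:
    kind: str         # e.g. "expense"
    region: str
    owner_id: str     # who submitted it
    sensitivity: str  # "normal" or "high"

AUDIT_LOG = []  # who, what, when, where, why for every decision, allowed or not

def decide(subject, action, resource, now):
    """Evaluate one request. Default deny; every outcome is appended to AUDIT_LOG."""
    allowed, reason = False, "no matching rule (default deny)"
    if subject.access_until is not None and now >= subject.access_until:
        reason = "time-limited access expired"          # contractor window closed
    elif action == "approve" and resource.owner_id == subject.user_id:
        reason = "segregation of duties: cannot approve own " + resource.kind
    elif (action == "approve" and resource.kind == "expense"
          and "regional_manager" in subject.roles):
        if resource.region != subject.region:
            reason = "regional_manager may only approve in own region"
        elif resource.sensitivity == "high" and not subject.mfa_verified:
            reason = "step-up MFA required for high-sensitivity resource"
        else:
            allowed, reason = True, "regional_manager approving in own region"
    AUDIT_LOG.append({"who": subject.user_id, "what": f"{action}:{resource.kind}",
                      "when": now.isoformat(), "where": resource.region,
                      "why": reason, "allowed": allowed})
    return allowed, reason

# Constructed sample data, not taken from any real deployment.
NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
ALICE = Subject("alice", frozenset({"regional_manager"}), "north", mfa_verified=True)
BOB = Subject("bob", frozenset({"regional_manager"}), "south")
CAROL = Subject("carol", frozenset({"regional_manager"}), "north",
                access_until=datetime(2024, 5, 31, tzinfo=timezone.utc))

def sample_decisions():
    north = Resource("expense", "north", "dave", "normal")
    return {
        "in_region": decide(ALICE, "approve", north, NOW),
        "wrong_region": decide(BOB, "approve", north, NOW),
        "expired_grant": decide(CAROL, "approve", north, NOW),
        "own_expense": decide(ALICE, "approve", Resource("expense", "north", "alice", "normal"), NOW),
        "high_with_mfa": decide(ALICE, "approve", Resource("expense", "north", "dave", "high"), NOW),
        "high_no_mfa": decide(BOB, "approve", Resource("expense", "south", "dave", "high"), NOW),
    }
```

The order of the checks matters: an expired grant is refused before any role rule is consulted, and a denial is logged with the same detail as an approval so an access review can see attempts as well as successes.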

How the build works

Discovery and planning (2-4 weeks)

We audit your current access management setup — the systems, the spreadsheets, the workarounds. We document your role structures, approval chains and compliance requirements. We identify which integrations are standard and which need custom bridges, and scope the MVP.

Phase 1: Core system (8-12 weeks)

SSO for your critical applications, user directory integration, basic RBAC, audit logging and an admin console. You get a working system that handles authentication and core access control. Regular check-ins throughout so you can steer the build.

Phase 2: Automation and governance (8-12 weeks)

HR integration for joiner-mover-leaver automation, MFA, approval workflows, access review cycles and extended application integrations. This is where the system starts saving your IT team real time.

Testing and deployment (2-3 weeks)

Security testing, penetration testing on the authentication layer, and user acceptance trials with real staff before a phased rollout. We do not flip the switch all at once — we deploy department by department so issues surface in a controlled way.

Training and handover

End users get SSO and MFA training (one to two hours). IT administrators get hands-on training covering provisioning, policy management and reporting (two to five days). Managers learn the approval workflow. Documentation and recorded sessions provided.

Ongoing support

12 months of support and updates included. Most systems are designed so your administrators can adjust roles, policies and approval chains without developer involvement. Optional annual maintenance contracts after the first year.

Most projects go live with a core system in three to four months, with the full feature set delivered in five to seven months.

What it costs

Custom development costs more upfront than a SaaS subscription. But unlike SaaS, the cost does not grow with your headcount.

A core system (SSO, RBAC, audit logging, admin console) typically costs £25,000-60,000. A standard build with HR integration, automated provisioning, MFA and governance features runs £60,000-120,000. Complex deployments with privileged access management, extensive legacy integrations and detailed compliance reporting can reach £120,000-250,000+.

After that, hosting and infrastructure costs £3,000-8,000 a year. There are no per-user fees, no integration surcharges, and no premium support tiers.

For comparison, a 300-user organisation on Okta Essentials pays roughly £50,000 a year in licensing — before setup costs, integration add-ons and API overage charges. Over three years, that is £150,000+ for software you do not own and cannot modify. A custom build at £80,000 with £5,000 a year in hosting costs £95,000 over the same period, and the gap only widens as you grow.

Custom is not always the right answer. If you have fewer than 100 users, a simple SaaS application stack, and basic compliance needs, Okta or Azure AD Free will serve you well. But once your access logic gets specific, your headcount crosses 150-200 users, or your compliance requirements go beyond tick-box exercises, a bespoke build starts to make financial sense.

Book a free consultation and we will give you an honest assessment of whether custom is worth it for your situation.

Industries where bespoke access management makes the most difference

Healthcare

Patient data access restricted by staff role, care location and clinical specialty. Break-glass emergency access with mandatory incident logging. Audit trails that track which patient records were viewed, not just which application was opened. Automatic deprovisioning when clinicians leave. Integration with legacy EMR systems that lack modern SSO support.

Banking and financial services

Segregation of duties enforced by the system — no one can approve their own trades or transactions. Risk-based authentication that steps up MFA for high-value operations. Privileged access vaulting with session recording. Quarterly access review workflows with signed-off certification for PCI DSS and SOX. API key management with automatic rotation.

Legal and professional services

Matter-based access control where partners see only their clients’ files and junior staff get temporary access scoped to specific matters. AML and KYC audit logging. Automatic deprovisioning when staff rotate off a matter. Integration with case management systems like LexisNexis or Thomson Reuters without expensive SaaS connectors. Regulatory-ready reports for surprise inspections.

Education

Student lifecycle management tied to the academic calendar — automatic provisioning on enrolment, deprovisioning on graduation. Parent and guardian portals with scoped, read-only access to their child’s records. GDPR data deletion automation. Term-based access across multiple campuses with separate rules for staff and students. Integration with legacy learning management systems.

Manufacturing

Shift-aware access that grants and revokes permissions based on assigned shifts. Offline-capable authentication for production floors without reliable internet. Badge reader integration tied to the IT identity system. Audit trails formatted for ISO 9001 and supply chain compliance. Integration with ERP and manufacturing execution systems.

Charities and non-profits

Volunteer access to donor databases and CRM systems with automatic expiry dates. Scoped permissions so volunteers see only the data relevant to their role. GDPR-compliant data handling for donor and beneficiary records.

Property management

Tenant portals with document sharing controls and maintenance request routing. Regional manager access scoped by property portfolio. Temporary credentials for contractors and vendors with automatic revocation.

Local government

Citizen-facing service portals with internal delegation and escalation. Multi-site access control across departments with different security requirements. Audit trails formatted for public sector accountability standards.

Common Questions About Custom User Access Management Systems

How does custom development cost compare to SaaS access management?

SaaS platforms like Okta charge £5-14 per user per month, which means a 300-person organisation pays £18,000-50,000 a year in licensing alone. Over three to five years, that compounds well past the cost of a custom build. Our projects typically start from £25,000 for a core system, with hosting costs of £3,000-8,000 a year after that. The crossover point where custom becomes cheaper is usually around 150-250 users, and the gap widens as you grow because per-user costs disappear entirely.

What's the typical development timeline?

A core system covering SSO, RBAC, audit logging and an admin console takes 8-12 weeks. A standard build adding HR integration, automated provisioning, MFA and approval workflows runs 12-16 weeks. Complex deployments with privileged access management, legacy system bridges and detailed compliance reporting can take 16-24 weeks. We deliver in phases so you get a working system early, then extend it.

Can you integrate with our existing systems?

Yes. We regularly integrate with Active Directory, Azure AD, HR platforms like BambooHR and Workday, and business applications via SAML, OAuth 2.0, OIDC, LDAP and SCIM. For legacy systems that lack modern protocols, we build custom bridges — typically taking two to four weeks per system. We also connect to cloud platforms like AWS and Azure for infrastructure-level access control.

What about UK GDPR and data residency?

UK GDPR compliance is part of the core build: data subject access requests, right-to-be-forgotten workflows, consent management and configurable retention policies. Audit logs are retained for one to two years as the ICO expects. We can host entirely within the UK — on Azure UK South, AWS London, or on your own infrastructure — so identity data never leaves the country. For organisations subject to ISO 27001, Cyber Essentials or sector-specific standards like PCI DSS, we build the audit trails and access review workflows your certifying body needs.

What happens if the identity system goes down?

Because your identity system controls access to everything else, uptime matters more than most software. We design for high availability from the start — redundant infrastructure, database replication and fallback authentication routes. Unlike SaaS platforms where an outage at the provider's end locks out your entire organisation, a self-hosted system means you control the uptime, the maintenance windows and the failover.

Do you provide training for our team?

Yes. We train end users on SSO login, password reset and MFA setup (typically one to two hours via video and documentation). IT administrators get hands-on training covering user provisioning, policy management, auditing and reporting, usually over two to five days. Managers are trained on the approval workflow. All training materials, including documentation and recorded sessions, are provided for future reference.

Thinking about custom user access management systems?

Tell us what's breaking in your current setup. We'll tell you honestly whether a bespoke user access management system build is the right move — or whether something simpler will do.

Why Choose ByteGears?

No Monthly SaaS Fees

One-time investment, lifetime ownership

UK-Based Support Team

Local experts who understand your market

GDPR Compliant

Built with UK data protection in mind

Custom-Built for Your Workflow

Tailored to your specific business processes
