
AUTH-4 Least Privilege Access


What is this control about?

Access to data must be given according to roles and responsibilities. Not everyone needs access to all data. This process has to be carefully planned and thought out.

  • The least-privilege principle requires that users and programs have only the privileges necessary to complete their tasks
  • Role-based access requires that users and programs get access to data based on their roles and responsibilities
  • The administrative access principle requires that the organization divide users into ordinary users with basic access and administrators. The administrators must be few and have elevated access only to perform critical tasks

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them.

Authentication Tools
Azure AD

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no templates recommendation

Control implementation

Implement a process to enable different roles and rights on each system. There is no mandatory way of doing this, as long as there is a clear distinction between those with privileged rights and those without.

What evidence do auditors look for?

Most auditors, at a minimum, look for the suggested actions below:

Provide a screenshot of the system user configuration settings showing the different roles.

  • For each role, provide a screenshot of the access rights (read, write, etc.)
  • For each role, provide the list of users with that specific role
  • For any system or group account, provide the users within that group
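The control implementation and evidence items above can be backed by a simple role model. The following is an added example written for this page, not TrustCloud's or Azure AD's code: roles carry an explicit allow-list of rights, every permission check is deny-by-default, administrative roles are tracked separately, and one report function produces the three artefacts auditors ask for (rights per role, users per role, members of a group account). All user, role and group names are constructed.

```python
"""Minimal role-based access model illustrating least privilege.

Added example, not part of the TrustCloud page or any vendor tooling.
Every name and assignment below is constructed for illustration.
"""
from collections import defaultdict

# Rights a role may hold. Anything not listed for a role is denied.
ROLES = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "manage_users"},
}

# Roles considered administrative; per the control, these should stay few.
ADMIN_ROLES = {"admin"}

# Constructed user -> role assignment (one role per user keeps the model simple).
USER_ROLES = {
    "alice": "admin",
    "bob": "editor",
    "carol": "reader",
    "dave": "reader",
}

# Constructed group account -> members, for the "system or group account" item.
GROUPS = {
    "svc-backup": {"alice", "bob"},
}


def has_right(user, right):
    """Deny-by-default check: an unknown user or unknown role gets no rights."""
    role = USER_ROLES.get(user)
    return right in ROLES.get(role, set())


def users_by_role():
    """Evidence item: for each role, the list of users holding it."""
    out = defaultdict(list)
    for user, role in sorted(USER_ROLES.items()):
        out[role].append(user)
    # Roles nobody holds still appear, so the report shows the full role set.
    for role in ROLES:
        out.setdefault(role, [])
    return dict(out)


def admin_ratio():
    """Share of users holding an administrative role. A rising value signals
    that elevated access is drifting beyond the few who need it."""
    admins = [u for u, r in USER_ROLES.items() if r in ADMIN_ROLES]
    return len(admins) / len(USER_ROLES)


def evidence_report():
    """Assemble the three artefacts an auditor asks for in one structure."""
    return {
        "rights_per_role": {r: sorted(v) for r, v in ROLES.items()},
        "users_per_role": users_by_role(),
        "group_members": {g: sorted(m) for g, m in GROUPS.items()},
        "admin_ratio": admin_ratio(),
    }


def find_excess_rights(observed):
    """Compare rights observed on a system (e.g. read from its user
    configuration) against the role model. Returns, per user, any right
    held that the user's role does not grant: the least-privilege gap."""
    excess = {}
    for user, rights in observed.items():
        allowed = ROLES.get(USER_ROLES.get(user), set())
        extra = set(rights) - allowed
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    import json

    print(json.dumps(evidence_report(), indent=2))
    # Constructed observation: carol holds "write" although her role is reader.
    print(find_excess_rights({"carol": {"read", "write"}, "bob": {"read", "write"}}))
```

The `evidence_report()` output is the machine-readable counterpart of the screenshots requested above; `find_excess_rights()` is the check worth running before an audit, since it surfaces users whose effective rights exceed what their role grants.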

Evidence example

From the suggested action above, an example is provided below.

  1. Provide a screenshot of the system user configuration settings showing the different roles.

The example below shows the users and their roles and rights for a system:


AUTH 467 screenshot1

  2. Provide all users within a group:

AUTH 467 screenshot2
