Go to kintent.com

Docy Child

Updated on February 28, 2023

AUTH-6 Role Based Access

Estimated reading: 2 minutes 545 views

What is this control about?

Access to data must be given according to roles and responsibilities. Not everyone needs access to all data. This process has to be carefully planned and thought out.

  • The least-privilege principle requires that users and programs should only have the necessary privileges to complete their tasks
  • Role-based access requires that user and programs get access to data based on their roles and responsibilities
  • Administrative access principle requires that the organization divide users into ordinary users with basic access and administrators. The administrators must be few and have elevated access to perform critical tasks

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

Authentication Tools
Okta
Duo
Auth0
Azure AD

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no templates recommendation

Control implementation

Implement a process to enable different roles and rights on each systems. There is no mandatory way of doing this, as long as there is a clear distinction between those with privilege rights and those without.

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

Provide a screenshot of the system user configuration settings showing the different roles.

  • For each role, provide a screenshot of the access rights (read, write, etc.)
  • For each role, provide the list of users with that specific role
  • For any system or group account, provide the users within that group

Evidence example

From the suggested action above, an example is provided below.

  1. Providing a screenshot of the system user configuration settings showing the different roles.

Example demonstrates the users and their roles and rights for a system:

Google search

AUTH 467 screenshot1

Provide all users within a group

AUTH 467 screenshot2

 

Logical Access - Previous AUTH-4 Least Privilege Access Next - Logical Access AUTH-13 Automatic account lockout

Join the conversation

ON THIS PAGE
SUBSCRIBE
FlightSchool
SHARE THIS ARTICLE
Twitter Facebook LinkedIn
FlightSchool by TrustCloud

FlightSchool is the fun way to learn about compliance, trust, and TrustCloud’s products.

© 2023 TrustCloud Corporation. All rights reserved.
TrustOps® is a registered trademark of TrustCloud Corporation.

FlightSchool RSS Feed

TOPICS

Platform

ABOUT US

AICPA
Monitored by TrustCloud

❤️  Joyfully crafted by a 100% distributed team.