AUTH-6 Role-based Access Control

Estimated reading: 2 minutes 1821 views

What is AUTH-6 role-based access control about?

Role-based Access Control talks about how access to data must be granted according to roles and responsibilities. Not everyone needs access to all the data. This process has to be carefully planned and thought out.

  • The least-privilege principle requires that users and programs only have the necessary privileges to complete their tasks.
  • Role-based access requires that users and programs get access to data based on their roles and responsibilities.
  • The administrative access principle requires that the organization divide users into ordinary users with basic access and administrators. The administrators must be few and have elevated access to perform critical tasks.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, as we haven’t used them. 

Authentication Tools
Okta
Duo
Auth0
Azure AD

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

  • N/A – no template recommendation

Control implementation

To implement this control,

Implement a process to enable different roles and rights on each system. There is no mandatory way of doing this, as long as there is a clear distinction between those with privileged rights and those without.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

  1. Provide a screenshot of the system user configuration settings, showing the different roles.
    • For each role, provide a screenshot of the access rights (read, write, etc.).
    • For each role, provide the list of users with that specific role.
    • For any system or group account, provide the users within that group.

Evidence example

For the suggested action, an example is provided below:

  1. Provide a screenshot of the system user configuration settings, showing the different roles.
    The following screenshot shows the users and their roles and rights for a system:
    Google search
    AUTH 6 Role based Access Control 01
    The following screenshot shows all users, their roles, and their rights within a
    group.
    AUTH 6 Role based Access Control 02

 

Join the conversation

ON THIS PAGE
SHARE THIS PAGE

SUBSCRIBE
FlightSchool
OR