Users can only perform the transactions and functions their job requires.
What it actually means
Getting in the door isn't the same as having the run of the house. Each role should be able to do only what that job needs: least privilege, enforced through role-based access control in your identity provider and applications. What an assessor checks is that permissions map to job duties and that the mapping is written down. "Permissions" here means what a user can actually do, including direct grants and group memberships outside the named role, not just the role's title.
Pass or fail — an assessor needs a "yes" to each
- Roles (or per-application permissions) are defined and mapped to job duties.
- Users are assigned the minimum permissions their role requires.
- Role definitions are documented and reviewed periodically.
What to have ready
- Role/permission matrix tied to job functions
- Identity-provider role assignments and app permission settings
- Evidence of periodic access review (when it ran, who reviewed, and what was removed)
Where teams trip up
- Everyone is an admin or has broad blanket access
- Permissions accrete over time and are never pruned
- No documentation of what each role is allowed to do
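As an added illustration (not code from this page or from any assessor or product), the following script compares an identity-provider export against a documented role/permission matrix and reports the three failure modes listed above: blanket access, permissions that accrued outside any assigned role, and roles with no documented definition. The role names, permission strings, and export format are constructed assumptions; a real export would need to be mapped into the same shape.

```python
"""Access-review check against a documented role/permission matrix.

Added example, not from the page or any product. The matrix, the export
format and all names below are constructed sample data.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str, str]  # (user, finding type, detail)

# Constructed role/permission matrix: the documented artifact an assessor asks for.
# A role that legitimately grants everything is documented as such, not hidden.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "ap_clerk": {"invoices:read", "invoices:create"},
    "ap_manager": {"invoices:read", "invoices:create", "invoices:approve", "reports:read"},
    "helpdesk": {"users:read", "users:reset_password"},
    "sysadmin": {"*"},
}

# Grants that amount to "everything"; holding one is blanket access regardless of role.
BLANKET_GRANTS: Set[str] = {"*", "admin:*"}

# Constructed identity-provider export: assigned roles plus any direct, out-of-role grants.
IDP_EXPORT: List[dict] = [
    {"user": "alice", "roles": ["ap_clerk"], "direct_grants": []},
    {"user": "bob", "roles": ["ap_clerk"], "direct_grants": ["invoices:approve"]},  # accreted grant
    {"user": "carol", "roles": ["sysadmin"], "direct_grants": []},
    {"user": "dave", "roles": ["helpdesk", "legacy_ops"], "direct_grants": ["*"]},  # undocumented role + wildcard
]


def documented_permissions(roles: List[str], matrix: Dict[str, Set[str]]) -> Tuple[Set[str], List[str]]:
    """Union of permissions the matrix documents for these roles, plus any roles it does not define."""
    perms: Set[str] = set()
    unknown: List[str] = []
    for role in roles:
        if role in matrix:
            perms |= matrix[role]
        else:
            unknown.append(role)
    return perms, unknown


def review_user(entry: dict, matrix: Dict[str, Set[str]]) -> List[Finding]:
    """Flag undocumented roles, blanket access, and grants the user's roles do not justify."""
    user = entry["user"]
    findings: List[Finding] = []
    documented, unknown = documented_permissions(entry["roles"], matrix)
    for role in unknown:
        findings.append((user, "undocumented_role", role))
    effective = documented | set(entry["direct_grants"])
    for grant in sorted(effective & BLANKET_GRANTS):
        findings.append((user, "blanket_access", grant))
    # Excess = held but not explained by any assigned role (blanket grants are reported above).
    for grant in sorted(effective - documented - BLANKET_GRANTS):
        findings.append((user, "excess_permission", grant))
    return findings


def review(export: List[dict], matrix: Dict[str, Set[str]]) -> List[Finding]:
    """Run the per-user check over the whole export."""
    findings: List[Finding] = []
    for entry in export:
        findings.extend(review_user(entry, matrix))
    return findings


def blanket_share(export: List[dict], matrix: Dict[str, Set[str]]) -> float:
    """Fraction of users holding blanket access; a high value is the "everyone is an admin" failure."""
    holders = 0
    for entry in export:
        documented, _ = documented_permissions(entry["roles"], matrix)
        if (documented | set(entry["direct_grants"])) & BLANKET_GRANTS:
            holders += 1
    return holders / len(export) if export else 0.0


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by type; an empty result is what a passing review looks like."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    for user, kind, detail in review(IDP_EXPORT, ROLE_MATRIX):
        print(f"{user:8} {kind:20} {detail}")
    print("blanket access share:", blanket_share(IDP_EXPORT, ROLE_MATRIX))
    print(summarize(review(IDP_EXPORT, ROLE_MATRIX)))
```

The output of a run is itself the access-review evidence: keep the dated findings alongside the ticket that removed each excess grant, and treat any undocumented role as a gap in the matrix to fix before the next review.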
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →