6.8
IG3

Define and Maintain Role-Based Access Control

Asset Type: Data
Security Function: Protect

Description

Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Define access control requirements based on least privilege
7. Implement role-based access control (RBAC)
8. Configure access review and recertification process
9. Monitor and audit privileged access usage

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Privilege Creep Leading to Unauthorized Data Access

Confidentiality

Without defined role-based access, users accumulate permissions over time as they move between teams, eventually holding excessive access that violates least privilege principles.

Insider Threat Amplified by Undefined Access Boundaries

Confidentiality

A malicious insider exploits vaguely defined access rights to access data and systems far beyond their actual job requirements, since no RBAC model restricts them to necessary access.

Compliance Failure from Undocumented Access Rights

Integrity

Regulatory auditors find access rights are not documented by role, making it impossible to demonstrate least-privilege compliance with frameworks like SOX, HIPAA, or PCI DSS.

Vulnerabilities (When Safeguard Absent)

No Role-Based Access Control Model Defined

Without defined roles mapping job functions to required access rights, permissions are granted ad-hoc based on individual requests rather than standardized role requirements.

No Recurring Access Privilege Review Process

Without annual or more frequent access reviews validating privileges against role definitions, accumulated permissions are never identified or revoked.
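The following script is an added example, not CIS Controls material, showing the mechanics behind checklist items 6 to 9 and the two vulnerabilities above: it compares each user's effective entitlements against the entitlements their documented roles allow, flags anything in excess (privilege creep) or granted outside any role (ad-hoc access), escalates excess that is privileged, checks whether the review cadence has lapsed, and produces a recertification record for sign-off. The role model, user-role assignments, entitlement export, user names and entitlement labels are all constructed sample data; in practice the entitlement export would be pulled from the directory or each application's admin console.

```python
"""Recurring RBAC access review: flag entitlements that exceed a user's documented
role (privilege creep) and record the review for sign-off.

Added example, not CIS Controls material. The role model, user-role assignments
and entitlement export below are constructed sample data.
"""
from datetime import date

# Constructed role definitions: each role lists only the entitlements its duties need.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ad:reset-password", "ticketing:agent"},
    "finance-analyst": {"erp:read-ledger", "erp:post-journal"},
    "db-admin": {"db:admin", "ad:reset-password"},
}

# Constructed user -> assigned roles (the documented, approved access per person).
USER_ROLES = {
    "alice": ["finance-analyst"],
    "bob": ["helpdesk"],
    "carol": ["db-admin"],
}

# Constructed export of effective entitlements as actually configured.
ACTUAL_ENTITLEMENTS = {
    "alice": {"erp:read-ledger", "erp:post-journal", "db:admin"},  # db:admin kept from a former team
    "bob": {"ad:reset-password", "ticketing:agent"},
    "carol": {"db:admin", "ad:reset-password"},
    "dave": {"erp:read-ledger"},  # holds access but has no role assigned at all
}

# Entitlements treated as privileged; excess here is escalated rather than only logged.
PRIVILEGED = {"db:admin", "ad:reset-password"}

# Constructed review dates used by the stand-alone run below.
LAST_REVIEW = date(2024, 1, 15)
REVIEW_DATE = date(2025, 3, 1)


def expected_entitlements(user, user_roles=USER_ROLES, role_entitlements=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted by every role assigned to the user."""
    expected = set()
    for role in user_roles.get(user, []):
        expected |= role_entitlements[role]
    return expected


def run_access_review(actual=ACTUAL_ENTITLEMENTS, user_roles=USER_ROLES,
                      role_entitlements=ROLE_ENTITLEMENTS, privileged=PRIVILEGED):
    """Return one finding per user whose effective access deviates from their roles.

    A finding lists the excess entitlements (privilege creep), which of those are
    privileged, and whether the user has no role at all (ad-hoc access). Users
    whose access matches their roles produce no finding.
    """
    findings = []
    for user, granted in sorted(actual.items()):
        expected = expected_entitlements(user, user_roles, role_entitlements)
        excess = granted - expected
        no_role = user not in user_roles
        if excess or no_role:
            findings.append({
                "user": user,
                "excess": excess,
                "privileged_excess": excess & privileged,
                "no_role": no_role,
            })
    return findings


def review_overdue(last_review, today, max_interval_days=365):
    """True when the last review is older than the required cadence (annual by default)."""
    return (today - last_review).days > max_interval_days


def recertification_record(findings, reviewer, review_date):
    """Build the review record the reviewer signs off; listed excess is to be revoked."""
    return {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "users_with_findings": [f["user"] for f in findings],
        "revocations": {f["user"]: sorted(f["excess"]) for f in findings if f["excess"]},
        "signed_off": False,  # flipped to True once the reviewer approves the revocation list
    }


if __name__ == "__main__":
    if review_overdue(LAST_REVIEW, REVIEW_DATE):
        print("Access review is overdue; running now.")
    findings = run_access_review()
    for f in findings:
        print(f"{f['user']}: excess={sorted(f['excess'])} "
              f"privileged={sorted(f['privileged_excess'])} no_role={f['no_role']}")
    print(recertification_record(findings, "iam-lead", REVIEW_DATE))
```

The record returned by `recertification_record` is the artefact the Evidence Requirements section below asks for (review records with sign-off); keeping `signed_off` false until a named reviewer approves the revocation list keeps the review and the approval as two separate, auditable steps.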

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
----------|--------------------------------------------------------------------------|---------------------
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Record    | Access review/recertification records with sign-off                      | Quarterly
Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually