Access Control Policy (RBAC/ABAC)

Document ID: ACP-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________

1. Purpose

The purpose of this Access Control Policy is to ensure that access to organizational systems, applications, data, networks, and physical resources is granted only to authorized individuals based on legitimate business needs.

This policy establishes a consistent framework for managing identities, permissions, authentication, authorization, and access reviews while supporting the principles of least privilege, separation of duties, and zero trust.

2. Scope

This policy applies to:

All employees
Contractors
Temporary workers
Consultants
Vendors
Third-party service providers
Managed Service Providers (MSPs)
Interns
Board members
Any individual granted access to company resources

This policy applies to:

Cloud services
SaaS applications
Internal applications
Databases
File storage
Email systems
End-user devices
Servers
Network equipment
VPNs
Identity providers
Physical access systems

3. Policy Statement

Access to company resources shall be granted only when required for legitimate business purposes and approved through established authorization processes.

Access permissions shall be assigned according to organizational roles and business responsibilities and shall be regularly reviewed to ensure continued appropriateness.

No user shall receive greater access than necessary to perform assigned job duties.

4. Guiding Principles

The organization adopts the following access control principles:

Least Privilege
Need-to-Know
Zero Trust
Default Deny
Separation of Duties
Continuous Verification
Accountability
Periodic Access Validation

5. Access Control Models

The organization may implement one or more of the following authorization models depending on business requirements.

5.1 Role-Based Access Control (RBAC)

Access permissions are assigned according to predefined organizational roles.

Examples include:

Human Resources
Accounting
Marketing
Sales
Customer Service
IT Support
System Administrator
Executive Leadership

Each role shall have a documented set of approved permissions.

5.2 Attribute-Based Access Control (ABAC)

Where greater flexibility is required, access decisions may also consider attributes including:

User Attributes

Department
Job title
Employment status
Clearance level
Employment type

Resource Attributes

Data classification
Application type
System owner
Sensitivity level

Environmental Attributes

Time of day
Geographic location
Network location
Device health
VPN status
Multi-factor authentication status

Access decisions may combine multiple attributes before granting access.

6. Identity Management

Every individual shall have a unique identity.

Shared accounts should be avoided whenever technically possible.

Identity records shall include:

Full name
Employee ID (where applicable)
Department
Manager
Employment status
Assigned roles
Access approvals

7. User Account Lifecycle

7.1 Account Creation

Accounts shall be created only after:

Identity verification
Management approval
Business justification
Completion of onboarding requirements

7.2 Account Modification

Access shall be updated whenever:

Job responsibilities change
Department changes
Promotions occur
Temporary assignments begin or end
Organizational restructuring occurs

7.3 Account Disablement

Accounts shall be disabled promptly when:

Employment ends
Contractor engagement ends
Vendor contracts expire
Extended leave requires suspension
Security concerns arise

7.4 Account Deletion

Accounts may be permanently removed after:

Required retention periods
Legal requirements
Business needs
Audit requirements

8. Authentication Requirements

Users shall authenticate using approved authentication mechanisms.

These may include:

Username and password
Multi-factor authentication (MFA)
Smart cards
Passkeys
Biometrics
Certificate-based authentication
Hardware security keys

MFA shall be required for:

Administrative accounts
Remote access
VPN access
Cloud administration
Privileged systems
Financial systems
HR systems

9. Authorization

Authorization shall occur after successful authentication.

Access permissions shall be assigned based on:

Approved role
Business need
Data sensitivity
Risk level
Compliance requirements

10. Privileged Access

Privileged accounts require enhanced controls.

Examples include:

Domain administrators
Global administrators
Database administrators
Network administrators
Cloud administrators
Security administrators

Additional safeguards include:

MFA
Justification for elevated access
Logging
Monitoring
Periodic review
Separate administrative accounts

11. Temporary Access

Temporary elevated access shall:

Have documented justification
Receive management approval
Have defined expiration dates
Be automatically revoked when no longer needed

12. Third-Party Access

Third-party access shall be limited to:

Contractual requirements
Approved business purposes
Approved systems
Defined timeframes

Vendor access shall:

Be monitored
Be reviewed regularly
Require MFA where feasible
Follow least privilege principles

13. Remote Access

Remote access shall require:

Secure authentication
MFA
Approved devices where applicable
Encrypted communications
VPN or equivalent secure access
Compliance with endpoint security requirements

14. Physical Access

Physical access controls shall protect:

Offices
Data centers
Server rooms
Network closets
Records storage
Restricted workspaces

Physical controls may include:

Key cards
Biometrics
Visitor logs
Security cameras
Security personnel

15. Access Reviews

Managers and system owners shall periodically review user access.

Reviews should verify:

Appropriate permissions
Role accuracy
Unused accounts
Dormant accounts
Privileged access
Third-party accounts

Access reviews should occur:

At least annually
After organizational changes
Following security incidents
During audits

Higher-risk systems may require more frequent reviews.

16. Segregation of Duties

Critical business processes shall separate incompatible responsibilities.

Examples include:

Creating vendors and approving payments
Requesting purchases and approving purchases
Creating users and approving users
Software development and production deployment
Financial transactions and reconciliation

17. Logging and Monitoring

Access activities shall be logged where technically feasible.

Events may include:

Successful logins
Failed logins
Privileged access
Account creation
Permission changes
Account lockouts
Administrative actions
Access denials

Logs shall be protected from unauthorized modification.

18. Emergency Access

Emergency access (“break glass” accounts) shall:

Be documented
Be tightly controlled
Require executive approval where feasible
Be monitored
Be reviewed after each use
Be secured with strong authentication

Emergency credentials shall be stored securely.

19. Access Requests

Access requests shall include:

Business justification
Requested resources
Requested permissions
Manager approval
System owner approval where applicable

Requests shall be documented and retained according to organizational record retention requirements.

20. Compliance

Access controls shall support applicable legal, regulatory, contractual, and organizational requirements, including customer obligations and industry standards where relevant.

21. Exceptions

Exceptions to this policy require:

Documented business justification
Risk assessment
Management approval
Information Security approval (where applicable)
Defined review period
Compensating controls when appropriate

Approved exceptions shall be reviewed periodically.

22. Roles and Responsibilities

Executive Management

Approve access control governance
Support policy enforcement
Allocate appropriate resources

Managers

Approve access requests
Validate employee access
Notify IT of personnel changes
Participate in periodic access reviews

Human Resources

Notify IT of hires, transfers, leaves, and terminations
Support timely onboarding and offboarding processes

IT Department

Provision and deprovision accounts
Manage identity systems
Implement technical access controls
Maintain authentication infrastructure
Conduct periodic access reviews

Information Security

Define access control standards
Monitor privileged access
Investigate access-related incidents
Assess policy compliance

Employees and Users

Protect authentication credentials
Use only authorized accounts
Report suspected unauthorized access
Comply with this policy

23. Policy Violations

Violations of this policy may result in:

Removal of access
Corrective action
Disciplinary measures
Contract termination
Legal action where applicable

24. Policy Review

This policy shall be reviewed at least annually or following:

Significant organizational changes
Regulatory changes
Security incidents
Technology changes
Audit findings

25. Related Policies

Information Security Policy
Identity and Authentication Policy
Password Policy
Multi-Factor Authentication (MFA) Policy
Privileged Access Management (PAM) Policy
Acceptable Use Policy
Remote Access Policy
Third-Party Risk Management Policy
Joiner, Mover, Leaver (JML) Policy
Data Classification Policy
Incident Response Policy
Logging and Monitoring Policy

This policy is written to be vendor-neutral and suitable for organizations of varying sizes. It can serve as a foundational access control policy and be extended with technical standards (e.g., for specific identity providers, RBAC role definitions, or ABAC rule sets) as the organization’s access management program matures.