PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Access permissions for users to the organization’s systems shall be defined and managed.
- key measure -
Guidance
The following should be considered:
- Draw up and review regularly access lists per system (files, servers, software, databases, etc.), possibly through analysis of the Active Directory in Windows-based systems, with the objective of determining who needs what kind of access (privileged or not), to what, to perform their duties in
the organization.
- Set up a separate account for each user (including any contractors needing access) and require that strong, unique passwords be used for each account.
- Ensure that all employees use computer accounts without administrative privileges to perform typical work functions. This includes separation of personal and admin accounts.
- For guest accounts, consider using the minimal privileges (e.g. internet access only) as required for your business needs.
- Permission management should be documented in a procedure and updated when appropriate.
- Use 'Single Sign On' (SSO) when appropriate.

Where feasible, automated mechanisms shall be implemented to support the management of user accounts on the organisation's critical systems, including disabling, monitoring, reporting and deleting user accounts.
Guidance
Consider separately identifying each person with access to the organization's critical systems with a username to remove generic and anonymous accounts and access.

Account usage restrictions for specific time periods and locations shall be considered in the organization's security access policy and applied accordingly.
Guidance
Specific restrictions can include, for example, restricting usage to certain days of the week, time of day, or specific durations of time.

It shall be identified who should have access to the organization's business's critical information and technology and the means to get access.
Guidance
Means to get access may include: a key, password, code, or administrative privilege.

Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).
Guidance
- The principle of Least Privilege should be understood as the principle that a security architecture should be designed so that each employee is granted the minimum system resources and authorizations that the employee needs to perform its function.
- Consider to:
- Not allow any employee to have access to all the business’s information.
- Limit the number of Internet accesses and interconnections with partner networks to the strict necessary to be able to centralize and homogenize the monitoring of exchanges more easily.
- Ensure that when an employee leaves the business, all access to the business’s information or systems is blocked instantly.

Separation of duties shall be ensured in the management of access rights.
Guidance
Separation of duties includes, for example:
- dividing operational functions and system support functions among different roles.
- conducting system support functions with different individuals.
- not allow a single individual to both initiate and approve a transaction (financial or otherwise).
- ensuring that security personnel administering access control functions do not also administer audit functions.

Nobody shall have administrator privileges for daily tasks.
Guidance
Consider the following:
- Separate administrator accounts from user accounts.
- Do not privilege user accounts to effectuate administration tasks.
- Create unique local administrator passwords and disable unused accounts.
- Consider prohibiting Internet browsing from administrative accounts.

Privileged users shall be managed, monitored and audited.