When a person starts an employment relationship, he or she is granted access in a single step to all data systems that his or her role requires, rather than system by system.
Our organization has defined procedures for coordinating the actions required at the time of termination of employment, e.g.:
When offering cloud services, the organization should provide the technical implementation that enables the customer to manage its users' access rights within its own account.
The organization should also provide instructions and specifications for the use of these user management features (e.g. help articles, FAQs), for example on the available authentication methods, single sign-on capabilities and the different admin actions.
When offering cloud services, the organization should provide the technical implementation that enables the customer to manage user registration to and deregistration from the service.
The organization should also provide instructions and specifications for the creation and deletion of users (e.g. help articles, FAQs), for example on the different user levels, the user invitation process and the different admin actions.
Supervisors have been instructed to notify the owners of data systems in advance of significant changes in the employment relationships of their subordinates, such as promotions, demotions, termination of employment or other changes in the job role.
Based on the notification, the person's access rights can be updated either in the centralized management system or in the individual data systems.
The organization implements role-based access control: for each protected asset, predefined access roles determine who is entitled to access it. The strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management: