PR.AC-4: Access Permission Management — NIST Cybersecurity Framework
Access permission management is foundational to preventing unauthorized activity and data breaches. PR.AC-4 requires organizations to enforce least privilege and separation of duties principles when granting and maintaining user access rights. For SMBs managing multiple systems and users, implementing this control prevents privilege creep and reduces insider risk.
What this means
PR.AC-4 mandates that your organization grant users only the minimum access necessary to perform their job functions (least privilege) and separate critical duties so no single person can complete a sensitive transaction alone (separation of duties). This control ensures access decisions are intentional, documented, and regularly reviewed to prevent unauthorized or excessive permissions from accumulating over time.
How to comply
- 1.Document all job roles and map required system and data access for each role
- 2.Implement role-based access control (RBAC) to assign permissions by position rather than individual need
- 3.Establish and enforce a principle that users receive only the minimum permissions required for their duties
- 4.Separate incompatible duties so that approval, execution, and reconciliation functions are assigned to different people
- 5.Conduct quarterly access reviews to identify and revoke unnecessary or outdated permissions
- 6.Require management approval and documented justification before granting elevated or special access
- 7.Log all access permission changes and maintain an audit trail for compliance verification
Evidence auditors look for
- Role definitions and RBAC matrices showing job function mapping to system permissions
- Access request and approval workflow with documented business justification
- User access lists by system showing assigned roles and privilege levels
- Separation of duties policy identifying incompatible roles (e.g., requester vs. approver)
- Quarterly access review reports with sign-off from business owners or managers
- Access removal documentation when employees change roles or leave the organization
- System audit logs showing permission grants, modifications, and revocations with timestamps and approvers
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access permission reviews and tracks all user role assignments and changes in a centralized dashboard, eliminating manual spreadsheets and ensuring your organization can prove least privilege and separation of duties on demand.
See how GRCWatch handles this control automatically
Start free trial