AM-17 Access Management

Application Access (RBAC)

Application functionality is granted by least-privilege role.

Domain: Access Management
Control type: Preventive
Automated / manual: Automated
Frequency: Per event
Framework reference: COBIT DSS05.04

What good looks like

Application access is role-based; roles map to least privilege and are reviewed.

Risk if it fails

Excessive functional access; in-app SoD breach.

How Tess tests it

4 tests — each concludes only on cited evidence.

Roles defined to least privilege

Design

Procedure: Inspect the role catalogue.
Expected: Documented least-privilege roles.
Sample: 1 (design inspection)
Evidence: Role definitions, entitlement extract.

User-role assignment matches job

Operating

Procedure: Sample users.
Expected: Assigned role appropriate to job.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Role definitions, entitlement extract.

Entitlements match role definition

Operating

Procedure: Reconcile entitlements to role.
Expected: No off-role access.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Role definitions, entitlement extract.

Role definitions reviewed

Operating

Procedure: Inspect review evidence.
Expected: Periodic review performed.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Role definitions, entitlement extract.

Evidence Tess looks for

Role definitions, entitlement extract.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-17 against your evidence?