AM-06 Access Management

User Access Provisioning

Access is granted only on a documented, authorised, least-privilege basis.

What good looks like

New-user access is requested via ticket, approved by line manager and system/data owner before provisioning; entitlements match the approved role.

Unauthorised or excessive access; SoD conflicts; data leakage.

5 tests — each concludes only on cited evidence.

Design

Procedure: Inspect the provisioning workflow for a control gate.
Expected: No path to provision access without a logged request.
Sample: 1 (design inspection)
Evidence: Access request tickets, approvals, HR new-hire list, entitlement extract.

Design

Procedure: Inspect the matrix mapping system/role to required approver(s).
Expected: Matrix is current and approved.
Sample: 1 (design inspection)
Evidence: Access request tickets, approvals, HR new-hire list, entitlement extract.

Operating

Procedure: For each sampled joiner, compare request date to account-creation date.
Expected: Request consistently precedes provisioning.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Access request tickets, approvals, HR new-hire list, entitlement extract.

Operating

Procedure: Inspect approvals on each sampled request.
Expected: All required approvals present and from authorised approvers.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Access request tickets, approvals, HR new-hire list, entitlement extract.

Operating

Procedure: Reconcile granted entitlements to the request and role profile.
Expected: No access granted beyond what was approved.
Sample: Judgmental, by population (e.g. 10–25)
Evidence: Access request tickets, approvals, HR new-hire list, entitlement extract.

Access request tickets, approvals, HR new-hire list, entitlement extract.

Want Tess to test AM-06 against your evidence?