---
id: access-control
name: Access Control
group: governance
status: active
last_verified: 2026-03-25
search_terms:
  - authorization
  - permissions
  - role-based access
---

## Summary

Requirement to restrict system and data access based on defined roles, responsibilities, and the principle of least privilege.

## What Counts

- Role-based access control (RBAC) implementation
- Regular access reviews and recertification
- Segregation of duties enforcement
- Audit logging of access events

## What Does Not Count

- Shared credentials or service accounts without oversight
- Access granted without documented justification