Access Control Policy

Last updated: January 15, 2026

Document owner: Chief Information Security Officer (CISO)
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Annual, and upon material changes to access control architecture or regulatory requirements
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com


Definitions

Term | Definition
--- | ---
Access Control | Security technique regulating who can view or use resources
Authentication | Process of verifying the identity of a user, process, or device
Authorization | Process of granting or denying access to a specific resource
ABAC | Attribute-Based Access Control, access decisions based on attributes
CRUD | Create, Read, Update, Delete - standard data operations
DAC | Discretionary Access Control, owner-determined access permissions
Entitlement | A right or permission granted to a user or system
FIDO2 | Fast Identity Online 2, passwordless authentication standard
IAM | Identity and Access Management, framework for managing digital identities
IdP | Identity Provider, system managing user identities and authentication
JIT | Just-in-Time, access provisioning when needed for limited duration
Joiner-Mover-Leaver | Lifecycle events for access management
Least Privilege | Providing minimum access necessary to perform duties
MAC | Mandatory Access Control, system-enforced access restrictions
MFA | Multi-Factor Authentication, requiring multiple verification methods
Need-to-Know | Restricting access to information necessary for job function
PAM | Privileged Access Management, controlling elevated access
PBAC | Policy-Based Access Control, rule-driven access decisions
Privilege Escalation | Obtaining higher access than initially authorized
RBAC | Role-Based Access Control, access based on organizational roles
SCIM | System for Cross-domain Identity Management, user provisioning protocol
Separation of Duties | Dividing critical tasks among multiple people
Service Account | Non-human account for automated processes
SSO | Single Sign-On, one authentication for multiple applications
Step-up Authentication | Additional verification for sensitive operations
TOTP | Time-based One-Time Password, MFA method using time-synchronized codes
WebAuthn | Web Authentication API, browser standard for FIDO2
Zero Trust | Security model requiring verification for all access attempts

Scope and Applicability

1.1 Policy Scope

This Access Control Policy applies to all access to Acme Cloud, Inc. ("Acme Cloud") information systems, including:

Scope Area | Coverage | Examples
--- | --- | ---
Production systems | Full policy | SaaS platform, databases, infrastructure
Staging environments | Full policy (with customer data) | Pre-production validation
Development systems | Partial policy | Development environments, CI/CD
Corporate systems | Full policy | Google Workspace, Slack, HR systems
Physical facilities | Physical access sections | Offices, data centers
Customer systems | Customer-facing features | Customer authentication, authorization

1.2 Personnel Scope

Personnel Type | Policy Application | Exceptions
--- | --- | ---
Full-time employees | Full policy | None
Part-time employees | Full policy | None
Contractors | Full policy + sponsor accountability | Time-bound access
Consultants | Limited policy per engagement | Project-specific access
Temporary workers | Limited policy | Time-bound, no privileged access
Vendors (on-site) | Physical access only | Escorted access
Customers | Customer access features | Self-service management

1.3 System Classification

Classification | Access Requirements | Examples
--- | --- | ---
Critical | Privileged access process, MFA required, audit logging, approval required | Production databases, encryption keys
High | Standard access process, MFA required, audit logging | Production application, customer support tools
Medium | Standard access process, MFA recommended | Internal wikis, project management
Low | Self-service access, basic authentication | Public documentation

Access Control Principles

2.1 Foundational Principles

Acme Cloud access control is built on the following principles:

Principle | Definition | Implementation
--- | --- | ---
Least Privilege | Grant minimum access necessary | Role-based access, regular reviews
Need-to-Know | Restrict information to those who require it | Data classification, access controls
Separation of Duties | Divide critical functions | Approval workflows, dual control
Defense in Depth | Multiple layers of controls | MFA, network segmentation, monitoring
Zero Trust | Verify explicitly, assume breach | Continuous verification, microsegmentation
Accountability | Every access traceable to an individual | Audit logging, no shared accounts

2.2 Zero Trust Architecture

Acme Cloud implements Zero Trust principles:

ZTA Tenet | Implementation | Verification
--- | --- | ---
Verify explicitly | Authenticate every request | Session validation, token verification
Use least privilege | JIT access, time-limited permissions | Access reviews, automatic expiration
Assume breach | Defense in depth, monitoring | SIEM, anomaly detection
Inspect and log all traffic | Network monitoring, API logging | VPC flow logs, API audit logs
Encrypt everything | TLS everywhere, encryption at rest | Certificate management, KMS
Segment networks | VPC isolation, microsegmentation | Network architecture review

2.3 Access Control Models

Model | Application | Scope
--- | --- | ---
RBAC (Role-Based) | Primary model for most access | All systems
ABAC (Attribute-Based) | Context-aware decisions | Production access, sensitive data
PBAC (Policy-Based) | Complex authorization rules | Multi-tenant isolation
DAC (Discretionary) | Limited to specific data sharing | Customer-configured sharing

Identity Management

3.1 Identity Providers

Identity Provider | Population | Use Case
--- | --- | ---
Okta | Acme Cloud workforce | Corporate SSO, workforce authentication
Acme Cloud Platform | Customers | Customer authentication
Customer IdP (SAML/OIDC) | Customer end users | Federated authentication
AWS IAM | Infrastructure | Service authentication
GitHub | Developers | Code repository access

3.2 Account Types

Account Type | Description | Lifecycle | MFA Requirement
--- | --- | --- | ---
User Account | Individual human identity | Joiner-mover-leaver | Required
Admin Account | Elevated privileges | Separate from user account | Required (FIDO2)
Service Account | Automated process identity | Change-controlled | N/A (API keys)
System Account | Infrastructure identity | Infrastructure-as-code | N/A (IAM roles)
Emergency Account | Break-glass access | Sealed, audited | Required
Shared Account | Prohibited | N/A | N/A

3.3 Account Naming Standards

Account Type | Naming Convention | Examples
--- | --- | ---
User accounts | firstname.lastname@acmecloud.com | john.smith@acmecloud.com
Admin accounts | firstname.lastname-admin@acmecloud.com | john.smith-admin@acmecloud.com
Service accounts | svc-{service}-{function}@acmecloud.com | svc-billing-processor@acmecloud.com
System accounts | sys-{system}-{environment} | sys-terraform-prod

3.4 Identity Lifecycle Management

Joiner Process (New Employee)

Step | Action | Timeline | Owner
--- | --- | --- | ---
1 | HR creates identity record | Pre-start date | HR
2 | Manager submits access request | 5 days before start | Manager
3 | Baseline access provisioned | Start date | IT Operations
4 | Security training assigned | Day 1 | Security Training
5 | Role-specific access granted | After training completion | System owners

Mover Process (Role Change)

Step | Action | Timeline | Owner
--- | --- | --- | ---
1 | HR updates role in system | Upon transfer | HR
2 | New manager requests new access | 5 days before transfer | New manager
3 | Old access flagged for review | Transfer date | Automated
4 | Access review with old manager | Within 5 days | Old manager
5 | Unnecessary access removed | Within 10 days | IT Operations

Leaver Process (Termination)

Step | Action | Timeline | Owner
--- | --- | --- | ---
1 | HR initiates termination | Before last day (voluntary) / Immediately (involuntary) | HR
2 | Access suspended | Within 4 hours / Immediately | IT Operations
3 | Manager validates data transfer | Within 24 hours | Manager
4 | Account disabled | After data transfer | IT Operations
5 | Account deleted | 30 days after termination | Automated

Authentication Requirements

4.1 Password Policy

Requirement | Standard | Privileged
--- | --- | ---
Minimum length | 14 characters | 16 characters
Complexity | Mixed case + numbers + symbols | Mixed case + numbers + symbols
Maximum age | 365 days | 180 days
History | 12 passwords | 24 passwords
Lockout threshold | 10 failed attempts | 5 failed attempts
Lockout duration | 30 minutes | Manual unlock required
Breach database check | Required | Required
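As an added example, not Acme Cloud's own code, the two columns of this table expressed as an enforceable check: length, complexity, breach-list and reuse rules for a proposed password, maximum age, and a lockout counter that unlocks after a timed interval for standard accounts but stays locked until manual action for privileged ones. The PBKDF2 storage scheme, the SHA-1-keyed breach list and the hour values are assumptions, not anything the policy specifies.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PasswordTier:              # one column of the 4.1 table
    min_length: int
    max_age_days: int
    history: int                 # previous passwords that may not be reused
    lockout_threshold: int       # failed attempts before lockout
    lockout_minutes: int | None  # None: manual unlock required

STANDARD = PasswordTier(14, 365, 12, 10, 30)
PRIVILEGED = PasswordTier(16, 180, 24, 5, None)

def _hash(pw: str, salt: bytes) -> bytes:  # PBKDF2 stands in for the IdP's real scheme (assumption)
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

@dataclass
class Account:
    tier: PasswordTier
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: list[bytes] = field(default_factory=list)  # newest first, current password included
    changed_at: datetime | None = None
    failures: int = 0
    locked_until: datetime | None = None  # datetime.max encodes "manual unlock required"

def password_violations(acct: Account, pw: str, breached: set[str]) -> list[str]:
    """Policy checks for a proposed new password; an empty list means compliant."""
    t, v = acct.tier, []
    if len(pw) < t.min_length:
        v.append(f"shorter than {t.min_length} characters")
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if not all(any(f(c) for c in pw) for f in classes):
        v.append("needs mixed case, numbers and symbols")
    if hashlib.sha1(pw.encode()).hexdigest() in breached:  # breach list keyed by SHA-1 (constructed)
        v.append("found in breach database")
    if _hash(pw, acct.salt) in acct.history[: t.history]:
        v.append(f"reuses one of the last {t.history} passwords")
    return v

def set_password(acct: Account, pw: str, breached: set[str], now: datetime) -> None:
    if v := password_violations(acct, pw, breached):
        raise ValueError("; ".join(v))
    acct.history = [_hash(pw, acct.salt)] + acct.history[: acct.tier.history - 1]
    acct.changed_at = now

def password_expired(acct: Account, now: datetime) -> bool:
    return acct.changed_at is None or now - acct.changed_at > timedelta(days=acct.tier.max_age_days)

def is_locked(acct: Account, now: datetime) -> bool:
    return acct.locked_until is not None and now < acct.locked_until

def record_failure(acct: Account, now: datetime) -> bool:
    """Count one failed login; returns True when the account is now locked."""
    acct.failures += 1
    if acct.failures >= acct.tier.lockout_threshold:
        mins = acct.tier.lockout_minutes
        acct.locked_until = datetime.max if mins is None else now + timedelta(minutes=mins)
        acct.failures = 0
    return is_locked(acct, now)
```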

4.2 Multi-Factor Authentication

MFA Method | Security Level | Approved For | Phishing Resistant
--- | --- | --- | ---
FIDO2/WebAuthn | Highest | All access, required for privileged | Yes
Okta Verify Push | High | All access | Partial (number matching)
TOTP (authenticator app) | Medium | Fallback only | No
SMS | Low | Not approved | No
Email OTP | Low | Not approved | No

MFA Requirements by Access Type:

Access Type | MFA Required | Approved Methods
--- | --- | ---
Corporate SSO | Yes | FIDO2, Okta Verify, TOTP
Production access | Yes | FIDO2 required
Customer account (admin) | Yes | FIDO2, Authenticator app
Customer account (user) | Configurable | Per customer policy
API access | Token-based | API keys, OAuth 2.0

4.3 Session Management

Parameter | Standard Session | Privileged Session
--- | --- | ---
Maximum duration | 12 hours | 4 hours
Idle timeout | 30 minutes | 15 minutes
Concurrent sessions | Limited per policy | Single session
Re-authentication | Sensitive actions | All actions
Session binding | Device + IP range | Device + IP + geolocation

4.4 Authentication Logging

Event | Logged Data | Retention
--- | --- | ---
Successful login | User, timestamp, IP, device, method | 2 years
Failed login | User (if known), timestamp, IP, reason | 2 years
MFA challenge | User, method, result, timestamp | 2 years
Password change | User, timestamp, IP | 7 years
Account lockout | User, timestamp, reason | 2 years
Session termination | User, timestamp, reason | 2 years

Authorization Framework

5.1 Role-Based Access Control (RBAC)

Acme Cloud implements hierarchical RBAC:

Role Level | Description | Example Roles
--- | --- | ---
Global roles | Organization-wide permissions | Admin, Security, Compliance
Department roles | Department-specific access | Engineering, Sales, Support
Project roles | Project-specific access | Project Owner, Contributor, Viewer
Resource roles | Individual resource access | Document Owner, Reviewer

5.2 Standard Role Definitions

Role | Description | Permissions | Assignment
--- | --- | --- | ---
Employee | Base corporate access | Email, chat, wiki, HR systems | Automatic on hire
Developer | Engineering team member | Code repos, CI/CD, dev environments | Engineering manager
Support Agent | Customer support | Support tools, read-only customer data | Support manager
Account Executive | Sales team | CRM, prospecting tools | Sales manager
System Administrator | Infrastructure management | Infrastructure admin, production read | IT director + CISO
Security Analyst | Security operations | Security tools, log access | CISO
Database Administrator | Database management | Database admin (specific DBs) | CTO + CISO
Super Admin | Maximum privilege | All systems | CEO + CISO approval

5.3 Role Assignment Process

Step 1: Access Request
1.1. User or manager submits access request
1.2. Request includes: role requested, business justification, duration
1.3. System validates requestor authorization

Step 2: Approval Workflow

Access Level | Approval Chain
--- | ---
Standard | Manager
Elevated | Manager + Data/System Owner
Privileged | Manager + Data/System Owner + Security
Super Admin | Manager + CISO + CEO

Step 3: Provisioning
3.1. Approved request triggers provisioning
3.2. Access granted per role definition
3.3. User notified of new access
3.4. Access logged for audit

5.4 Permission Matrix

Permission Type | Description | Examples
--- | --- | ---
Read | View data/resource | View reports, read documents
Create | Generate new data/resource | Create tickets, upload files
Update | Modify existing data/resource | Edit configurations, update records
Delete | Remove data/resource | Delete files, archive records
Admin | Full control including permissions | Manage users, configure settings
Execute | Run operations/processes | Trigger workflows, run reports

Privileged Access Management

6.1 Privileged Access Definition

Privilege Level | Definition | Examples
--- | --- | ---
Level 1 - Standard | Normal business operations | Email, documents, collaboration
Level 2 - Elevated | Access to sensitive data | Customer data, financial records
Level 3 - Privileged | Administrative capabilities | System configuration, user management
Level 4 - Super Privileged | Maximum access | Infrastructure admin, security admin

6.2 Just-in-Time (JIT) Access

All privileged access follows JIT principles:

JIT Parameter | Standard Privileged | Emergency Access
--- | --- | ---
Request required | Yes | Post-incident documentation
Approval required | Yes (within 4 hours) | Pre-approved for named individuals
Maximum duration | 8 hours | As needed (reviewed within 24 hours)
Automatic expiration | Yes | Yes
Session recording | Yes | Yes
Extension process | New request required | Documented justification

6.3 Privileged Access Workflow

Standard Privileged Access Request:

Step | Action | Timeline | SLA
--- | --- | --- | ---
1 | Submit request via PAM tool | User-initiated | N/A
2 | System validates entitlement | Automatic | Immediate
3 | Route to approver(s) | Automatic | Immediate
4 | Approver reviews and decides | Approver action | 4 hours
5 | If approved, credentials provisioned | Automatic | 5 minutes
6 | User accesses system (recorded) | User action | N/A
7 | Access auto-expires | Automatic | Per request
8 | Session logs archived | Automatic | Immediate

6.4 Break-Glass Procedures

Emergency access when normal procedures cannot be followed:

Step | Action | Verification
--- | --- | ---
1 | Retrieve sealed emergency credentials | Two-person rule
2 | Access system | Session recorded
3 | Perform emergency actions | Audit logged
4 | Exit and reseal credentials | Two-person verification
5 | Incident report within 24 hours | Security review
6 | Post-incident review | CISO review

6.5 Service Account Management

Requirement | Implementation | Verification
--- | --- | ---
Unique identity | One account per service/function | Naming convention
No interactive login | Programmatic access only | Account type
Secrets in vault | AWS Secrets Manager | Configuration audit
Automated rotation | 90-day rotation | Rotation logs
Owner assigned | Documented ownership | CMDB record
Access review | Quarterly | Review records

Access Reviews and Recertification

7.1 Review Schedule

Review Type | Scope | Frequency | Reviewer
--- | --- | --- | ---
Privileged access | All privileged accounts | Monthly | CISO or delegate
Production access | Production system access | Monthly | Security Operations
Application access | Business applications | Quarterly | Application owners
Role membership | RBAC role assignments | Quarterly | Managers
Service accounts | Automated account permissions | Quarterly | Service owners
Contractor access | All contractor accounts | Monthly | Sponsors
Dormant accounts | Inactive > 30 days | Monthly | Automated + Security

7.2 Access Review Process

Step 1: Review Initiation
1.1. System generates access review campaign
1.2. Reviewers notified via email
1.3. Review dashboard populated with entitlements

Step 2: Reviewer Actions
2.1. Reviewer examines each entitlement
2.2. For each: Certify (approve) or Revoke (remove)
2.3. Justification required for certifications

Step 3: Remediation
3.1. Revoked access removed within SLA
3.2. Incomplete reviews escalated
3.3. Completion reported to management

7.3 Review SLAs

Review Type | Completion SLA | Escalation Trigger | Remediation SLA
--- | --- | --- | ---
Privileged access | 5 business days | Day 3 | Same day
Production access | 7 business days | Day 5 | 2 business days
Application access | 10 business days | Day 7 | 5 business days
Dormant accounts | 5 business days | Day 3 | Same day

7.4 Access Review Metrics

Metric | Target | FY2025 Actual
--- | --- | ---
Review completion rate | 100% | 100%
On-time completion | 100% | 97.3%
Revocation rate | N/A (informational) | 8.2%
Escalation rate | < 10% | 2.8%
Remediation SLA adherence | 100% | 99.1%

Customer Access Control Features

8.1 Customer Authentication Options

Feature | Free | Professional | Enterprise
--- | --- | --- | ---
Username/password | Yes | Yes | Yes
MFA (TOTP) | Yes | Yes | Yes
MFA (FIDO2) | Yes | Yes | Yes
SSO (SAML 2.0) | No | Yes | Yes
SSO (OIDC) | No | Yes | Yes
Custom MFA policy | No | Basic | Full
Password policy customization | No | Limited | Full

8.2 Customer Authorization Features

Feature | Free | Professional | Enterprise
--- | --- | --- | ---
Role-based access | Basic (3 roles) | Standard (10 roles) | Custom roles
Team/group management | No | Yes | Yes
Permission customization | No | Limited | Full
API access controls | Basic | Standard | Advanced
IP allowlisting | No | No | Yes
Time-based access | No | No | Yes

8.3 Customer SSO Integration

SSO Component | Support Level | Documentation
--- | --- | ---
SAML 2.0 | Full support | docs.acmecloud.com/sso/saml
OIDC | Full support | docs.acmecloud.com/sso/oidc
JIT provisioning | Supported | Included with SSO
SCIM provisioning | Enterprise only | docs.acmecloud.com/scim
Group mapping | Enterprise only | Custom configuration
MFA passthrough | Supported | IdP-controlled

8.4 Customer Audit Logs

Event Type | Free Retention | Professional Retention | Enterprise Retention
--- | --- | --- | ---
Authentication events | 7 days | 90 days | 1 year + export
Authorization events | 7 days | 90 days | 1 year + export
Configuration changes | 7 days | 90 days | 1 year + export
Data access | Not available | 90 days | 1 year + export
Admin actions | 7 days | 90 days | 1 year + export

Monitoring and Enforcement

9.1 Access Monitoring

Monitoring Type | Scope | Alert Threshold | Response
--- | --- | --- | ---
Failed authentication | All systems | 5 failures in 10 minutes | Account lockout, investigation
Impossible travel | SSO logins | Login from distant location | Step-up auth, investigation
Privilege escalation | Production systems | Any unauthorized attempt | Block, immediate investigation
Off-hours access | Critical systems | Access outside business hours | Alert, verification required
Unusual data access | Customer data | Volume anomaly | Alert, investigation
Service account abuse | Automated accounts | Interactive login attempt | Block, investigation
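As an added illustration, not Acme Cloud's actual detection content, three rows of this table (failed authentication, service account abuse, off-hours access) implemented as detection logic over constructed authentication records; the service-account rule relies on the svc- prefix from the 3.3 naming standard. The key=value log layout, the 08:00 to 17:59 UTC business-hours window and the set of critical systems are assumptions.

```python
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records; the key=value layout is an assumption, not Acme Cloud's log schema.
SAMPLE_LOG = """\
2026-01-15T09:00:01Z user=john.smith ip=203.0.113.5 system=corp-sso result=FAIL kind=interactive
2026-01-15T09:01:12Z user=john.smith ip=203.0.113.5 system=corp-sso result=FAIL kind=interactive
2026-01-15T09:02:30Z user=john.smith ip=203.0.113.5 system=corp-sso result=FAIL kind=interactive
2026-01-15T09:04:45Z user=john.smith ip=203.0.113.5 system=corp-sso result=FAIL kind=interactive
2026-01-15T09:09:59Z user=john.smith ip=203.0.113.5 system=corp-sso result=FAIL kind=interactive
2026-01-15T09:30:00Z user=jane.doe ip=198.51.100.7 system=prod-db result=OK kind=interactive
2026-01-15T09:31:00Z user=svc-billing-processor ip=10.0.4.9 system=prod-db result=OK kind=interactive
2026-01-15T22:15:00Z user=jane.doe-admin ip=198.51.100.7 system=prod-db result=OK kind=interactive
"""

CRITICAL_SYSTEMS = {"prod-db", "kms"}                    # Critical-tier systems per 1.3 (constructed list)
BUSINESS_HOURS = range(8, 18)                            # 08:00-17:59 UTC (assumption)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)   # "5 failures in 10 minutes"

def parse(line: str) -> dict:
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def detect(lines) -> list[tuple[str, str, str]]:
    """Return (monitoring type, user, response) triples for three rows of the 9.1 table."""
    alerts = []
    recent_fail = defaultdict(deque)      # user -> failure timestamps inside the sliding window
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        if r["result"] == "FAIL":
            q = recent_fail[r["user"]]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()                # drop failures that fell out of the 10-minute window
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("failed_authentication", r["user"], "account lockout, investigation"))
                q.clear()                  # one alert per burst; the lockout handles the rest
        # service accounts are svc-* by the 3.3 naming standard and never log in interactively
        if r["user"].startswith("svc-") and r["kind"] == "interactive":
            alerts.append(("service_account_abuse", r["user"], "block, investigation"))
        if r["system"] in CRITICAL_SYSTEMS and r["result"] == "OK" and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", r["user"], "alert, verification required"))
    return alerts
```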

9.2 Access Anomaly Detection

Anomaly Type | Detection Method | Response
--- | --- | ---
Location anomaly | Geolocation comparison | Challenge, step-up auth
Device anomaly | Device fingerprinting | Challenge, notification
Behavior anomaly | ML-based baseline | Alert, investigation
Time anomaly | Historical pattern | Challenge, logging
Volume anomaly | Statistical threshold | Alert, rate limiting

9.3 Enforcement Actions

Violation Type | Automated Response | Manual Follow-up
--- | --- | ---
Policy violation | Access blocked | Investigation, remediation
Suspicious activity | Step-up authentication | Security review
Confirmed compromise | Account suspended | Incident response
Privilege abuse | Access revoked | HR involvement
Repeated violations | Escalating restrictions | Management escalation

Compliance and Exceptions

10.1 Policy Exceptions

Exception requests must include:

Element | Requirement
--- | ---
Business justification | Why standard policy cannot be followed
Risk assessment | Risks introduced by exception
Compensating controls | Additional controls to mitigate risk
Duration | Time-limited (maximum 1 year)
Review date | When exception will be re-evaluated
Approval | CISO approval required

10.2 Exception Approval Matrix

Exception Type | Approval Required | Maximum Duration
--- | --- | ---
MFA bypass | CISO | 30 days
Password policy exception | Security Manager | 90 days
Privileged access duration | CISO | Per incident
Shared account | Not approved | N/A
Access review extension | Security Manager | 5 business days

Framework Mapping Appendix

SOC 2 Trust Services Criteria Mapping

TSC | Control | Acme Cloud Implementation | Evidence
--- | --- | --- | ---
CC6.1 | Logical access security | Identity management, authentication | IAM configurations
CC6.2 | Access provisioning | JML process, approval workflows | Provisioning records
CC6.3 | Access removal | Offboarding process | Termination records
CC6.4 | Access restriction | RBAC, least privilege | Role definitions
CC6.5 | Privileged access | PAM, JIT access | PAM logs
CC6.6 | Access reviews | Periodic recertification | Review records
CC6.7 | Physical access | Badge access, visitor management | Access logs
CC6.8 | System account management | Service account controls | Account inventory

ISO 27001 Annex A Mapping

Control | Control Name | Acme Cloud Implementation / Evidence
--- | --- | ---
A.9.1.1 | Access control policy | This document
A.9.1.2 | Network access control | VPC segmentation, firewall rules
A.9.2.1 | User registration | JML process
A.9.2.2 | Access provisioning | Role-based provisioning
A.9.2.3 | Privileged access | PAM system
A.9.2.4 | Secret management | Secrets Manager, rotation
A.9.2.5 | Access review | Periodic certification
A.9.2.6 | Access removal | Offboarding process
A.9.3.1 | Secret information use | Password policy, MFA
A.9.4.1 | Access restriction | Need-to-know, least privilege
A.9.4.2 | Secure log-on | MFA, session controls
A.9.4.3 | Password management | Policy enforcement
A.9.4.4 | Privileged utilities | Admin tool controls
A.9.4.5 | Source code access | Repository permissions

NIST CSF Mapping

NIST Function | Category | Acme Cloud Implementation
--- | --- | ---
Identify (ID) | ID.AM | Asset inventory, account inventory
Protect (PR) | PR.AC-1 | Identity management
Protect (PR) | PR.AC-2 | Physical access control
Protect (PR) | PR.AC-3 | Remote access management
Protect (PR) | PR.AC-4 | Access permissions management
Protect (PR) | PR.AC-5 | Network integrity
Protect (PR) | PR.AC-6 | Identity proofing
Protect (PR) | PR.AC-7 | Authentication
Detect (DE) | DE.CM-3 | Access monitoring
Respond (RS) | RS.MI-2 | Access incident response

Related Trust Center documents

security overview, encryption standards, incident response, data retention, privacy policy, terms of service

Document revision history

Version | Date | Author | Summary of changes
--- | --- | --- | ---
1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication
2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors
2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping
3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc., 1200 Market Street, Suite 400, San Francisco, CA 94103, USA

Channel | Email | Use case
--- | --- | ---
Trust & procurement | trust@acmecloud.com | Security questionnaires, trust reviews
Security | security@acmecloud.com | Incidents, vulnerabilities, control questions
Privacy | privacy@acmecloud.com | DSRs, privacy assessments
Legal | legal@acmecloud.com | Contractual, DPA, legal notices