HECVAT Full v3.0.6
Application/Service Security
APPL-01

Question APPL-01

Are access controls for institutional accounts based on structured rules, such as role-based access control (RBAC), attribute-based access control (ABAC), or policy-based access control (PBAC)?

Weight: 25
High Risk: Yes
Required: Yes
Compliant Answer: Yes

Standard Guidance

This includes end users, administrators, service accounts, etc. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity–based access.
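As an added illustration of the layered model this guidance describes (not part of HECVAT or any vendor's product), the block below maps roles to permissions for institutional accounts (RBAC) and then refines each grant with PBAC conditions: a risk-based check, a conditional-access MFA rule, and a location-based rule. Role names, permission strings, the campus network range and the 0..100 risk scale are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# RBAC layer: static role-to-permission mapping covering end users,
# administrators and a service (machine-to-machine) account. Constructed values.
ROLE_PERMISSIONS = {
    "student": {"read:grades"},
    "instructor": {"read:grades", "write:grades"},
    "admin": {"read:grades", "write:grades", "manage:users"},
    "service": {"read:grades"},
}

CAMPUS_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # constructed placeholder range
SENSITIVE = {"write:grades", "manage:users"}          # permissions needing stronger assurance


@dataclass
class Request:
    account: str
    role: str
    permission: str
    source_ip: str
    risk_score: int      # 0 (low) .. 100 (high); constructed scale, e.g. from an IdP signal
    mfa_verified: bool


def available_roles():
    """What a vendor would list when 'describing available roles'."""
    return {role: sorted(perms) for role, perms in ROLE_PERMISSIONS.items()}


def rbac_allows(req):
    """Static check: does the account's role carry the requested permission?"""
    return req.permission in ROLE_PERMISSIONS.get(req.role, set())


def pbac_conditions(req):
    """Dynamic (policy-based) conditions layered on top of the role grant.
    Returns the first failing condition, or None if all conditions pass."""
    if req.risk_score >= 70:
        return "risk-based: session risk too high"
    if req.permission in SENSITIVE and not req.mfa_verified:
        return "conditional access: MFA required for sensitive permission"
    if req.permission == "manage:users" and ipaddress.ip_address(req.source_ip) not in CAMPUS_NETWORK:
        return "location-based: user management only from the campus network"
    return None


def authorize(req):
    """Combine both layers; a deny from either layer wins. Returns (allowed, reason)."""
    if not rbac_allows(req):
        return False, f"rbac: role '{req.role}' lacks '{req.permission}'"
    failed = pbac_conditions(req)
    return (False, failed) if failed else (True, "allowed")
```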

Answering "NO"

Describe any limitations that prevent support for RBAC for institutional accounts.

Answering "YES"

Describe available roles.

Reason for Question

Understanding access control capabilities allows an institution to estimate the type of maintenance effort that will be involved in managing a system. Depending on the users, concerns may or may not be elevated. The value of this question is largely determined by the deployment strategy and use case of the software/product/service under review. This question is specific to end users.

Follow-Up Inquiries

Ask the vendor to summarize the best practices to restrict/control the access given to the institution's end users without the use of RBAC. Make sure to understand the administrative requirements/overhead introduced in the vendor's environment.

HECVAT Pro Advice

[Add expert insights and best practices]

Implementation Tips

[Add practical steps for SME SaaS vendors]

FAQ

[Add common questions related to this HECVAT item]

Resources

[Add links to relevant articles or tools]