Question APPL-02
Are access controls for staff within your organization based on structured rules, such as RBAC, ABAC, or PBAC?
Weight | 20
High Risk | No
Required | Yes
Compliant Answer | Yes
Standard Guidance
The staff in scope include system administrators and third-party personnel with access to the system. PBAC would include various dynamic controls such as conditional access, risk-based access, location-based access, or system activity–based access.
Answering "NO"
Describe any limitations that prevent support for RBAC within your organization.
Answering "YES"
EDUCAUSE provides no guidance here.
Reason for Question
Managing a software product or service may rely on various professionals to administer a system. This question is focused on how administrative access, and the segregation of functions, is implemented within the vendor's infrastructure.
Follow-Up Inquiries
Managing a complex infrastructure requires diligence in protecting access and authority. Unsatisfactory responses may indicate a lack of maturity at the vendor and/or a flat infrastructure in which a small number of individuals hold broad authority. Inquire about separation of duties and look for areas of inappropriate functional overlap.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]