Control 3.1.2

★What This Means in Plain English

Even after users are authenticated, they should only be able to perform actions they are specifically authorized to do. A regular employee should not be able to run admin commands, and a finance user should not be able to modify security settings.

✓How Petronella Implements This Control

Petronella Technology Group implements this control through:

• Role-based access control (RBAC) in Microsoft Entra ID with granular role definitions per business function
• Group Policy Objects (GPOs) restricting application execution and system utilities based on user role
• Application-level permissions enforcing function-based access within line-of-business applications
• ComplianceArmor documentation tracking authorized transactions per role
• Quarterly role certification reviews ensuring permissions match current job responsibilities

🔎Assessment Guidance

Assessors will review role definitions and permission matrices, test that users cannot execute transactions outside their authorized scope, verify function-level restrictions are enforced, and check that role assignments are documented and regularly reviewed.

⚠Common Implementation Gaps

• Overly broad role definitions granting excessive permissions
• No function-level access controls within applications
• Users retaining permissions from previous roles after job changes
• Lack of documented permission matrices mapping roles to transactions
• Admin rights granted to standard users for convenience

⇄Cross-Framework Mapping