Access Governance & RBAC
Plain English Translation
Access to personal data systems must be governed by a formal access management policy that enforces role-based access controls, requires authentication for all authorized users, and maintains a secure database of user records. Access rights must be regularly reviewed and promptly revoked when no longer needed. This prevents unauthorized or excessive access to personal data by restricting each user to only the data required for their role.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Define basic roles (e.g., admin, standard user) and implement centralized identity management for systems containing personal data.
Required Actions (scaleup)
- Implement strict RBAC integrated with Human Resources systems for automated provisioning and de-provisioning of access upon termination.
Required Actions (enterprise)
- Deploy continuous access governance tools, conduct automated quarterly access reviews, and enforce Just-In-Time (JIT) access for privileged roles.
The organization must implement an access management policy that includes user accreditation, authentication, role-based access controls, and a secure user record database.
RA 10173 mandates implementing organizational, physical, and technical security measures, including strict role-based access controls and formal processes for revoking access when a user leaves the organization.
Organizations must implement comprehensive organizational, physical, and technical security measures designed to maintain data availability, integrity, and confidentiality.
Yes, IRR Section 26(d)(3) specifically requires policies to implement role-based access controls for systems containing personal data.
It must include processes for user accreditation, authentication procedures, RBAC implementation guidelines, and instructions for maintaining a secure user record database.
Organizations must have a formal process to evaluate, approve, and grant appropriate system access privileges to users based on their defined job responsibilities before providing access.
It is a protected and maintained repository or directory that securely logs and tracks all accredited users, their identities, and their corresponding access levels and roles.
While not specifying an exact timeframe, the IRR requires monitoring and review of operations. Best practice dictates quarterly access reviews to ensure ongoing alignment with RBAC policies.
Technical measures include data encryption, tracking access activity, securing computer networks against vulnerabilities, and deploying robust authentication processes.
CISOs should define strict roles based on least privilege, enforce central identity management, integrate access controls with HR systems, and maintain continuous access auditing.
Access management policies can become outdated when roles, systems, or approval workflows change. Tools like WatchDog Security's Policy Management can help maintain version-controlled policies, track employee acceptance, and support periodic review of RBAC and user accreditation requirements.
RBAC evidence usually includes role definitions, access review logs, approval records, and user termination checklists. Tools like WatchDog Security's Compliance Center can help organize these artifacts, assign evidence owners, and identify gaps against RA 10173 control requirements.
"An access management policy which shall include a process for accreditation and authentication of authorized users granted access to the system, policies to implement role-based access controls, and maintenance of a secure user record database."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | WatchDog GRC Team | Initial publication |

