Identity & Access Management: User Security & Reviews

How to Complete the RBAC Matrix for SMBs

Step-by-step instructions on using the Trustero RBAC Matrix Template

Trustero Tip: After reading this article, customize this template to document your Role-Based Access Controls.

Introduction

A foundational element of your internal Information Security Program is control of each person's access to systems and data. Each individual should have just the access their role requires, and no more (a new hire should not receive the same access as a senior system administrator, yet it happens). To manage this, most systems offer some form of Role-Based Access Control (RBAC), in which permissions are attached to a role and people receive access by being assigned that role.

This Knowledge Base article offers step-by-step instructions on using the Trustero RBAC Matrix Template. [LINK] The template is tailored to meet the unique needs of small to medium-sized businesses (SMBs). It is a practical tool to establish and manage access rights for both your internal InfoSec Program and any audit scopes.

Purpose of the RBAC Matrix

The Trustero RBAC Matrix applies the principle of least privilege: each Job Title is mapped to only the information systems, and only the level of access within each system, that its job functions require. Any access beyond that mapping is a deviation that must be documented and approved.

Getting Started with the RBAC Matrix Template

  1. Open the Trustero provided RBAC Matrix Template.[LINK TO TEMPLATE]
  2. Identify and list all Job Titles within your organization in the 'Job Titles' column.
  3. List all Information Systems in the 'Systems' column. Classify these systems into:
    • Primary Systems (within the audit scope)
    • Other Systems (not within the audit scope but still managed under the overall InfoSec Program)

Filling Out the Template

  1. Define the level of access required for each Job Title to each System using the following categories:
    • Read
    • Write
    • Admin
    • Authorized to Provide Access (the role that can grant access on that system to others, and therefore the role that approves exceptions)
  2. Assign exactly one level next to each Job Title for each System. An empty cell should mean "no access", not "not yet decided", so fill in every cell for the systems in scope.

Reviewing and Updating the Matrix

  1. Review the RBAC Matrix at least annually, and whenever changes occur, to confirm it still reflects current roles, responsibilities, and systems. A review should also compare the access each system actually reports against what the matrix allows for that person's Job Title.
  2. Update the matrix whenever job functions change, systems are added, replaced, or reconfigured, or practice has drifted from what the matrix documents.
  3. For temporary access needs outside the predefined roles, document the exception with an end date and obtain management approval before the access is granted.

Managing Deviations

In your RBAC matrix, the "Access Deviations & Exceptions" tab is essential for tracking any approved deviations from standard access controls:

  1. Record each exception with details such as the person, Job Title, System, and Access Level Granted.
  2. Indicate the duration (start and end date) and the approval status, including who approved it.
  3. Regularly review and update this tab to confirm that each deviation is still within its approved period and still necessary, and remove the access when an exception expires.
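The review steps above (compare actual access to the matrix, then confirm every excess grant is backed by an approved, unexpired exception) can be mechanised once the matrix and the exceptions tab are exported. The following is an added example, not part of the Trustero template or this article: the job titles, systems, exception rows, access export and review date are all constructed, and the ordering of the four access levels (with "Authorized to Provide Access" on top) is an assumption made here for comparison purposes.

```python
"""Access review against an RBAC matrix and its exceptions tab (added example).

All data below is constructed for illustration; the level ordering is an
assumption, not something the Trustero template defines.
"""
from datetime import date

# Assumed privilege ordering, lowest to highest. "Authorized to Provide Access"
# lets the holder grant access to others, so it is treated as the top level.
LEVELS = ["None", "Read", "Write", "Admin", "Authorized to Provide Access"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed matrix: Job Title -> System -> maximum access the role may hold.
MATRIX = {
    "Software Engineer": {"GitHub": "Write", "AWS": "Read", "HRIS": "None"},
    "DevOps Engineer": {"GitHub": "Admin", "AWS": "Admin", "HRIS": "None"},
    "IT Manager": {"GitHub": "Authorized to Provide Access",
                   "AWS": "Authorized to Provide Access", "HRIS": "Read"},
    "HR Generalist": {"GitHub": "None", "AWS": "None", "HRIS": "Write"},
}

# Constructed rows from the "Access Deviations & Exceptions" tab.
EXCEPTIONS = [
    {"user": "alice", "job_title": "Software Engineer", "system": "AWS", "access": "Admin",
     "approved_by": "IT Manager", "start": date(2024, 3, 1), "end": date(2024, 3, 31)},
    {"user": "bob", "job_title": "Software Engineer", "system": "AWS", "access": "Write",
     "approved_by": "IT Manager", "start": date(2024, 6, 1), "end": date(2024, 8, 31)},
    {"user": "carol", "job_title": "HR Generalist", "system": "GitHub", "access": "Read",
     "approved_by": None, "start": date(2024, 6, 1), "end": date(2024, 12, 31)},
]

# Constructed access export: what each system actually reports today.
ACTUAL = [
    {"user": "alice", "job_title": "Software Engineer", "system": "AWS", "access": "Admin"},
    {"user": "bob", "job_title": "Software Engineer", "system": "AWS", "access": "Write"},
    {"user": "carol", "job_title": "HR Generalist", "system": "GitHub", "access": "Read"},
    {"user": "dave", "job_title": "DevOps Engineer", "system": "AWS", "access": "Admin"},
    {"user": "erin", "job_title": "Intern", "system": "GitHub", "access": "Write"},
]

REVIEW_DATE = date(2024, 7, 15)  # constructed "today" for the review


def exception_status(exc, today):
    """Classify one exception row as of `today`."""
    if not exc["approved_by"]:
        return "unapproved"
    if today < exc["start"]:
        return "not yet active"
    if today > exc["end"]:
        return "expired"
    return "active"


def stale_exceptions(exceptions, today):
    """Rows on the exceptions tab that must be closed, removed or re-approved."""
    return [(e["user"], e["system"], exception_status(e, today))
            for e in exceptions if exception_status(e, today) != "active"]


def review(actual, matrix, exceptions, today):
    """Return (user, system, reason) for every grant the matrix does not justify."""
    findings = []
    for g in actual:
        role = matrix.get(g["job_title"])
        if role is None:
            findings.append((g["user"], g["system"], "job title not in matrix"))
            continue
        if g["access"] not in RANK:
            findings.append((g["user"], g["system"],
                             f"unrecognised access level {g['access']!r}"))
            continue
        allowed = role.get(g["system"], "None")  # missing cell means no access
        if RANK[g["access"]] <= RANK[allowed]:
            continue  # within the role's standard access
        # Over-privileged relative to the role: look for a covering exception
        # on the same user and system at least as high as what was granted.
        matches = [e for e in exceptions
                   if (e["user"], e["system"]) == (g["user"], g["system"])
                   and RANK.get(e["access"], -1) >= RANK[g["access"]]]
        if any(exception_status(e, today) == "active" for e in matches):
            continue  # documented, approved and still within its period
        note = (f"exception {exception_status(matches[0], today)}"
                if matches else "no exception on file")
        findings.append((g["user"], g["system"],
                         f"{g['access']} exceeds matrix level {allowed} ({note})"))
    return findings


if __name__ == "__main__":
    for user, system, reason in review(ACTUAL, MATRIX, EXCEPTIONS, REVIEW_DATE):
        print(f"FINDING  {user:6} {system:7} {reason}")
    for user, system, status in stale_exceptions(EXCEPTIONS, REVIEW_DATE):
        print(f"EXCEPTION {user:6} {system:7} {status}")
```

Run against the constructed data, the review flags alice (her admin exception expired in March but the access was never removed), carol (an exception was recorded but never approved) and erin (a job title that the matrix does not cover at all), while bob's elevated access passes because an approved, in-date exception covers it. Treating a missing matrix cell as "None" is what makes step 2 of "Filling Out the Template" matter: an empty cell is read as no access, so anything found there in the export is a finding rather than silently ignored.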

Conclusion

By following this guide, you will create a robust RBAC Matrix that serves as the single, authoritative source of truth for access rights within your organization. Regular maintenance of this matrix, together with periodic comparison of the matrix against the access your systems actually grant, is essential for sustaining a strong security posture and ensuring continuous alignment with your InfoSec policies and audit requirements.
