GRCWatch
Sign inStart free trial

CIS Control 6.8: Define and Maintain Role-Based Access Control

Role-based access control (RBAC) is your first line of defense against unauthorized access. CIS Control 6.8 requires you to document access rights by role, perform annual reviews, and ensure every privilege is justified. Weak access controls expose your organization to data breaches, compliance failures, and regulatory fines.

What this means

Role-based access control means assigning permissions to employees based on their job function, not individual needs. You must document which roles exist, what access each role requires, and why. Then you need to audit these assignments at least once yearly—or more frequently for sensitive systems—to catch over-privileged accounts, orphaned users, and access drift. This prevents the "never removing access" problem that plagues most organizations.

How to comply

  1. 1.Document all job roles in your organization and the legitimate access requirements for each role
  2. 2.Define access levels for each role across applications, systems, databases, and cloud services
  3. 3.Implement role-based access control in your identity and access management (IAM) system or directory service
  4. 4.Assign users to roles and remove individual, non-role-based permissions
  5. 5.Schedule recurring access reviews at least annually, or quarterly for critical systems
  6. 6.During reviews, validate that assigned access matches current job duties
  7. 7.Remove access that is no longer justified or belongs to inactive users
  8. 8.Document all access decisions and reviews for audit evidence

Evidence auditors look for

  • Role definition document listing all roles, responsibilities, and corresponding access rights
  • Access review checklist completed at least annually with approval signatures
  • IAM system reports showing user role assignments and their effective permissions
  • Audit trail or review logs documenting when access was granted, modified, or removed
  • Evidence of remediation for over-privileged accounts identified during reviews
  • Organization chart or role hierarchy documentation
  • Access policy stating the review frequency and approval requirements

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates annual access reviews by scanning your actual system permissions, comparing them against documented roles, and flagging over-privileged accounts and access drift—turning a weeks-long manual audit into a one-click compliance report.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 6.1 — Establish an Access Control ProcessCIS Control 6.2 — Ensure access control maintenanceCIS Control 5.3 — Disable Dormant Accounts