GRCWatch
Sign inStart free trial

AC.L1-3.1.2: Transaction and Function Control

Transaction and function controls ensure users can only execute actions they're authorized to perform—a foundational access control requirement under CMMC Level 1. This control prevents unauthorized or accidental misuse of system capabilities by restricting user permissions to specific business functions.

What this means

This control requires you to configure your information systems so that each authorized user can only execute the types of transactions and functions their role permits. Rather than giving users broad access, you implement granular restrictions based on job duties. If a user's role is 'data entry clerk,' they should only access data entry screens—not reporting, configuration, or deletion functions.

How to comply

  1. 1.Map all system transactions and functions to specific user roles based on job duties
  2. 2.Define authorization rules that restrict each role to only their permitted transactions
  3. 3.Configure access controls in your systems to enforce role-based permissions
  4. 4.Document which users have access to which functions and maintain this mapping
  5. 5.Test access restrictions to confirm users cannot execute unauthorized transactions
  6. 6.Review and update role definitions when job duties or system functions change

Evidence auditors look for

  • Role-based access control (RBAC) configuration showing restricted permissions per user group
  • System access logs demonstrating users only performed authorized transactions
  • Access control matrix documenting user roles and permitted functions
  • Policy or procedure describing transaction approval workflows
  • Application settings showing disabled or hidden functions for restricted users
  • User access review documentation confirming appropriateness of assigned permissions

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates role-based permission mapping and flags unauthorized transaction attempts in real time, eliminating manual access reviews and reducing the time to demonstrate AC.L1-3.1.2 compliance by up to 80%.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L1-3.1.1 — Authorized Access ControlAC.L2-3.1.2 — Detailed Access ControlAC.L2-3.1.5 — Access Control for Privileged Accounts