GRCWatch
Sign inStart free trial

SOC 2 CC6.3: Access Rights Management

CC6.3 requires your organization to control who accesses data and systems through documented, approved processes. Without proper access rights management, unauthorized users can compromise sensitive information and violate compliance obligations. This control ensures every access request follows your established procedures and is regularly reviewed.

What this means

Access Rights Management (CC6.3) mandates that your organization implement a formal system for authorizing, modifying, and removing user access to data, software, functions, and protected information assets. All access decisions must be based on approved and documented requests, and your access control procedures must define who can grant or revoke access, under what conditions, and with what justification. This creates an auditable trail showing that access rights are granted only to authorized personnel and removed promptly when no longer needed.

How to comply

  1. 1.Document your access request and approval workflow, specifying who can request access, who must approve it, and required justifications
  2. 2.Define role-based or attribute-based access control (RBAC/ABAC) policies that map job functions to system permissions
  3. 3.Require written approval from authorized personnel before granting, modifying, or removing any user access
  4. 4.Maintain a centralized access control matrix or directory showing which users have access to which systems and data
  5. 5.Implement periodic access reviews (quarterly or semi-annually) to verify access is still appropriate and remove unnecessary privileges
  6. 6.Automate access provisioning and deprovisioning workflows to reduce manual errors and ensure timely removal when users leave or change roles
  7. 7.Log all access changes with timestamps, change requesters, approvers, and business justifications for audit trails

Evidence auditors look for

  • Access request forms with approver signatures or digital approval records
  • Role-based access control (RBAC) documentation mapping roles to system permissions
  • Access control matrices showing users, systems, and approved data access levels
  • Approved access request tickets in your ticketing system with clear audit trails
  • Quarterly access review reports signed by managers confirming access appropriateness
  • User provisioning and deprovisioning logs from your identity management system
  • Change management records documenting access modifications with business justification
  • Termination checklists showing access removal confirmation for departing employees

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates access request workflows, tracks approvals, and generates quarterly access review reports—eliminating manual spreadsheets and ensuring CC6.3 compliance with complete audit trails.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CC6.1 — Logical and Physical Access ControlsCC6.2 — Prior to Issuing System CredentialsCC7.2 — System MonitoringCC9.1 — Change Management Procedures