Access Control Policy: Why, Where, and How
November 11, 2021

Access Control Policy Definition

An access control policy defines the controls placed on access to IT environments. It specifies both physical access controls, and a secure process for accessing software. The goal is to limit access to computer networks and data, to protect from unauthorized access and loss. 

Access control policies define the details involved in controlling access to systems and information. They may include the management of several key issues, such as access control standards, network access controls, user access, passwords, higher-risk system access and operating system software controls. 

An access control policy can also define the details of providing access to documents and files, controlling remote user access, securing workstations left unattended, protecting against unauthorized physical access, restricting access, and monitoring how systems are accessed and used.

In this article:

Types of Access Policies

Access control policies determine who can access data under what circumstances. Policies that manage access based on individualized privileges allow you to better protect company data and physical assets from unauthorized access. Such policies provide varying levels of access permissions to each user, reducing the risk exposure and facilitating security monitoring and maintenance.

Many organizations have to comply with industry and regulatory standards, which require access policies to be enforced and documented. With an access policy in place, you can manage and track access to systems and data, ensuring that users have the appropriate access. Restricting access is of critical importance in maintaining security and confidentiality. 

Individual access permissions must take into account:

  • Necessity—access to systems, applications and data should be provided only where necessary to complete a task.  This is critical to least privileged access, which is a core tenet of Zero Trust.
  • Access approval—any changes in the role or status of an end-user must be approved by the security administrator. Access privileges should immediately be revoked upon termination of an employee or contractor. External users (non-employees) are often required to obtain approval from an internal manager or department head before receiving access.
  • Management—there should be a management policy in place to guide the process of making changes to access policies. Security measures should be regularly updated to keep up with evolving technologies.

In some cases, you may want to place additional barriers or require users to sign forms and statements in order to get access:

  • Acceptable use—users often must agree to an acceptable use policy (AUP), which reminds them to adhere to behavioral guidelines. This helps avoid exposing your organization to security threats and legal issues. 
  • Compliance—individuals should sign a compliance statement before being issued a user ID. This should be reconfirmed annually. 
  • Authentication—ideally, this should be two-factor or multi-factor authentication based on a combination of identifiers like passwords, tokens and biometrics.
  • Workstation access control—apply automatic log-out and password-protected screen savers, so users must log in again after periods of inactivity.
  • Remote access control—your access policy should define how users can connect remotely to your organization’s network. 
  • Physical access control—access to your physical premises should be treated as a privilege and restricted accordingly. Apply measures such as locks that provide access based on user ID, security personnel and monitoring devices. 

Related content: Read our guide to access control types (coming soon)

What Is Tiered Access Control?

Tiered access control consists of the following three tiers:

  • Tier 0—includes assets that enable direct control of identity and security infrastructure. Active Directory (AD) is a popular Tier 0 asset, but it can also include public key infrastructure (PKI), Azure Active Directory (Azure AD), identity and access management (IAM) tools, and management systems for Tier 0 assets.
  • Tier 1—includes servers, cloud services, and applications. Tier 1 access often provides significant access to critical business information. Tier 1 is typically segmented to limit privileged access to different sets of applications, services and servers.
  • Tier 2—includes client computers and any related devices. The tier often includes administrative access and indirect control of an end user device (such as help desk or desktop support). Tier 2 can be further segmented to limit privileged access to different sets of assets.

Related content: Read our guide to access control security (coming soon)

What to Include In an Access Control Policy Document

An access policy document is a formal procedure that defines how the organization wishes to restrict access to sensitive assets. Based on this document, technical controls can be put in place to enforce access restrictions. When compiling your access control policy document, consider including the following sections:


This section explains the need for the access control policy (i.e. protecting sensitive resources and information). This helps ensure that all users understand what is at stake and take the policy seriously.


This section explains what users and resources the policy applies to. Each type of user (employee, contractor, customer, etc) will have different privileges and obligations. Resources should be classified according to their sensitivity. 

The scope also describes the limits of the policy (for example, it does not apply to the private use of personal devices, but only to the use of company devices or personal devices for work purposes). 


This section describes the responsibilities of the team enforcing the access control policy. The policy owner is responsible for writing and overseeing the policy, while there are often additional team members (such as IT admins) who are responsible for implementing it.


This section stipulates the consequences of non-adherence to access control policies. This should also outline requirements for periodic security training to reinforce the policy and maintain employee awareness.

Access Policies

This section provides the actual access control policies in detail.


This section provides details about whom to contact with questions about the policies, or when policies need to be adapted due to new roles, resources, or processes.

Policy History

This section keeps a record of updates to the policy, as well as a history of audits. This shows the policy as a living document and helps build confidence in the policy.

Automated Access Control Policies with Pathlock

Implementing proper access control solutions can be a stressful, expensive, and time consuming process, but it doesn’t have to be. Pathlock provides an automated, real-time solution to automating access control across all of your business systems. Furthermore, Pathlock’s continuous controls monitoring can ensure that you are always tracking your compliance requirements around access control, so there are no major surprises when the audit season comes around. 

In today’s modern enterprise, nearly 100% of the financially relevant activity happens in modern applications like SAP, Oracle, Workday, and NetSuite. By connecting directly into your business applications, Pathlock can automatically provision and deprovision users in these applications to surface any violations to controls, and pinpoint and quantify the financial impact of any risks.  Internal and external auditors alike trust Pathlock’s reports to prove control enforcement and compliance with regulations like SOX, PCI DSS, and others


User Access Reviews

Pathlock supports automated user access reviews to ensure employees don’t have more access than is required.  The review workflow and reporting is completely automated, to ensure campaigns are completed accurately and on time.

Fine-Grained Provisioning

Pathlock’s access control provides the detailed level of visibility you require to stay in control and stay compliant.  Pathlock can provision beyond the basic role level down to the detailed transaction level (eg. T-Code level in SAP).

Real-time Access Mitigation

Pathlock allows user to quickly investigate and respond to potential risky transactions by reviewing access, deprovisioning users, forcing 2FA, or even allowing Pathlock to respond intelligently in real-time, terminating suspicious sessions and blocking transactions in real time

Out-of-the-Box Integrations

Pathlock’s out of-the-box integrations extend workflows to the other IAM tools you already have in place such as ServiceNow, SailPoint, Okta, Azure AD, SAP GRC, and more

Lateral SOD Correlation

All entitlements and roles are correlated across a user’s behavior, consolidating activities and showing cross application SOD’s between financially relevant applications.  Pathlock integrates to 140+ applications, correlating and normalizing user access and activity across systems.

Emergency Access Management

Pathlock reduces risk by providing a turnkey solution for granting and revoking elevated privileges on a just-in-time basis.  Furthermore, Pathlock monitors 100% of the activity performed with these elevated privileges, to assist with proving compliance mandates.

Learn more about Pathlocks access control solution