Control Types and Categories

Least Privilege

Least privilege is the principle that users, roles and security groups are granted only the access their job responsibilities require, and nothing more. When application security is designed around least privilege, excessive and unneeded access is removed rather than left to accumulate. Least privilege controls therefore do two things: they confirm that users can perform their legitimate business functions, and they confirm that the data those users can reach is limited to what those functions need.

The least-privilege controls below are grouped by platform. Each entry lists the control title, its control type(s) and its risk rating.

All

2 controls:
Control Title | Control Type | Risk Rating
Authorization – High Privileged Access in SSM | Identity Governance, Least Privilege | High
Role and Entitlements Management | Identity Governance, IT General Controls, Least Privilege | High

Azure

8 controls:
Control Title | Control Type | Risk Rating
Access to High Privileged VMs | Identity Governance, Least Privilege | High
Access to Manage Azure Access Rights | Data Controls, Least Privilege | Critical
Access to Storage Account Keys | Cloud Controls, Least Privilege | High
Ensure that no custom subscription owner roles are created | Cloud Controls, Least Privilege | High
High Privileged Access to VMs | Least Privilege | High
High Privileged Azure Users | Least Privilege | High
Non-MFA High Privileged Users | Cloud Controls, Least Privilege | High
VM Network Security Groups allowing inbound traffic from RFC-1918 CIDRs | Cloud Controls, Least Privilege | Medium
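Two of the Azure controls above can be checked offline from exported configuration. The following Python is an added example (not part of the control catalog) that implements the custom subscription-owner-role check and the NSG inbound-from-RFC-1918 check. The record shapes follow the JSON printed by `az role definition list --custom-role-only true` and `az network nsg list`; the role definitions, subscription id and NSGs embedded below are constructed samples, and the Owner-equivalence test and the decision not to expand service tags are this example's own assumptions.

```python
"""Offline checks for two Azure least-privilege controls listed above (added
example, not from the control catalog). Input shapes follow the JSON printed by
`az role definition list --custom-role-only true` and `az network nsg list`;
the records embedded below are constructed samples."""
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription id

# Constructed: an Owner-equivalent custom role at subscription scope, the same
# grant limited to one resource group, and a read-only role at tenant root.
ROLE_DEFINITIONS = [
    {"roleName": "Platform Admins", "roleType": "CustomRole", "assignableScopes": [SUB],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "RG Owner", "roleType": "CustomRole", "assignableScopes": [SUB + "/resourceGroups/rg-app"],
     "permissions": [{"actions": ["*"], "notActions": []}]},
    {"roleName": "Reader Plus", "roleType": "CustomRole", "assignableScopes": ["/"],
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
]

# Constructed NSGs: a rule open to all of 10/8, an Internet-facing HTTPS rule,
# a deny-all, and a database rule mixing private and public source ranges.
NSGS = [
    {"name": "nsg-web", "securityRules": [
        {"name": "allow-corp", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "*"},
        {"name": "allow-https", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
        {"name": "deny-all", "direction": "Inbound", "access": "Deny",
         "sourceAddressPrefix": "*", "destinationPortRange": "*"}]},
    {"name": "nsg-db", "securityRules": [
        {"name": "allow-any-in", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefixes": ["192.168.1.0/24", "203.0.113.0/24"], "destinationPortRange": "1433"}]},
]


def is_subscription_or_root_scope(scope: str) -> bool:
    """True for '/' (tenant root) or '/subscriptions/<id>' with nothing beneath it."""
    parts = [p for p in scope.split("/") if p]
    return not parts or (len(parts) == 2 and parts[0].lower() == "subscriptions")


def custom_owner_roles(role_defs):
    """Custom roles granting every control-plane action ('*') that are assignable
    at subscription or root scope, i.e. a second, unmanaged Owner. Whether
    notActions at least denies role-assignment writes is reported, not used to
    suppress the finding (assumption: the control flags any such role)."""
    findings = []
    for rd in role_defs:
        perms = rd.get("permissions", [])
        if rd.get("roleType") != "CustomRole" or not any("*" in p.get("actions", []) for p in perms):
            continue
        scopes = [s for s in rd.get("assignableScopes", []) if is_subscription_or_root_scope(s)]
        if not scopes:
            continue
        not_actions = {n.lower() for p in perms for n in p.get("notActions", [])}
        denied = bool(not_actions & {"microsoft.authorization/*", "microsoft.authorization/*/write"})
        findings.append({"role": rd["roleName"], "scopes": scopes, "rbac_write_denied": denied})
    return findings


def rule_sources(rule):
    """NSG rules carry either one sourceAddressPrefix or a list in sourceAddressPrefixes."""
    sources = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        sources.append(rule["sourceAddressPrefix"])
    return sources


def overlaps_rfc1918(prefix: str) -> bool:
    """'*' covers all private space, so it counts. CIDRs and single IPs are tested
    for overlap. Service tags ('Internet', 'VirtualNetwork', ...) are not expanded
    in this example (assumption) and therefore never match."""
    if prefix == "*":
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return any(net.overlaps(r) for r in RFC1918)


def inbound_from_rfc1918(nsgs):
    """Inbound Allow rules whose source includes RFC-1918 address space."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules", []):
            if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
                continue
            hits = [s for s in rule_sources(rule) if overlaps_rfc1918(s)]
            if hits:
                findings.append({"nsg": nsg["name"], "rule": rule["name"],
                                 "sources": hits, "ports": rule.get("destinationPortRange")})
    return findings


if __name__ == "__main__":
    for f in custom_owner_roles(ROLE_DEFINITIONS):
        print("custom owner-equivalent role:", f)
    for f in inbound_from_rfc1918(NSGS):
        print("inbound allow from RFC-1918:", f)
```

To run it against a real tenant, replace the two embedded lists with `json.load` of the CLI output. Note that the role check looks only at role definitions; seeing who actually holds such a role needs a separate pull of role assignments, and the public 203.0.113.0/24 source in the sample is deliberately not reported because the control is about private ranges, not about exposure in general.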

Box

2 controls:
Control Title | Control Type | Risk Rating
Box – Collaborator permission on Folders | Least Privilege | Low
Box – External Collaborators with permission on Files | Least Privilege | High

JD Edwards

18 controls:
Control Title | Control Type | Risk Rating
Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical
Count of Applications by Role | Least Privilege | Medium
Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High
JDE – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High
Limit access that creates Segregation of Duties risk | IT General Controls, Least Privilege | High
Limit access to critical JD Edwards applications and reports | Least Privilege | High
Limit user accounts having access to super-user type functionality | Least Privilege | High
Monitor accounts with access to SOX critical applications | Least Privilege | High
Monitor configuration of *ALL | Least Privilege | High
Monitor configuration of *PUBLIC | Least Privilege | High
Monitor read-only Roles with write access | Least Privilege | Medium
Monitor unlocked stale accounts with no activity for more than 3 months | Least Privilege | Medium
Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High
Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High
Restrict application, action, row, column, processing option, tab and exit security as appropriate | Least Privilege | High
Restrict Users that have access to unsecured navigation aids in Production | Least Privilege | High
Restrict Users that have access to Object Workbench | Least Privilege | High
Restrict Users that have access to Security Workbench | Least Privilege | High

MS Dynamics GP

11 controls:
Control Title | Control Type | Risk Rating
Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical
Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High
Customer Account Maintenance – Critical Access | Least Privilege, Segregation of Duties | High
General Ledger Periods – Critical Access | Least Privilege, Segregation of Duties | High
General Ledger Setup – Critical Access | Least Privilege, Segregation of Duties | High
Maintain Chart of Accounts – Critical Access | Least Privilege, Segregation of Duties | High
MS Dynamics GP – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High
Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High
Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High
Receivables Setup – Critical Access | Least Privilege, Segregation of Duties | High
Set Up Payment – Critical Access | Least Privilege, Segregation of Duties | High

Office 365

1 control:
Control Title | Control Type | Risk Rating
All Users (membership) Access | Least Privilege | Medium

Oracle EBS

25 controls:
Control Title | Control Type | Risk Rating
Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical
Create Supplier – Critical Access | Least Privilege, Segregation of Duties | High
Limit access that creates Segregation of Duties risk | Least Privilege | High
Limit access to Alert Manager | Least Privilege | High
Limit access to configure Profile Options | Least Privilege | High
Limit access to critical Oracle EBS functions | Least Privilege | High
Limit access to SQL forms | Least Privilege | High
Limit access to User and System Profile Values Form | Least Privilege | High
Limit user accounts having access to super-user type functionality | Least Privilege | High
Monitor accounts assigned delivered EBS roles or responsibilities | Least Privilege | High
Monitor accounts with access to AZN Menus | Least Privilege | High
Monitor accounts with access to SOX Critical Functions | Least Privilege | High
Monitor accounts with access to Utilities: Diagnostics and Utilities: SQL Trace | Least Privilege | High
Monitor users with access to Order Entry Administrator | Least Privilege | High
Monitor read-only Responsibilities with write access | Least Privilege | Medium
Monitor users with access to Approvals Management Administrator | Least Privilege | High
Monitor users with access to Cash Management Setup | Least Privilege | High
Monitor users with access to Payments Setup Administrator | Least Privilege | High
Monitor users with access to Trading Community Architecture | Least Privilege | High
Monitor users with access to Workflow Administrator | Least Privilege | High
Oracle EBS – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High
Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High
Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High
Restrict Users that can develop concurrent programs | Least Privilege | High
Restrict Users with access to modify audit and logging | Least Privilege | High

Oracle ERP Cloud

3 controls:
Control Title | Control Type | Risk Rating
Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical
Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High
Oracle ERP Cloud – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High

PeopleSoft

35 controls:
Control Title | Control Type | Risk Rating
Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical
Count of non-Display Only pages by Permission List | Least Privilege | Medium
Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High
Customer Account Maintenance – Critical Access | Least Privilege, Segregation of Duties | High
Development – Critical Access | Least Privilege, Segregation of Duties | Critical
General Ledger Periods – Critical Access | Least Privilege, Segregation of Duties | High
General Ledger Setup – Critical Access | Least Privilege, Segregation of Duties | High
Limit access that creates Segregation of Duties risk | Least Privilege | High
Limit access to critical PeopleSoft menus and pages | Least Privilege | High
Limit access to use of Correction in authorized actions for component pages | Least Privilege | High
Limit user accounts having access to super-user type functionality | Least Privilege | High
Maintain Chart of Accounts – Critical Access | Least Privilege, Segregation of Duties | High
Maintain Hierarchies – Critical Access | Least Privilege, Segregation of Duties | High
Monitor PeopleSoft page access for under-utilization | Least Privilege | Medium
Monitor accounts assigned delivered PeopleSoft roles or permission lists | Least Privilege | High
Monitor accounts with access to SOX Critical Functions | Least Privilege | High
Monitor querying capabilities of users | Least Privilege | Medium
Monitor read-only Roles and Permission Lists with write access | Least Privilege | Medium
Monitor user primary permission lists and row security class | Least Privilege | High
Monitor users or roles with access to ALLPNLS or ALLPAGES and *PNLS Permission Lists | Least Privilege | High
Monitor users with access to Cash Management Setup | Least Privilege | High
Monitor users with access to delivered PeopleTools roles | Least Privilege | High
Monitor users with access to Payments Setup | Least Privilege | High
Monitor users with the ability to add or update vendors in their User Preferences settings | Least Privilege | High
Monitor users with the ability to post journal entries in their User Preferences settings | Least Privilege | High
Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High
PeopleSoft – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High
Purchasing Setup – Critical Access | Least Privilege, Segregation of Duties | High
Receivables Setup – Critical Access | Least Privilege, Segregation of Duties | High
Restrict Users that have access to development tools in Production | Least Privilege | High
Restrict Users that have access to integration tools in Production | Least Privilege | High
Restrict Users that have access to reporting and analysis tools in Production | Least Privilege | High
Restrict Users that have access to the Maintain Security menu | Least Privilege | High
Restrict Users that have access to Utilities in Production | Least Privilege | High
Set Up Payment – Critical Access | Least Privilege, Segregation of Duties | High

Salesforce

9 controls:
Control Title | Control Type | Risk Rating
Manual Sharing of object records to Internal Users | Least Privilege | Medium
Permission Sets with High Risk Permissions | Least Privilege | High
Permission Sets with Modify All Data Permissions | Least Privilege | High
Permission Sets with View All Data Permissions | Least Privilege | High
Profiles with High Risk Permissions | Least Privilege | High
Profiles with Modify All Data Permissions | Least Privilege | High
Profiles with View All Data Permissions | Least Privilege | High
Salesforce – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High
Users with high risk permissions | Identity Governance, Least Privilege | High

SAP

63 controls:
Control Title | Control Type | Risk Rating
Basis Archiving Actions – Critical Access | Least Privilege, Segregation of Duties | High
Basis Configuration Actions – Critical Access | Least Privilege, Segregation of Duties | High
Basis Critical Actions – Critical Access | Least Privilege, Segregation of Duties | High
Basis Performance Actions – Critical Access | Least Privilege, Segregation of Duties | High
Monitor dialog users with the number of authorization objects | Least Privilege | Medium
Enabler Roles (Organizational access) with transactions | Least Privilege | High
Monitor accounts having access to Sensitive Data Screens (e.g. BOM) critical transactions | Least Privilege | High
Monitor critical transactions usage counts | Least Privilege | High
Monitor critical transactions usage, role assignment and role-user assignment | Least Privilege | High
Monitor InfoProviders containing Company Code as the only characteristic | Least Privilege | High
Monitor InfoProviders that do not contain any of the characteristics | Least Privilege | Medium
Monitor InfoProviders (with queries) containing characteristics (key fields for security) where company code is not part of the selection criteria | Least Privilege | High
Monitor InfoCubes secured by Profit Center/Company Code | Least Privilege | Medium
Monitor queries restricted by Company Code and their usage in the InfoProvider list | Least Privilege | High
Monitor queries restricted by Company Code/Profit Center and their usage | Least Privilege | High
Monitor queries that are not restricted by Profit Center/Company Code | Least Privilege | High
Monitor Roles with selected authorization objects (), fields () and values () | Least Privilege | Medium
Monitor Roles with Company Code (BUKRS) and Profit Center as wildcards (*) | Least Privilege | High
Monitor roles with manually inserted authorizations that replace or append to the suggested standard authorizations | Least Privilege | Medium
Monitor Roles with * (or pseudo wildcards) that give complete or excessive access | Least Privilege | Medium
Monitor Roles with organizational access such as postings to legal entities | Least Privilege | Medium
Monitor Roles with the number of unused transactions | Least Privilege | Medium
Monitor Roles with their count of unused transactions | Least Privilege | High
Monitor Roles with a wildcard (*) activity value, which provides all levels of access (create/change/delete, etc.) | Least Privilege | Medium
Monitor S2P or R2R roles and accounts with usage | Least Privilege | High
Monitor Source to Pay (S2P) or Record to Report (R2R) roles with their child roles or transactions | Least Privilege | High
Monitor transactions associated with more than one role | Least Privilege | Medium
Monitor Transactions not used in the last () days | Least Privilege | Medium
Monitor transactions with their security status | Least Privilege | Medium
Monitor unused transactions with their associated Roles | Least Privilege | Medium
Monitor users and user groups that can process asset write-offs | Least Privilege | High
Monitor users and user groups that can create customer master records | Least Privilege | High
Monitor users and user groups that can create material master records | Least Privilege | High
Monitor users and user groups that can create Vendor master records | Least Privilege | High
Monitor users and user groups that can perform security administration activities – Role Maintenance | Least Privilege | High
Monitor users and user groups that can perform security administration activities – user master maintenance | Least Privilege | High
Monitor users and user groups that can post depreciation | Least Privilege | High
Monitor users and user groups that can process payments to vendors | Least Privilege | High
Monitor users and user groups that can process returns/refunds | Least Privilege | High
Monitor users and user groups that can process Sales Orders | Least Privilege | High
Monitor users and user groups that can create asset master records | Least Privilege | High
Monitor users and user groups that perform invoice processing (from Vendors) | Least Privilege | High
Monitor users and user groups with access to significant financial reporting transactions/financial statements | Least Privilege | High
Monitor users by their positions/titles with process (OTC/STP/FIN, etc.) role assignments | Least Privilege | High
Monitor users executing Business Intelligence (BI) reports | Least Privilege | Medium
Monitor users not in selected user group () having access to transactions () with change/update ability | Least Privilege | High
Monitor users and user groups that approve invoices | Least Privilege | High
Monitor users that approve purchase orders | Least Privilege | High
Monitor users that can post journal entries | Least Privilege | High
Monitor users and user groups that create Bank master data | Least Privilege | High
Monitor users and user groups that can perform treasury operations | Least Privilege | High
Monitor users that process purchase orders | Least Privilege | High
Monitor users who are assigned SAP Standard template Roles | Least Privilege | High
Monitor users with access to high risk SOX critical transactions | Least Privilege | High
Monitor users with access to Joint Ventures Data | Least Privilege | High
Monitor users with access to program maintenance and ABAP Workbench | Least Privilege | Critical
Monitor users with access to system administration transactions | Least Privilege | Critical
Monitor users with change permissions in critical authorization objects such as S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB, S_BTCH_ADM | Least Privilege | Critical
Monitor users with Company Code (BUKRS) and Profit Center (PRCTR) as wildcards (*), which allows all levels of access | Least Privilege | High
Monitor users with Security Maintenance transactions | Least Privilege | Critical
Review read-only roles with write/execute/change access | Least Privilege | High
SAP – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High
Usage history for transaction(s) () and/or user(s) () | Least Privilege | High

SAP HANA

56 controls:
Control Title | Control Type | Risk Rating
Enabler Roles (Organizational access) with transactions | Least Privilege | High
Monitor accounts having access to Sensitive Data Screens (e.g. BOM) critical transactions | Least Privilege | High
Monitor critical transactions usage counts | Least Privilege | High
Monitor critical transactions usage, role assignment and role-user assignment | Least Privilege | High
Monitor dialog users with the number of authorization objects | Least Privilege | Medium
Monitor InfoProviders containing Company Code as the only characteristic | Least Privilege | High
Monitor InfoProviders that do not contain any of the characteristics | Least Privilege | Medium
Monitor InfoProviders (with queries) containing characteristics (key fields for security) where company code is not part of the selection criteria | Least Privilege | High
Monitor InfoCubes secured by Profit Center/Company Code | Least Privilege | Medium
Monitor queries restricted by Company Code and their usage in the InfoProvider list | Least Privilege | High
Monitor queries restricted by Company Code/Profit Center and their usage | Least Privilege | High
Monitor queries that are not restricted by Profit Center/Company Code | Least Privilege | High
Monitor Roles with Company Code (BUKRS) and Profit Center as wildcards (*) | Least Privilege | High
Monitor roles with manually inserted authorizations that replace or append to the suggested standard authorizations | Least Privilege | Medium
Monitor Roles with * (or pseudo wildcards) that give complete or excessive access | Least Privilege | Medium
Monitor Roles with organizational access such as postings to legal entities | Least Privilege | Medium
Monitor Roles with selected authorization objects (), fields () and values () | Least Privilege | Medium
Monitor Roles with the number of unused transactions | Least Privilege | Medium
Monitor Roles with their count of unused transactions | Least Privilege | High
Monitor Roles with a wildcard (*) activity value, which provides all levels of access (create/change/delete, etc.) | Least Privilege | Medium
Monitor S2P or R2R roles and accounts with usage | Least Privilege | High
Monitor Source to Pay (S2P) or Record to Report (R2R) roles with their child roles or transactions | Least Privilege | High
Monitor transactions associated with more than one role | Least Privilege | Medium
Monitor Transactions not used in the last () days | Least Privilege | Medium
Monitor transactions with their security status | Least Privilege | Medium
Monitor unused transactions with their associated Roles | Least Privilege | Medium
Monitor users and user groups that approve invoices | Least Privilege | High
Monitor users and user groups that can process asset write-offs | Least Privilege | High
Monitor users and user groups that can create asset master records | Least Privilege | High
Monitor users and user groups that can create customer master records | Least Privilege | High
Monitor users and user groups that can create material master records | Least Privilege | High
Monitor users and user groups that can create Vendor master records | Least Privilege | High
Monitor users and user groups that can perform security administration activities – Role Maintenance | Least Privilege | High
Monitor users and user groups that can perform security administration activities – user master maintenance | Least Privilege | High
Monitor users and user groups that can perform treasury operations | Least Privilege | High
Monitor users and user groups that can post depreciation | Least Privilege | High
Monitor users and user groups that can process payments to vendors | Least Privilege | High
Monitor users and user groups that can process returns/refunds | Least Privilege | High
Monitor users and user groups that can process Sales Orders | Least Privilege | High
Monitor users and user groups that create Bank master data | Least Privilege | High
Monitor users and user groups that perform invoice processing (from Vendors) | Least Privilege | High
Monitor users and user groups with access to significant financial reporting transactions/financial statements | Least Privilege | High
Monitor users by their positions/titles with process (OTC/STP/FIN, etc.) role assignments | Least Privilege | High
Monitor users executing Business Intelligence (BI) reports | Least Privilege | Medium
Monitor users not in selected user group () having access to transactions () with change/update ability | Least Privilege | High
Monitor users that approve purchase orders | Least Privilege | High
Monitor users that process purchase orders | Least Privilege | High
Monitor users who are assigned SAP Standard template Roles | Least Privilege | High
Monitor users with access to high risk SOX critical transactions | Least Privilege | High
Monitor users with access to Joint Ventures Data | Least Privilege | High
Monitor users with access to program maintenance and ABAP Workbench | Least Privilege | Critical
Monitor users with access to system administration transactions | Least Privilege | Critical
Monitor users with change permissions in critical authorization objects such as S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB, S_BTCH_ADM | Least Privilege | Critical
Monitor users with Company Code (BUKRS) and Profit Center (PRCTR) as wildcards (*), which allows all levels of access | Least Privilege | High
Monitor users with Security Maintenance transactions | Least Privilege | Critical
Usage history for transaction(s) () and/or user(s) () | Least Privilege | High
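Several of the role-level checks in the SAP and SAP HANA lists above reduce to scanning role authorization data. The following Python is an added example (not part of the control catalog) that implements two of them: roles with Company Code (BUKRS) or Profit Center (PRCTR) set to a wildcard or pseudo wildcard, and roles with change-capable values in the critical authorization objects S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB and S_BTCH_ADM. It runs over a constructed extract shaped like table AGR_1251 (role, authorization object, field, LOW/HIGH value, deletion flag). The pseudo-wildcard heuristic, the treatment of ACTVT 03 as the only display-level activity, and the placeholder object name Z_PCA_POST are this example's assumptions, not the catalog's definitions.

```python
"""Two SAP role-authorization checks over an AGR_1251-style extract (added
example, not from the control catalog). Rows carry the AGR_1251 columns
AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED; the rows below are constructed."""
import re

# Authorization objects the catalog names as critical for change access.
CRITICAL_OBJECTS = {"S_PROGRAM", "S_DEVELOP", "S_TABU_DIS", "S_TABU_CLI", "S_BTCH_JOB", "S_BTCH_ADM"}
# Organizational-level fields whose wildcard value removes the legal-entity boundary.
ORG_FIELDS = {"BUKRS", "PRCTR"}
DISPLAY_ONLY = {"03"}  # ACTVT 03 = display; assumption: every other activity is change-capable

# Constructed sample extract. Z_PCA_POST is a placeholder object name, not a delivered one.
AGR_1251 = [
    {"AGR_NAME": "Z_FI_CLERK", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "1000", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_FI_CLERK", "OBJECT": "F_BKPF_BUK", "FIELD": "ACTVT", "LOW": "01", "HIGH": "03", "DELETED": ""},
    {"AGR_NAME": "Z_FI_SUPER", "OBJECT": "F_BKPF_BUK", "FIELD": "BUKRS", "LOW": "*", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_FI_SUPER", "OBJECT": "Z_PCA_POST", "FIELD": "PRCTR", "LOW": "", "HIGH": "ZZZZZZZZZZ", "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_DEV", "OBJECT": "S_DEVELOP", "FIELD": "ACTVT", "LOW": "*", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_BASIS_DEV", "OBJECT": "S_TABU_CLI", "FIELD": "CLIIDMAINT", "LOW": "X", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_TABLE_VIEW", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "03", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_OLD_ROLE", "OBJECT": "S_DEVELOP", "FIELD": "ACTVT", "LOW": "02", "HIGH": "", "DELETED": "X"},
]


def is_wildcard(low: str, high: str) -> bool:
    """'*' is the real wildcard. A LOW..HIGH range that starts at the lowest
    sortable value ('' / zeros / 'A') and ends in all Z's or 9's behaves like
    one and is treated as a pseudo wildcard (heuristic chosen for this example)."""
    if low == "*":
        return True
    return bool(high) and re.fullmatch(r"[0A]*", low) is not None and re.fullmatch(r"[Z9]+", high) is not None


def active_rows(rows):
    """Rows flagged DELETED='X' remain in the table but are no longer in the profile."""
    return [r for r in rows if r.get("DELETED") != "X"]


def activity_values(low: str, high: str) -> set:
    """Expand an ACTVT value or numeric range into the activity codes it covers;
    a non-numeric range is reported as-is rather than guessed at."""
    if low == "*":
        return {"*"}
    if high and low.isdigit() and high.isdigit():
        return {f"{n:02d}" for n in range(int(low), int(high) + 1)}
    return {f"{low}..{high}"} if high else {low}


def roles_with_org_wildcards(rows):
    """Roles whose BUKRS/PRCTR values are '*' or a pseudo wildcard -> {role: [object.field]}."""
    out = {}
    for r in active_rows(rows):
        if r["FIELD"] in ORG_FIELDS and is_wildcard(r["LOW"], r["HIGH"]):
            out.setdefault(r["AGR_NAME"], set()).add(f"{r['OBJECT']}.{r['FIELD']}")
    return {k: sorted(v) for k, v in sorted(out.items())}


def roles_with_critical_change_access(rows):
    """Roles with a non-display ACTVT in a critical object, or S_TABU_CLI
    CLIIDMAINT=X (cross-client table maintenance) -> {role: [finding]}."""
    out = {}
    for r in active_rows(rows):
        if r["OBJECT"] not in CRITICAL_OBJECTS:
            continue
        if r["FIELD"] == "ACTVT":
            acts = activity_values(r["LOW"], r["HIGH"]) - DISPLAY_ONLY
            if acts:
                out.setdefault(r["AGR_NAME"], set()).add(f"{r['OBJECT']} ACTVT={','.join(sorted(acts))}")
        elif r["OBJECT"] == "S_TABU_CLI" and r["FIELD"] == "CLIIDMAINT" and r["LOW"] == "X":
            out.setdefault(r["AGR_NAME"], set()).add("S_TABU_CLI CLIIDMAINT=X")
    return {k: sorted(v) for k, v in sorted(out.items())}


if __name__ == "__main__":
    print("org-level wildcards:", roles_with_org_wildcards(AGR_1251))
    print("critical change access:", roles_with_critical_change_access(AGR_1251))
```

Role-level findings are only half of the user-level controls in the list: to get from "role Z_FI_SUPER has BUKRS=*" to "user X can post to every company code", join the flagged roles against the user-role assignment table (AGR_USERS) and, for composite roles, resolve child roles first. Deleted rows are skipped deliberately because a stale DELETED='X' row in an extract would otherwise produce a false positive.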

Workday

8 controls:
Control Title | Control Type | Risk Rating
Access Administration – Critical Access | Least Privilege, Segregation of Duties | Critical
Application Administrator – Critical Access | Least Privilege, Segregation of Duties | Critical
Create Suppliers – Critical Access | Least Privilege, Segregation of Duties | High
Customer Account Maintenance – Critical Access | Least Privilege, Segregation of Duties | High
Development – Critical Access | Least Privilege, Segregation of Duties | Critical
General Ledger Setup – Critical Access | Least Privilege, Segregation of Duties | High
Payables Setup – Critical Access | Least Privilege, Segregation of Duties | High
Workday – Govern Access to Critical Roles | Identity Governance, IT General Controls, Least Privilege | High