If a junior accountant can access the HR salary file, or a receptionist can modify customer pricing, mistakes or theft become easy—and you may not notice until damage is done. In 2022, a Delhi textile export company lost ₹18 lakhs when a disgruntled junior given 'admin access' deleted customer orders. Banks and large customers now ask Indian suppliers: 'Can you prove new hires only got the access they need?' If you can't answer clearly, you lose contracts. Regulatory audits under DPDP and CERT-In guidelines also flag excessive access as a major risk.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
| Level | What it looks like |
|---|---|
| Absent | You find that when someone joins, they either get access to everything 'to be safe' or access is given ad-hoc based on whoever remembers to call IT. There's no written record of who has what access or why. |
| Initial | You have a basic list of what access each job role should have (e.g., 'Accountant gets financial software, not HR'), but you don't check whether people actually stick to it or whether leavers still have old access. |
| Developing | When someone new joins, you deliberately grant only the access they need based on a simple checklist for their role, and you've started removing access for people who move to different jobs—but there's no formal process documented and nobody's checking it regularly. |
| Defined | You have a written, approved access policy for each job role, a handover checklist for new joiners and leavers, and every quarter you spot-check that people's actual access matches what they should have—fixes are logged. |
| Managed | Your access control is managed in a system (even a spreadsheet with proper version control); role definitions are clear and reviewed annually; every user activity is logged; and violations are caught quickly and investigated. |
| Optimised | Access requests go through a formal workflow with manager approval; access is automatically provisioned and de-provisioned based on employee status; all access changes are logged with justification; quarterly reviews are automated and exceptions are flagged immediately for investigation. |
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a one-page table listing each job role (e.g., Accountant, HR Manager, Sales Person) and write down which systems and file folders they should access (e.g., 'Accountant gets QuickBooks, NOT payroll records') | Owner or IT Lead | 1–2 days |
| 1 → 2 | Write a simple one-page 'New Joiner Checklist' that says: Manager fills in the employee's role → IT grants access from the approved list → Manager and IT sign off. Use this for the next new hire; keep the signed checklist in a folder. | Owner/HR + IT Lead | 3–5 days |
| 2 → 3 | Formalise the access policy into a 2–3 page document (roles, access rules, approval process, removal process). Get it signed by the owner. Create a 'Leaver Checklist' that ensures access is removed when someone leaves or moves roles. Train all managers on the process. | Owner + IT Lead + HR | 2–3 weeks |
| 3 → 4 | Move access records into a simple tracking system (e.g., Google Sheet with restricted edit access, or low-cost IAM tool). Set up a quarterly access review: pull a list of who has what, manager confirms it's still correct, document findings and fixes. | IT Lead | 4–6 weeks |
| 4 → 5 | Implement automated provisioning (e.g., when HR marks someone as 'joined', systems automatically grant pre-defined role access; when they're marked 'left', access auto-removes). Add real-time alerting for unusual access patterns. Review and update role definitions annually. | IT Lead or external consultant | Ongoing quarterly review + annual update |
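One way to run the quarterly review in step 3 → 4 (and the leaver check that step 4 → 5 automates) is a short script that reconciles the access registry against the approved role table. This is an added example, not part of the NIRMATA material; the role names, system names and registry rows are constructed sample data.

```python
# Added example: quarterly least-privilege access review.
# Reconciles an access registry export ("who has what") against the approved
# role-to-system table and HR status, and lists exceptions for managers to confirm.
# All role names, system names and registry rows below are constructed samples.
import csv
import io

# Approved access per role (the one-page table from step 0 -> 1), as an assumption.
ROLE_POLICY = {
    "Accountant": {"QuickBooks", "Shared-Finance"},
    "HR Manager": {"Payroll", "HR-Files"},
    "Sales Person": {"CRM", "Pricing-Sheet"},
    "Receptionist": {"Visitor-Log"},
}

# Constructed registry export: one row per user, systems separated by ';'.
ACCESS_REGISTRY = """\
user,role,status,systems
asha,Accountant,active,QuickBooks;Shared-Finance
ravi,Receptionist,active,Visitor-Log;Pricing-Sheet
meena,HR Manager,left,Payroll;HR-Files
kiran,Sales Person,active,CRM
dev,Intern,active,QuickBooks
"""

def review_access(registry_csv, policy):
    """Return a list of (user, issue) exceptions for the quarterly review.

    Three checks: leavers who still hold any access (leaver checklist gap),
    active users whose role has no approved access list, and active users
    holding systems beyond what their role allows (excess privilege).
    Holding less than the role allows is not flagged.
    """
    exceptions = []
    for row in csv.DictReader(io.StringIO(registry_csv)):
        held = {s for s in row["systems"].split(";") if s}
        if row["status"] != "active":
            if held:
                exceptions.append((row["user"], f"leaver still has: {sorted(held)}"))
            continue
        allowed = policy.get(row["role"])
        if allowed is None:
            exceptions.append((row["user"], f"role '{row['role']}' has no approved access list"))
            continue
        excess = held - allowed
        if excess:
            exceptions.append((row["user"], f"excess beyond role: {sorted(excess)}"))
    return exceptions

if __name__ == "__main__":
    for user, issue in review_access(ACCESS_REGISTRY, ROLE_POLICY):
        print(f"{user}: {issue}")
```

Save the output alongside the manager sign-off as the review record; a real export from a Google Sheet or IAM tool only needs the same four columns.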
Documents and records that prove your maturity level.
- A written 'Access Control Policy' or document that lists job roles and what systems/files each role should access
- A filled-in 'New Joiner Access Checklist' signed by manager and IT for at least the last 2–3 hires, showing what access was granted and when
- A 'Leaver/Role Change Checklist' showing that access was removed when employees left or moved to different jobs
- A record or log (spreadsheet or system report) showing current user accounts and their assigned role-based access, last updated within the past 3 months
- Minutes or sign-off from a quarterly access review meeting where managers confirmed that their team's access is still appropriate
Prepare for these questions from customers or third-party reviewers.
- "Show me your policy on how new users are granted access. How do you decide what each person should be able to do?"
- "Pick a random employee who joined in the last 6 months. Show me the documentation proving that access was approved by their manager before being granted."
- "How do you remove access when someone leaves the company or moves to a different role? Show me an example from the last 3 months."
- "When was the last time you reviewed whether people's actual system access matches what they should have? Show me the results and any changes you made."
- "If I asked you right now, could you list all active user accounts and what each person can access? How current is that list?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Document and track access policies and role definitions | Google Docs (create template) + Google Sheets (access registry spreadsheet); Microsoft Word + Excel if you use Office | PolicyKit or similar document management tool: ₹5,000–15,000/year |
| Manage user access and permissions across systems (identity and access management) | Keycloak (open-source, self-hosted); basic directory services if you use Windows Server (included with license) | Okta: ₹50,000–200,000/year; Microsoft Entra ID (Azure AD): ₹2,000–5,000 per 10 users/month; OneLogin: ₹40,000–150,000/year |
| Log and monitor user activities and access changes | Windows Event Viewer (built-in); server logs; basic file access auditing | Splunk: ₹200,000+/year; ManageEngine Log360: ₹100,000–250,000/year; Datadog: ₹50,000–300,000/year depending on volume |
- Giving everyone admin or power-user access 'to avoid ticket requests later'—this is the biggest mistake. Training the team on role-based access takes 1–2 weeks upfront but saves months of security headaches.
- Forgetting to remove access when someone leaves or moves teams. The easiest fix: make 'remove all access' part of the final exit interview checklist, and have IT verify it's done before the person's last day.
- Not documenting who approved what access and why. When an auditor asks 'Why does this person have access to payroll?', if you can't show a manager's approval, you fail. Keep every access request and sign-off, even if it's just an email.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (accountability) and Schedule 2 (baseline security practices) require principle of least privilege for data access |
| CERT-In 2022 | Direction 4 requires user access control and removal of access for employees no longer needing it |
| ISO 27001:2022 | Annex A.5.3 (segregation of duties) and A.6.2 (user access provisioning and de-provisioning) |
| NIST CSF 2.0 | Govern (GV) and Protect (PR) functions; specifically PR.AC-1 (manage physical/logical access) |