Evidence – AC.L2-3.1.2
Limit System Access to Authorized Transactions and Functions
Control Overview
This document describes the evidence used to demonstrate implementation of AC.L2-3.1.2, which requires system access to be limited to the transactions and functions authorized for each user.
This evidence supports the control response documented in the System Security Plan (SSP).
Evidence Objectives
Evidence for this control demonstrates that:
- User access privileges are defined by role
- Users can perform only authorized functions
- Administrative and privileged functions are restricted
- Access privileges are reviewed and maintained
Evidence Artifacts
1. Role Definitions
Evidence demonstrating defined access privileges may include:
- Role definition documentation
- Role-to-function mapping tables
- Administrative role descriptions
Examples of acceptable sources: - Access control policy - Role and responsibility matrix - Identity provider role definitions
2. Role Assignments
Evidence demonstrating enforced access privileges may include:
- User-to-role assignment listings
- Group membership records
- Application permission assignments
Examples of acceptable sources: - Microsoft Entra ID group membership - Google Workspace admin role assignments - Application access configuration screens
3. Privileged Access Restrictions
Evidence demonstrating restricted privileged functions may include:
- Administrative account listings
- Privileged role membership records
- Approval records for elevated access
Examples of acceptable sources: - Entra ID privileged role assignments - Google Workspace super admin role listings - Privileged access approval documentation
4. Access Reviews
Evidence demonstrating ongoing enforcement may include:
- Periodic access review records
- Role change documentation
- Removal or modification of excess privileges
Evidence Retention
Evidence supporting this control is retained in accordance with organizational policy and contractual requirements and is available for review during assessment.
Notes
This document identifies example evidence artifacts only. Organizations may use different tools or platforms provided the same objectives are met and evidence is available.