Cyber Essentials

User Access Control: Right People, Right Access

User access control ensures that only authorised individuals can access your systems and data—and that their access is limited to what they actually need. This control helps prevent both external attackers and insider threats from reaching sensitive resources.

Key Takeaways

| Point | Summary |
|---|---|
| Unique accounts | Each user must have their own account; no shared accounts |
| Least privilege | Users should have the minimum access needed for their role |
| Admin restrictions | Admin accounts only for admin tasks; no email or browsing with admin accounts |
| MFA recommended | Multi-factor authentication for cloud services and admin accounts |
| Remove leavers promptly | Disable accounts when staff leave or change roles |

Quick Answer: Cyber Essentials requires unique user accounts with least-privilege access. Admin accounts should only be used for admin tasks. MFA is strongly recommended for cloud services. Remove access promptly when employees leave.

Why access control matters

Poor access control is a common factor in breaches. When everyone has admin rights, a single compromised account can give attackers access to everything.

Without proper access control:

  • All users have admin rights
  • Shared accounts hide accountability
  • Ex-employees may still have access
  • Malware runs with full privileges
  • One breach can mean total compromise

With proper access control:

  • Users have only the access they need
  • Individual accounts provide accountability
  • Leavers are removed promptly
  • Malware is limited to user-level access
  • Breaches are contained to affected accounts

What Cyber Essentials requires

Core requirements

| Requirement | Details |
|---|---|
| User authentication | All accounts must authenticate before access |
| Unique accounts | Each user has their own account |
| Appropriate privileges | Users only have the access they need |
| Admin account control | Minimise and control admin accounts |
| Account lifecycle | Process for creating and removing accounts |

Authentication requirements

| Aspect | Requirement |
|---|---|
| Password minimum | 8 characters (12+ recommended) |
| Or passphrase | Minimum 12 characters |
| Or MFA | Multi-factor authentication instead of a longer password |
| Account lockout | Enable after failed attempts |
| Biometrics | Acceptable with device-stored template |

Implementing access control

Step 1: Establish account policy

Define your account management approach:

Account types:

  • Standard user accounts: For day-to-day work, no admin privileges, used for email, browsing, and applications

  • Administrative accounts: For system administration only, not for email or browsing, named individuals (not generic), higher authentication requirements

  • Service accounts: For application or service use, strong unique passwords, minimum required privileges, regular review and rotation

Account lifecycle:

  • Creation: Approved, documented, minimum access
  • Modification: Approved changes only
  • Review: Regular access reviews
  • Removal: Prompt deactivation on departure

Step 2: Apply least privilege

Users should have the minimum access needed for their role:

| Role | Typical Access Level |
|---|---|
| Standard employee | Standard user, job-specific applications |
| IT support | Standard user + specific admin tools |
| System administrator | Admin account (separate from daily use) |
| Finance | Standard user + finance applications |
| HR | Standard user + HR systems |

Step 3: Separate admin and standard accounts

People who need admin access should have two accounts:

Standard account (e.g., john.smith):

  • Used for email, browsing, documents
  • Standard user access level
  • Password meeting company policy
  • Daily use account

Admin account (e.g., john.smith.admin):

  • Used for admin tasks only
  • Administrative access level
  • Stronger password + MFA recommended
  • Not for daily use—admin tasks only

Why separate accounts?

  • Limits exposure of admin credentials
  • Malware from browsing or email runs as standard user
  • Phishing is less likely to compromise admin credentials
  • Audit trail distinguishes admin actions
  • Forces conscious decision to elevate privileges

Step 4: Configure authentication

Set appropriate authentication requirements:

| Setting | Cyber Essentials Minimum | Recommended |
|---|---|---|
| Password length | 8 characters | 12+ characters |
| Complexity | Or passphrase | Passphrase recommended |
| MFA | Reduces length requirement | Enable for all admin accounts |
| Lockout | Enable | 5-10 failed attempts |
| History | Not specified | Prevent password reuse |
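The authentication rules in the Step 4 table can be turned into a small policy check so that password changes and logon attempts are tested consistently. The following is an added example, not code from the original page or from Bastion. It uses the page's figures (8-character minimum, 12+ recommended, lockout at the lower end of the 5-10 range) and assumes a password-history depth of 5 and SHA-256 for the demo's reuse check, both of which are assumptions; a production system would store salted, slow hashes.

```python
"""Authentication policy checks modelled on the Step 4 table (added example)."""
import hashlib
from dataclasses import dataclass, field

CE_MINIMUM_LENGTH = 8      # Cyber Essentials minimum password length
RECOMMENDED_LENGTH = 12    # recommended length; also the passphrase minimum
LOCKOUT_THRESHOLD = 5      # lower end of the page's "5-10 failed attempts"
PASSWORD_HISTORY = 5       # assumed history depth for "prevent password reuse"


def evaluate_password(secret: str, mfa_enabled: bool) -> dict:
    """Classify a candidate secret against the minimum and recommended rows.

    Minimum: at least 8 characters.
    Recommended: 12+ characters (a passphrase), or MFA enabled, which the page
    says reduces the length requirement.
    """
    length = len(secret)
    meets_minimum = length >= CE_MINIMUM_LENGTH
    meets_recommended = meets_minimum and (mfa_enabled or length >= RECOMMENDED_LENGTH)
    advice = []
    if not meets_minimum:
        advice.append(f"too short: {length} < {CE_MINIMUM_LENGTH} characters")
    elif not meets_recommended:
        advice.append(f"use a {RECOMMENDED_LENGTH}+ character passphrase or enable MFA")
    return {"meets_minimum": meets_minimum,
            "meets_recommended": meets_recommended,
            "advice": advice}


@dataclass
class AccountAuthState:
    """Per-account state for lockout and password-history enforcement."""
    failed_attempts: int = 0
    locked: bool = False
    previous_hashes: list = field(default_factory=list)


def record_login_attempt(state: AccountAuthState, success: bool) -> bool:
    """Update the failure counter; return True if the account is now locked.

    A locked account stays locked until an administrator unlocks it, so a
    later correct password does not reset the state on its own.
    """
    if state.locked:
        return True
    if success:
        state.failed_attempts = 0
        return False
    state.failed_attempts += 1
    if state.failed_attempts >= LOCKOUT_THRESHOLD:
        state.locked = True
    return state.locked


def change_password(state: AccountAuthState, new_secret: str, mfa_enabled: bool = False) -> bool:
    """Accept a new password only if it meets the minimum and is not a recent reuse."""
    if not evaluate_password(new_secret, mfa_enabled)["meets_minimum"]:
        return False
    digest = hashlib.sha256(new_secret.encode()).hexdigest()  # demo only, not salted
    if digest in state.previous_hashes[-PASSWORD_HISTORY:]:
        return False
    state.previous_hashes.append(digest)
    return True


if __name__ == "__main__":
    print(evaluate_password("Summer2024", mfa_enabled=False))
    s = AccountAuthState()
    print([record_login_attempt(s, False) for _ in range(LOCKOUT_THRESHOLD)])
```

Running the block shows that a 10-character password passes the minimum but not the recommended row until MFA is enabled, and that the fifth failed attempt locks the account.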

Step 5: Manage account lifecycle

Establish processes for account changes:

New starter (joiner):

  • HR notifies IT of new employee
  • Manager requests appropriate access level
  • Account created with minimum necessary access
  • User receives credentials securely
  • Access granted is documented

Role change (mover):

  • Manager requests access change
  • Review current and new requirements
  • Add access needed for new role
  • Remove access no longer needed
  • Changes documented

Departure (leaver):

  • HR notifies IT promptly
  • Account disabled immediately
  • Review for any shared credentials
  • Archive if needed for compliance
  • Delete after retention period
  • Removal documented
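The joiner/mover/leaver steps above, together with the role table from Step 2, can be expressed as a small account-lifecycle model in which every change is approved, recorded and limited to what the role needs. This is an added example, not code from the original page or from Bastion. The entitlement labels, the `.admin` naming convention for a system administrator's separate account, and the 90-day retention period before deletion are assumptions made for the example.

```python
"""Joiner/mover/leaver model with least-privilege role mappings (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Role -> entitlements, following the Step 2 table; labels are constructed.
ROLE_ACCESS = {
    "Standard employee": {"standard-user", "job-applications"},
    "IT support": {"standard-user", "job-applications", "helpdesk-admin-tools"},
    "System administrator": {"standard-user", "job-applications"},  # plus a separate admin account
    "Finance": {"standard-user", "job-applications", "finance-applications"},
    "HR": {"standard-user", "job-applications", "hr-systems"},
}
ROLES_WITH_ADMIN_ACCOUNT = {"System administrator"}
RETENTION_DAYS = 90  # assumed retention before a disabled leaver account is deleted


@dataclass
class Account:
    username: str
    role: str
    entitlements: set
    enabled: bool = True
    admin_account: Optional[str] = None   # separate named admin account, if the role needs one
    delete_after: Optional[date] = None
    history: list = field(default_factory=list)  # audit trail of approved changes


def joiner(username: str, role: str, approved_by: str, on: date) -> Account:
    """Create an account with the minimum access for the role (documented)."""
    if role not in ROLE_ACCESS:
        raise ValueError(f"unknown role: {role}")
    admin = f"{username}.admin" if role in ROLES_WITH_ADMIN_ACCOUNT else None
    account = Account(username, role, set(ROLE_ACCESS[role]), admin_account=admin)
    account.history.append((on, "created", role, approved_by))
    return account


def mover(account: Account, new_role: str, approved_by: str, on: date) -> dict:
    """Move to a new role: add what the new role needs, remove what it does not."""
    if not account.enabled:
        raise ValueError("cannot change role of a disabled account")
    if new_role not in ROLE_ACCESS:
        raise ValueError(f"unknown role: {new_role}")
    wanted = ROLE_ACCESS[new_role]
    added = wanted - account.entitlements
    removed = account.entitlements - wanted
    account.entitlements = set(wanted)
    account.role = new_role
    if new_role in ROLES_WITH_ADMIN_ACCOUNT and account.admin_account is None:
        account.admin_account = f"{account.username}.admin"
    elif new_role not in ROLES_WITH_ADMIN_ACCOUNT:
        account.admin_account = None   # admin account removed with the old role
    account.history.append((on, "role-change", new_role, approved_by))
    return {"added": added, "removed": removed}


def leaver(account: Account, on: date, notified_by: str = "HR") -> Account:
    """Disable immediately, strip access, and schedule deletion after retention."""
    account.enabled = False
    account.entitlements = set()
    account.admin_account = None
    account.delete_after = on + timedelta(days=RETENTION_DAYS)
    account.history.append((on, "disabled", "leaver", notified_by))
    return account


if __name__ == "__main__":
    a = joiner("jane.doe", "Finance", "finance-manager", date(2024, 1, 8))
    print(mover(a, "HR", "hr-manager", date(2024, 6, 3)))
    print(leaver(a, date(2024, 9, 30)))
```

The mover step is the one most often done badly in practice: access accumulates because nobody removes the old role's entitlements. Computing `removed` as a set difference makes that removal explicit and reviewable.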

Admin account best practices

Minimising admin accounts

| Principle | Implementation |
|---|---|
| Minimum number | Only those who genuinely need admin access |
| Named accounts | No generic 'Administrator' or 'Admin' accounts |
| Documented | List of who has admin access and why |
| Regular review | Quarterly review of admin access |
| Justified | Business reason for each admin account |

Protecting admin accounts

| Protection | Implementation |
|---|---|
| Strong authentication | MFA strongly recommended |
| Separate credentials | Different password from the standard account |
| Limited use | Not used for email or browsing |
| Monitoring | Log and review admin activities |
| Privileged workstations | Consider for high-security environments |

Access control audit

Regular reviews

| Review | Suggested Frequency | Action |
|---|---|---|
| User access appropriateness | Quarterly | Verify access matches role |
| Admin account inventory | Quarterly | Validate each admin account |
| Inactive accounts | Monthly | Disable unused accounts |
| Leaver account removal | Daily/weekly | Verify prompt removal |
| Service account review | Bi-annually | Validate necessity |
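Several of the reviews in the table above, and the admin-account practices in the previous section, can be checked automatically against an account export. The following is an added example, not code from the original page or from Bastion. The account records, leaver list and admin register are constructed sample data; the 30-day inactivity threshold and the `mailbox` flag (used as a proxy for "admin account used for email") are assumptions.

```python
"""Access review over a constructed account export (added example)."""
from datetime import date

INACTIVE_DAYS = 30   # assumed threshold; the page reviews inactive accounts monthly
GENERIC_NAMES = {"administrator", "admin", "root"}  # page names 'Administrator'/'Admin'

# Constructed sample export; not real accounts.
ACCOUNTS = [
    {"user": "jane.doe", "enabled": True, "last_logon": "2024-06-28", "admin": False, "mailbox": True},
    {"user": "john.smith.admin", "enabled": True, "last_logon": "2024-06-25", "admin": True, "mailbox": False},
    {"user": "Administrator", "enabled": True, "last_logon": "2024-06-30", "admin": True, "mailbox": False},
    {"user": "temp.contractor", "enabled": True, "last_logon": "2024-03-01", "admin": False, "mailbox": True},
    {"user": "bob.jones", "enabled": True, "last_logon": "2024-06-27", "admin": False, "mailbox": True},
    {"user": "backup-svc", "enabled": True, "last_logon": "2024-06-30", "admin": True, "mailbox": False},
    {"user": "ops.admin", "enabled": True, "last_logon": "2024-06-29", "admin": True, "mailbox": True},
]
# Constructed HR leaver list (user -> leaving date) and admin register (user -> justification).
LEAVERS = {"bob.jones": "2024-06-21"}
ADMIN_REGISTER = {"john.smith.admin": "server administration", "backup-svc": "backup service account"}


def review_accounts(accounts, leavers, admin_register, today: date) -> list:
    """Return findings as dicts with a code, the user and a short detail."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts are outside these checks
        # Leaver account removal: a leaver whose account is still enabled.
        if user in leavers:
            findings.append({"code": "leaver-still-enabled", "user": user,
                             "detail": f"left on {leavers[user]}"})
        # Inactive accounts: no logon within the threshold.
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        if idle > INACTIVE_DAYS:
            findings.append({"code": "inactive", "user": user,
                             "detail": f"{idle} days since last logon"})
        if acct["admin"]:
            # Named accounts: no generic admin identities.
            if user.lower() in GENERIC_NAMES:
                findings.append({"code": "generic-admin", "user": user,
                                 "detail": "generic admin name"})
            # Documented and justified: every admin account is on the register.
            if user not in admin_register:
                findings.append({"code": "undocumented-admin", "user": user,
                                 "detail": "no business justification recorded"})
            # Limited use: an admin account with a mailbox is set up for daily use.
            if acct["mailbox"]:
                findings.append({"code": "admin-with-mailbox", "user": user,
                                 "detail": "admin account has a mailbox"})
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, LEAVERS, ADMIN_REGISTER, date(2024, 7, 1)):
        print(f"{f['code']:22} {f['user']:18} {f['detail']}")
```

Each finding maps back to a row of the review table or the admin best-practice tables, so the output doubles as evidence that the review took place.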

Pre-certification checklist

  • All users have unique accounts
  • No shared accounts in use
  • Password policy meets requirements
  • Admin accounts separated from daily use
  • Admin accounts minimised and justified
  • Joiner/mover/leaver process documented
  • Account lockout enabled
  • Access reviews conducted
  • Ex-employees removed promptly

Common access control issues

Frequently found problems

| Issue | Risk | Solution |
|---|---|---|
| Shared accounts | No accountability | Individual accounts |
| Everyone is admin | Malware has full access | Apply least privilege |
| Generic admin accounts | No audit trail | Named admin accounts |
| Old accounts still active | Potential misuse | Regular access reviews |
| No leaver process | Ex-employee access | HR/IT process |
| Weak passwords | Account compromise | Strong policy + MFA |
| Admin used for daily work | Unnecessary exposure | Separate accounts |

Handling exceptions

Sometimes access exceptions are genuinely needed:

Request:

  • Business justification required
  • Duration specified
  • Risk assessed
  • Approval documented

Review:

  • Is exception truly necessary?
  • Are there alternatives?
  • What compensating controls?
  • What's the risk level?

Approval:

  • Document approver
  • Set expiry date
  • Implement compensating controls
  • Schedule review

Monitor:

  • Track exception validity
  • Review before expiry
  • Remove when no longer needed
  • Audit exception usage
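The request, review, approval and monitor steps above describe an exception register with an expiry date and a review before that date. The following is an added example of such a register, not code from the original page or from Bastion. The 14-day review window, the risk-level vocabulary and the sample exceptions are assumptions constructed for the example.

```python
"""Access-exception register with expiry and review tracking (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_WINDOW_DAYS = 14            # assumed: review is due this many days before expiry
RISK_LEVELS = {"low", "medium", "high"}


@dataclass(frozen=True)
class AccessException:
    user: str
    access: str
    justification: str
    approver: str
    granted: date
    expires: date
    compensating_controls: tuple
    risk: str


def validate_request(exc: AccessException) -> list:
    """Return the reasons an exception request must be rejected (empty if acceptable)."""
    problems = []
    if not exc.justification.strip():
        problems.append("business justification required")
    if not exc.approver.strip():
        problems.append("approver must be documented")
    if exc.expires <= exc.granted:
        problems.append("expiry date must be after the grant date")
    if not exc.compensating_controls:
        problems.append("at least one compensating control required")
    if exc.risk not in RISK_LEVELS:
        problems.append(f"risk level must be one of {sorted(RISK_LEVELS)}")
    return problems


def exceptions_needing_action(register, today: date) -> dict:
    """Sort exceptions into remove (expired), review (expiry near) and ok."""
    result = {"remove": [], "review": [], "ok": []}
    for exc in register:
        if exc.expires <= today:
            result["remove"].append(exc.user)
        elif exc.expires - today <= timedelta(days=REVIEW_WINDOW_DAYS):
            result["review"].append(exc.user)
        else:
            result["ok"].append(exc.user)
    return result


# Constructed sample register; not real exceptions.
REGISTER = [
    AccessException("jane.doe", "finance-export", "quarter-end reporting", "cfo",
                    date(2024, 3, 1), date(2024, 6, 30), ("activity logged",), "medium"),
    AccessException("sam.lee", "legacy-db-admin", "migration project", "it-manager",
                    date(2024, 5, 1), date(2024, 7, 10), ("named account", "MFA"), "high"),
    AccessException("ana.ruiz", "hr-read-only", "audit support", "hr-director",
                    date(2024, 6, 1), date(2024, 12, 31), ("read-only",), "low"),
]

if __name__ == "__main__":
    print(exceptions_needing_action(REGISTER, date(2024, 7, 1)))
```

Running the register check on a schedule (weekly, say) turns "review before expiry" and "remove when no longer needed" from good intentions into a list of named actions.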

How Bastion can help

Managing access control effectively requires good processes and consistent execution.

| Challenge | How We Help |
|---|---|
| Policy development | We create access control policies tailored to your organisation |
| Process implementation | We help establish joiner/mover/leaver workflows |
| Access reviews | We help automate and track access reviews |
| Admin account management | We provide guidance on privileged access |
| Compliance monitoring | We help maintain visibility into access control |

Working with a managed service partner means access control becomes a structured, consistent process rather than something that depends on individual memory or ad-hoc requests. We help ensure nothing falls through the cracks.
