PR.AC-4: Access permissions
Access permissions and authorisations are managed with least privilege and separation of duties
Requirement
Access permissions for users to the organisation's systems shall be defined and managed. It shall be identified who should have access to the organisation's business-critical information and technology. Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).
Our Implementation
Access permissions follow the principle of least privilege. In the NextSDS product, data isolation is enforced through Supabase Row Level Security (RLS) policies — customers can only access data belonging to their own organisation. Administrative access to cloud infrastructure is restricted to the three co-founders, with the primary owner (CEO/CTO) holding organisation-owner privileges on critical systems (GitHub, Vercel, Supabase, Slack).
Access rights are tracked in the access matrix, which documents each team member's access level per system. Google Workspace SSO centralises authentication, allowing access to be revoked from a single point when needed.
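The per-organisation isolation described above can be expressed directly in PostgreSQL row level security, which is what Supabase RLS is. The following is an added illustrative example written for this page; it is not NextSDS's actual schema or policies. The table names `memberships` and `documents`, the `org_id` column, the `role` values and the helper `current_user_orgs()` are assumptions; `auth.uid()` and the `authenticated` role are Supabase built-ins.

```sql
-- Added example: Supabase/PostgreSQL row level security for per-organisation
-- data isolation. Illustrative only, not NextSDS's real schema or policies.
-- Assumed names: tables memberships and documents, column org_id, helper
-- current_user_orgs(). auth.uid() and the authenticated role come from Supabase.

-- Which authenticated users belong to which organisation, and with what role.
create table if not exists memberships (
  user_id uuid not null references auth.users (id),
  org_id  uuid not null,
  role    text not null check (role in ('member', 'admin')),
  primary key (user_id, org_id)
);

-- Customer data, tagged with the owning organisation.
create table if not exists documents (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  title  text not null,
  body   text
);

-- WEAK: RLS not enabled. Any client holding an anon/authenticated JWT can read
-- every row through the PostgREST API; isolation then depends on application
-- code remembering to add "where org_id = ..." to every query.
--   select * from documents;   -- returns all organisations' rows

-- HARDENED: enable and force RLS. With RLS on and no matching policy, the
-- default is deny. "force" applies the policies to the table owner as well.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table documents enable row level security;
alter table documents force row level security;

-- Users may see only their own membership rows.
create policy memberships_select_self on memberships
  for select
  to authenticated
  using (user_id = auth.uid());

-- Helper: organisations the calling user belongs to. security definer lets it
-- read memberships regardless of that table's RLS; search_path is pinned so a
-- caller cannot shadow "memberships" with an object in another schema.
create or replace function current_user_orgs()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select org_id from memberships where user_id = auth.uid();
$$;

-- Read access: any member of the organisation that owns the row.
create policy documents_select_own_org on documents
  for select
  to authenticated
  using (org_id in (select current_user_orgs()));

-- Insert: members may create rows only inside their own organisation.
create policy documents_insert_own_org on documents
  for insert
  to authenticated
  with check (org_id in (select current_user_orgs()));

-- Update: "using" limits which rows are visible to the update, "with check"
-- blocks re-tagging a row to another organisation.
create policy documents_update_own_org on documents
  for update
  to authenticated
  using (org_id in (select current_user_orgs()))
  with check (org_id in (select current_user_orgs()));

-- Delete: organisation admins only (separation of duties within the tenant).
create policy documents_delete_admin_only on documents
  for delete
  to authenticated
  using (org_id in (
    select org_id from memberships
    where user_id = auth.uid() and role = 'admin'));
```

Two practitioner checks belong with policies like these. First, RLS filters silently: a user outside an organisation gets zero rows, not an error, so an isolation test should sign in as two users from different organisations and assert on row counts. Second, the Supabase service_role key and the database superuser bypass RLS entirely, so that key must stay server-side and never reach browser or mobile clients; the anon and authenticated JWTs are the only ones the policies above are meant to constrain.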
Gaps / Planned improvements:
- No separate admin accounts — team members use the same accounts for daily work and administration (NEX-346)
- Formal access review process not yet established — planned quarterly reviews (NEX-367, NEX-383)
- Access matrix flagged as draft — full audit pending (NEX-344)