Lesson 6.1 — User access control: accounts, permissions and least privilege
This lesson introduces the Cyber Essentials user access control requirements.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- explain the purpose of user access control
- identify the main account types in scope
- understand the principle of least privilege
- recognise high-risk access patterns
- create a first user access control baseline covering accounts and permissions
Why This Matters
This lesson explains why user accounts must be assigned only to authorised individuals, why users should receive only the access they need for their role, and how organisations can start building an access control baseline before moving on to account approval, leavers, MFA, password-based authentication and administrator accounts in later lessons.
The Core Rule
User access control makes sure only authorised users have accounts and that those accounts only give access needed for their role.
Every active account is a possible route into organisational data and services.
What the CE Assessor Looks For
A strong position shows:
- accounts are assigned to authorised individuals only;
- account creation is approved;
- users have unique credentials;
- users receive access based on role and business need;
- MFA is used where available, and always for cloud services;
- administrator accounts are separate from daily-use accounts.
Common Mistakes
- thinking user access control only means password policy;
- ignoring cloud and SaaS accounts;
- ignoring supplier accounts;
- ignoring service accounts;
- allowing shared logins without justification;
- giving users more access than they need.
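The assessor points and the common mistakes above can be turned into a repeatable check over an account inventory. The following is an added example for this lesson, not Cyber Essentials tooling or any product's code: the account fields, the role-to-permission map and the sample accounts are all assumed and constructed for illustration. It flags the patterns listed above (unassigned accounts, unapproved creation, shared logins without justification, cloud accounts without MFA, administrator accounts used for daily work or with no separate standard account, and access beyond what the role needs) so a first baseline review has something concrete to work from.

```python
"""User access control baseline review (added example; data model and rules are assumptions)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Account:
    name: str
    kind: str                      # "user", "admin", "service", "supplier" or "shared"
    role: str                      # business role the account was issued for
    permissions: FrozenSet[str]    # access the account actually holds
    owner: Optional[str] = None    # named person accountable; None = nobody
    cloud: bool = False            # hosted on a cloud / SaaS service
    mfa: bool = False
    approved: bool = False         # creation was approved and recorded
    daily_use: bool = False        # also used for email, browsing, routine work
    justification: Optional[str] = None  # why a shared login is needed, if any


# Assumed role-to-permission map: the access each role legitimately needs.
ROLE_NEEDS = {
    "finance": frozenset({"ledger:read", "ledger:write"}),
    "frontdesk": frozenset({"calendar:read"}),
    "backup": frozenset({"storage:write"}),
    "support": frozenset({"tickets:read", "tickets:write"}),
    "it-admin": frozenset({"users:manage", "systems:configure"}),
}


def review(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every high-risk pattern found."""
    findings: List[Tuple[str, str]] = []
    # Owners who hold a normal user account; an admin account should not be their only one.
    owners_with_standard = {a.owner for a in accounts if a.kind == "user" and a.owner}
    for a in accounts:
        if a.owner is None:
            findings.append((a.name, "no named owner"))
        if not a.approved:
            findings.append((a.name, "creation not approved"))
        if a.kind == "shared" and not a.justification:
            findings.append((a.name, "shared login without justification"))
        if a.cloud and not a.mfa:
            findings.append((a.name, "cloud account without MFA"))
        if a.kind == "admin" and a.daily_use:
            findings.append((a.name, "administrator account used for daily work"))
        if a.kind == "admin" and a.owner and a.owner not in owners_with_standard:
            findings.append((a.name, "owner has no separate standard account"))
        excess = a.permissions - ROLE_NEEDS.get(a.role, frozenset())
        if excess:
            findings.append((a.name, "access beyond role need: " + ", ".join(sorted(excess))))
    return sorted(findings)


# Constructed sample inventory (not real accounts) covering each account type in scope.
SAMPLE_ACCOUNTS = [
    Account("a.hussain", "user", "finance", frozenset({"ledger:read", "ledger:write"}),
            owner="Asma Hussain", cloud=True, mfa=True, approved=True),
    Account("a.hussain-admin", "admin", "it-admin", frozenset({"users:manage", "systems:configure"}),
            owner="Asma Hussain", cloud=True, mfa=True, approved=True, daily_use=True),
    Account("b.okafor-admin", "admin", "it-admin", frozenset({"users:manage", "systems:configure"}),
            owner="Ben Okafor", mfa=True, approved=True),
    Account("reception", "shared", "frontdesk", frozenset({"calendar:read"}),
            cloud=True, approved=True),
    Account("svc-backup", "service", "backup", frozenset({"storage:write", "ledger:write"}),
            owner="IT team"),
    Account("msp-support", "supplier", "support", frozenset({"tickets:read", "tickets:write"}),
            owner="MSP Ltd", cloud=True, mfa=True, approved=True),
]


if __name__ == "__main__":
    for name, finding in review(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

Running it lists seven findings across four of the six sample accounts; the two clean accounts (a named user with role-appropriate access and MFA, and a supplier account that is approved, owned and MFA-protected) produce nothing. The excess-permission check is where least privilege becomes testable: it compares what an account holds against what its role needs, which is the comparison the baseline in this lesson asks you to start recording.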
Copy This
Keep this rule visible:
Only the right people should have accounts, and those accounts should only give them the access they need to do their job.
Quick Checklist
Before moving on, make sure you can answer each of these:
- [ ] What is the main aim of user access control?
- [ ] What does least privilege mean?
- [ ] Why are user accounts risky?
- [ ] Why are privileged accounts higher risk?
- [ ] Why should users have unique credentials?
Your Action
Do this now — it takes 10–20 minutes.
Describe your user account process in two or three sentences: how accounts are created, what access they receive, and who approves. Add to Section UAC.
Key Takeaway
Only the right people should have accounts, and those accounts should only give them the access they need to do their job.
Your Workbook Activity
Complete: User access control baseline review
Next Lesson
In the next lesson: Creating and approving user accounts: joiners, movers, contractors and temporary access