Access Control Matrix
Map users, roles, and permissions across your tools and systems to identify security gaps.
Purpose
An access control matrix maps every user in your organisation to the systems and tools they can access, along with their permission level. It is the single source of truth for who has access to what — critical for security audits, employee offboarding, and compliance certifications.
Matrix Structure
Create a table with the following columns for each system or tool:
- System / Application: Name of the tool (e.g., Google Workspace, AWS, GitHub, CRM, HRMS).
- User: Employee name and email address.
- Role / Group: Assigned role in that system (Admin, Editor, Viewer, etc.).
- Permission Level: Granular permission set within the role.
- Grant Date: When access was granted.
- Last Review Date: When this access was last reviewed and confirmed as still needed.
- Review Status: Active, Needs Review, or Revoke.
Review Cadence
- Critical Systems (finance, HRMS, production infrastructure): Review access monthly.
- Business Tools (email, collaboration, project management): Review access quarterly.
- Development Tools (code repositories, CI/CD, staging): Review access quarterly.
- Low-Risk Tools (internal wikis, expense reports): Review access bi-annually.
Offboarding Checklist Integration
When an employee leaves, the access control matrix is the master checklist for revoking access. Follow this order:
- Disable the user account in the identity provider (Google/Azure AD/Okta).
- Revoke access to all systems listed in the matrix for that user.
- Verify revocation by attempting to log in to each system.
- Document the revocation timestamp and confirmation in the offboarding ticket.
- Archive the matrix row (do not delete) for audit trail purposes.
Common Access Control Issues
- Orphaned accounts: Active accounts for former employees. The #1 security gap in Indian SMEs.
- Over-privileged users: Users with admin rights they do not need for their role.
- Shared credentials: Multiple people using the same login. Breaks audit trail and accountability.
- Unreviewed access: Access granted years ago and never verified as still needed.
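The review cadence and the orphaned-account and unreviewed-access checks above can be run mechanically over the matrix. The script below is an added example, not part of this page or of workro desk: it assumes a CSV export with the columns listed under Matrix Structure, a hypothetical system-to-tier mapping, and reads "bi-annually" as every 180 days.

```python
import csv
import io
from datetime import date

# Review cadence per tier from the page, in days.
# Assumption: "bi-annually" is read as twice a year (180 days).
CADENCE_DAYS = {"critical": 30, "business": 90, "development": 90, "low-risk": 180}

# Assumption: the tier of each system is maintained alongside the matrix.
SYSTEM_TIER = {"AWS": "critical", "HRMS": "critical", "GitHub": "development",
               "Google Workspace": "business", "Wiki": "low-risk"}

# Constructed sample matrix: one row per (system, user) grant.
MATRIX_CSV = """system,user,role,permission,grant_date,last_review,status
AWS,alice@example.com,Admin,AdministratorAccess,2023-01-10,2024-05-01,Active
GitHub,bob@example.com,Maintainer,write,2022-06-15,2024-01-15,Active
Wiki,carol@example.com,Viewer,read,2021-03-01,2023-11-20,Active
HRMS,dave@example.com,Editor,payroll:write,2023-09-01,2024-05-20,Active
"""

# Constructed list of users HR has already offboarded.
OFFBOARDED = {"bob@example.com"}


def audit(matrix_csv, offboarded, today_iso):
    """Return (issue, system, user) findings for every Active row.

    'orphaned'   : the user is on the offboarded list but still Active.
    'unreviewed' : last_review is older than the tier's review cadence.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(matrix_csv)):
        if row["status"] != "Active":
            continue
        if row["user"] in offboarded:
            findings.append(("orphaned", row["system"], row["user"]))
        # A system missing from the tier map gets the strictest cadence.
        tier = SYSTEM_TIER.get(row["system"], "critical")
        age_days = (today - date.fromisoformat(row["last_review"])).days
        if age_days > CADENCE_DAYS[tier]:
            findings.append(("unreviewed", row["system"], row["user"]))
    return findings


if __name__ == "__main__":
    for issue, system, user in audit(MATRIX_CSV, OFFBOARDED, "2024-06-01"):
        print(f"{issue:10} {system:16} {user}")
```

Rows flagged as orphaned should go straight to the offboarding order above; unreviewed rows get their Review Status set to Needs Review until an owner confirms them.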
Put this into practice with workro desk.