Restrict Database User Access Based on Duties
Users can only access or change database information if it's part of their job.
Plain language
This control is about ensuring that people can only access the database information they need to do their job. It matters because if everyone can access everything, it could lead to mistakes, data leaks, or intentional harm to the business.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Database users' ability to access, insert, modify and remove database contents is restricted based on their work duties.
Why it matters
Unrestricted database access can enable unauthorised viewing or changes to records, increasing insider misuse, data breach risk, and operational disruption.
Operational notes
Use role-based access to grant only required database CRUD privileges per duty, and review/recertify roles after job changes and at least quarterly.
Implementation tips
- IT team should identify user roles: Define different roles within your organisation and what database access is necessary for each. Use a straightforward list or table to detail which type of employee role needs access to specific parts of the database.
- Managers should review role access: Regularly review which employees are assigned each role to ensure only those who need access have it. Organise a quarterly meeting with team leaders to discuss any changes in responsibilities that might require access adjustments.
- IT team should apply the role table in the database: Look at the 'user management' or 'access settings' option in your database software and assign permissions based on your role table, granting each role only the read, insert, modify and delete rights its duties require.
- HR and Managers must coordinate when roles change: Ensure that HR notifies the IT team when an employee changes roles or leaves the company. Create a checklist for HR to follow whenever an employee starts, leaves or changes roles to update their database access accordingly.
- Database administrators should monitor access logs: Regularly check who is accessing the database and what actions they're taking. Use logging features within the database software to track access and create alerts for unusual activity.
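The steps above (define duty roles, assign permissions from the role table, move people between roles, keep a log of changes) map directly onto database role grants. The following is an added example for PostgreSQL, not part of the original page or of any particular product's documentation; the schema, table, role and user names (billing, invoices, billing_viewer, billing_clerk, billing_supervisor, alice) are assumptions chosen to illustrate one role table. The closing query is the kind of "roles to permissions" listing the audit tips below ask for.

```sql
-- Added example (PostgreSQL). All object, role and user names are assumptions
-- standing in for your own role table.

-- 0. Something to protect.
CREATE SCHEMA billing;
CREATE TABLE billing.invoices (
    id        serial PRIMARY KEY,
    customer  text    NOT NULL,
    amount    numeric NOT NULL
);

-- 1. One NOLOGIN group role per duty. Nobody connects as these; staff are
--    added as members, so access follows the duty rather than the person.
CREATE ROLE billing_viewer     NOLOGIN;   -- read only
CREATE ROLE billing_clerk      NOLOGIN;   -- read and create records
CREATE ROLE billing_supervisor NOLOGIN;   -- read, create, change, remove

-- 2. Start from nothing: the PUBLIC pseudo-role gets no access to the schema.
REVOKE ALL ON SCHEMA billing FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA billing FROM PUBLIC;

-- 3. Grant only the verbs each duty needs. The control's "access, insert,
--    modify and remove" correspond to SELECT, INSERT, UPDATE and DELETE.
GRANT USAGE ON SCHEMA billing TO billing_viewer, billing_clerk, billing_supervisor;
GRANT SELECT                         ON billing.invoices TO billing_viewer;
GRANT SELECT, INSERT                 ON billing.invoices TO billing_clerk;
GRANT SELECT, INSERT, UPDATE, DELETE ON billing.invoices TO billing_supervisor;
-- Tables created later in this schema by the same owner should not default
-- to being unreadable by the viewer role (or, worse, be opened by hand ad hoc).
ALTER DEFAULT PRIVILEGES IN SCHEMA billing GRANT SELECT ON TABLES TO billing_viewer;

-- 4. People are members of duty roles. A job change is a membership change,
--    not a rewrite of table permissions, which is what HR should trigger.
CREATE ROLE alice LOGIN PASSWORD 'change-me';   -- assumption: password auth
GRANT billing_clerk TO alice;
-- alice moves into a supervisory position:
REVOKE billing_clerk FROM alice;
GRANT billing_supervisor TO alice;
-- alice leaves the organisation:
ALTER ROLE alice NOLOGIN;

-- 5. Record every data-modifying statement for the access-log review.
ALTER SYSTEM SET log_statement = 'mod';
SELECT pg_reload_conf();

-- 6. Evidence for the quarterly review: which people hold which duty role,
--    and what that role can do to each table in the schema.
SELECT m.rolname AS member,
       r.rolname AS duty_role,
       g.table_schema,
       g.table_name,
       g.privilege_type
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
JOIN   information_schema.role_table_grants g ON g.grantee = r.rolname
WHERE  g.table_schema = 'billing'
ORDER  BY member, duty_role, table_name, privilege_type;
```

Run as a superuser or the schema owner. The pattern worth copying is the separation in steps 1 and 4: table privileges are attached to duty roles only, and individuals gain or lose access solely through role membership, so the evidence query always reflects the current role table rather than an accumulation of one-off grants to named users.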
Audit / evidence tips
- Ask: a list of roles and database access permissions. Request the document or file that outlines the relationship between user roles and database access. Good: has detailed role descriptions and permissions that align with job duties.
- Ask: recent role review meeting notes. Request minutes or summaries from meetings where employee roles and database access were discussed. Good: shows regular reviews with clear outcomes and assigned actions.
- Ask: to see the employee access change log. Request logs or records of any recent changes to user access permissions. Good: shows timely updates with authorisation details.
- Ask: to see access log reports. Request recent reports that show who accessed the database and what changes were made. Good: shows monitoring with alerts for any anomalies or unauthorised access.
- Ask: the onboarding/offboarding checklist. Request evidence of the checklist used when employees start or leave the organisation. Good: shows a completed checklist with all necessary access changes documented.
Cross-framework mappings
How ISM-1255 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.15 (Access control) | ISM-1255 requires duty-based restriction of database actions (read/write/change/delete) for database users |
| Supports | Annex A 5.3 (Segregation of duties) | Annex A 5.3 requires conflicting duties and areas of responsibility to be segregated to prevent misuse of authority |
| Related | Annex A 5.18 (Access rights) | Annex A 5.18 requires access rights to be provisioned and maintained based on organisational access control policy and business rules |
| Related | Annex A 8.3 (Information access restriction) | Annex A 8.3 requires access to information and associated assets to be restricted in line with access control policy |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-RA-ML3.1 | ISM-1255 requires database users' ability to access, insert, modify and remove database contents to be restricted based on work duties |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.