+ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B)

1. Overview

ORP.4.A2 Creating, Changing, and Revoking Authorisations [IT Operation Department] (B)

User IDs and authorisations MUST ONLY be granted on the basis of actual need in connection with specific tasks (in line with the least-privilege and need-to-know principles). If there are personnel changes, the user IDs and authorisations that are no longer required MUST be removed. If employees apply for authorisations that are beyond the respective standard, they MUST ONLY be assigned after additional justification and verification are provided. Access permissions to system directories and files SHOULD be restricted. All authorisations MUST be established via separate administrative roles.

Summary	Standard

1.1 References

1.2 Identified Requirements

1.2 Related Regulation

2. Identified Requirements

Requirements
Source	Requirement

3. Related Regulations

Regulations
Source	Regulation

ITGC -
Bundesamt für Sicherheiter in der Informationstechnik - IT-Grundschutzkompendium Stand 2022