5.5 Access control matrix + audit trails
Security in a manufacturing environment requires vigilance to prevent both external threats and internal, accidental data corruption (such as an operator unintentionally modifying a Master Routing). The principle of Least Privilege provides a strong defense. A user should be granted exactly enough access to perform their specific job function, and no more.
The RBAC standard (role-based access control)
It is highly recommended to assign permissions to Roles rather than to individuals. When a team member changes jobs, you update their Role instead of maintaining per-user settings, which keeps access manageable and auditable.
Standard factory personas
- Operator:
  - Scope: The Station HMI.
  - Rights: Log in, Start/Stop Cycle, Acknowledge Alarm.
  - Block: No access to the Windows Desktop, Network Settings, or Recipe Parameters.
- Line Lead / Maintenance:
  - Scope: The Line.
  - Rights: Override Interlocks (with a logged code), Adjust Mechanical Offsets, Clear Jams.
  - Block: Cannot change Master Data (BOM or Route).
- Process Engineer:
  - Scope: The Process.
  - Rights: Edit Recipes (in Draft mode), Analyze Data, Change Cycle Times.
  - Block: Cannot “Release” their own changes (this requires a Quality signature).
- Quality Manager:
  - Scope: Compliance.
  - Rights: Approve/Reject Recipes, Release Master Data, Disposition Non-Conformances (e.g. Scrap).
  - Block: Cannot Edit Machine Parameters.
- IT Admin:
  - Scope: Infrastructure.
  - Rights: Manage Users, Execute Backups, Apply Patches.
  - Block: Avoid granting IT Admins “Super User” access to Business Data. An IT Admin should not have the system capability to “Pass” a failed unit.
- Auditor:
  - Scope: Oversight.
  - Rights: Global Read-Only access.
  - Block: Zero Write access.
The matrix
| Action | Operator | Maint / Lead | Engineer | Quality | IT Admin |
|---|---|---|---|---|---|
| Execute Order | ✅ | ✅ | ✅ | ❌ | ❌ |
| Edit Recipe | ❌ | ❌ | ✅ (Draft) | ❌ | ❌ |
| Approve Recipe | ❌ | ❌ | ❌ | ✅ | ❌ |
| Bypass Interlock | ❌ | ✅ (Log) | ✅ (Log) | ❌ | ❌ |
| Scrap Unit | ❌ | ❌ | ❌ | ✅ | ❌ |
| User Mgmt | ❌ | ❌ | ❌ | ❌ | ✅ |
| View Reports | ✅ (Own) | ✅ | ✅ | ✅ | ❌ |
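The matrix above turned into enforceable policy, as an added example that is not code from the original page: roles map to the actions they may perform, the parenthesised conditions (Draft, Log, Own) are checked at call time, and approving a recipe is a maker-checker step so even a Quality user cannot release a draft they authored themselves. The `check_access`, `approve_recipe` and `sod_violations` functions, the `Recipe` class and the keyword parameters are assumptions for this example.

```python
from dataclasses import dataclass

# The access matrix from the page: role -> actions it may perform. Conditions
# shown in parentheses on the page (Draft, Log, Own) are enforced in check_access().
MATRIX = {
    "Operator":   {"Execute Order", "View Reports"},
    "Maint/Lead": {"Execute Order", "Bypass Interlock", "View Reports"},
    "Engineer":   {"Execute Order", "Edit Recipe", "Bypass Interlock", "View Reports"},
    "Quality":    {"Approve Recipe", "Scrap Unit", "View Reports"},
    "IT Admin":   {"User Mgmt"},
}

# Segregation of duties: no single role may hold both halves of a pair.
SOD_PAIRS = [("Edit Recipe", "Approve Recipe")]

@dataclass
class Recipe:                      # assumed minimal Master Data record
    name: str
    author: str
    state: str = "Draft"           # Draft -> Released (only Quality releases)

def check_access(role, action, *, recipe=None, user=None,
                 log_code=None, report_owner=None):
    """Return (allowed, reason); the matrix decides first, then the condition."""
    if action not in MATRIX.get(role, set()):
        return False, f"{role} may not {action}"
    if action == "Edit Recipe" and (recipe is None or recipe.state != "Draft"):
        return False, "recipes can only be edited in Draft"
    if action == "Bypass Interlock" and not log_code:
        return False, "interlock bypass requires a logged reason code"
    if action == "View Reports" and role == "Operator" and report_owner != user:
        return False, "Operators may only view their own reports"
    return True, "ok"

def approve_recipe(recipe, approver, approver_role):
    """Maker-checker: only Quality approves, and never the recipe's own author."""
    allowed, reason = check_access(approver_role, "Approve Recipe")
    if not allowed:
        return False, reason
    if approver == recipe.author:
        return False, "author may not approve their own change"
    recipe.state = "Released"
    return True, "released"

def sod_violations(matrix=MATRIX):
    """Roles holding both actions of an SoD pair; must be empty before go-live."""
    return [(role, a, b) for role, acts in matrix.items()
            for a, b in SOD_PAIRS if a in acts and b in acts]
```

Run `sod_violations()` against the live role definitions as part of the quarterly review; any non-empty result is an SoD finding.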
The JML lifecycle (joiner, mover, leaver)
User access tends to accumulate unneeded permissions over time. “Privilege Creep” occurs when a user moves departments and retains their old access rights while acquiring new ones. A strict lifecycle must be enforced to mitigate this.
Joiner (new hire)
- Trigger: HR System or Helpdesk Ticket.
- Rule: Copy an established Profile (e.g. “Mirror permissions of a standard Operator”).
- Validation: The relevant Manager must approve the specific Role request.
- SLA: Ensure access is ready on Day 1.
Mover (job change)
- Trigger: Promotion or Department Transfer.
- Risk: Accumulation of conflicting rights (e.g. an Operator becomes an Engineer but retains the ability to execute production operations).
- Logic:
  - Step 1: Revoke ALL current permissions.
  - Step 2: Apply the NEW Role permissions entirely.
- Pro-Tip: Avoid simply “Adding” the new role on top of the old one.
Leaver (termination)
- Trigger: HR Notification.
- Action: Disable the account immediately (in both Active Directory and the MES).
- Speed: Complete within < 1 Hour of the termination notice.
- Clean Up: Ownership of any “Checked Out” files or records must be transferred to the responsible Manager.
Audit trails: the “god view”
Every click that alters data must be recorded. If the system cannot reliably reconstruct who changed a setting and when, it may not be fully compliant.
The 4 Ws of logging
For every INSERT, UPDATE, or DELETE operation, the system should log:
- Who: The specific User ID (avoid generic “Admin” accounts).
- When: A UTC Timestamp.
- What: The specific Field that was changed.
- Value: Both the Old Value and the New Value.
Pro-Tip: Audit logs must be Read-Only. Even the IT Admin should not have permissions to delete the Audit Log. Ship these logs to an immutable SIEM (Security Information and Event Management) system or WORM storage.
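An added example (not code from the original page) of an audit record that carries the 4 Ws plus the old and new value and refuses generic account names. Each entry is chained to the previous entry's SHA-256 hash, so a later edit or deletion of any earlier record fails `verify()`; hash chaining is a swapped-in technique for application-side tamper evidence, and shipping each entry with its hash to the SIEM or WORM store remains the control the page calls for. The `AuditLog` class and its method names are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENERIC = {"admin", "root", "system"}   # shared logins that defeat the "Who"

class AuditLog:
    """Append-only trail: 4 Ws + old/new value, hash-chained for tamper evidence."""

    def __init__(self):
        self._entries = []

    def record(self, user_id, table, key, field, old, new, when=None):
        if user_id.lower() in GENERIC:
            raise ValueError("generic account; the Who must be a specific User ID")
        when = when or datetime.now(timezone.utc)            # When: UTC only
        prev = self._entries[-1]["hash"] if self._entries else "0" * 64
        entry = {
            "who": user_id,
            "when": when.isoformat(),
            "what": f"{table}.{key}.{field}",                # What: the exact field
            "old": old, "new": new,                          # Value: both sides
            "prev": prev,                                    # link to predecessor
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["hash"]        # ship entry + this hash to the SIEM / WORM store

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str)
                              .encode()).hexdigest()

    def entries(self):
        return [dict(e) for e in self._entries]   # copies: no in-place edits

    def verify(self, entries=None):
        """True only if every entry hashes correctly and chains to its predecessor."""
        prev = "0" * 64
        for e in (self._entries if entries is None else entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The chain only proves integrity back to the last hash an outside party holds, which is why the head hash should leave the MES host with every batch.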
The access review (cadence)
Trust must be verified: permissions drift naturally over time.
- Frequency: Quarterly (Every 90 Days).
- Process:
  - IT generates a report of all Active Users and their assigned Roles.
  - Department Managers receive the list relevant to their team.
  - Action: The Manager must actively mark each user as “Retain” or “Revoke.”
  - Logic: When a Manager fails to review the list by the Deadline, the system should ideally Auto-Disable the unverified accounts to enforce compliance.
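The JML rules above (mover: revoke everything, then apply the new Role; leaver: immediate disable against the 1 Hour SLA) and the review cadence (unreviewed accounts auto-disabled once the Deadline passes, stale accounts after 30 Days of inactivity), as one added example that is not code from the original page. The `Account` class and the function names are assumptions; the sample accounts used in the test are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)     # Hygiene: Inactive > 30 Days -> Auto-Disable
LEAVER_SLA = timedelta(hours=1)      # Leaver: disable within 1 Hour of the notice

@dataclass
class Account:                       # assumed minimal directory / MES record
    user_id: str
    roles: set
    enabled: bool = True
    last_login: datetime = None
    reviewed: bool = False           # True once a Manager marks "Retain"

def move_user(acct, new_role):
    """Mover: revoke ALL current permissions, then apply the new Role entirely."""
    acct.roles = {new_role}          # assignment, never acct.roles.add(new_role)
    acct.reviewed = False            # a changed job needs a fresh review
    return acct

def disable_leaver(acct, notice_time, now):
    """Leaver: disable at once; returns False when the SLA was already missed."""
    acct.enabled = False
    acct.roles = set()
    return now - notice_time <= LEAVER_SLA

def manager_review(accounts, decisions):
    """decisions: {user_id: "Retain" | "Revoke"}; unmarked users stay unverified."""
    for a in accounts:
        d = decisions.get(a.user_id)
        if d == "Retain":
            a.reviewed = True
        elif d == "Revoke":
            a.enabled, a.roles = False, set()

def enforce_hygiene(accounts, now, review_deadline):
    """Auto-disable stale accounts and, once the Deadline has passed, unreviewed ones."""
    disabled = []
    for a in accounts:
        if not a.enabled:
            continue
        stale = a.last_login is None or now - a.last_login > STALE_AFTER
        unreviewed = now > review_deadline and not a.reviewed
        if stale or unreviewed:
            a.enabled = False
            disabled.append(a.user_id)
    return disabled
```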
Final Checkout: Access control matrix + audit trails
| Category | Metric / Control | Threshold / Rule |
|---|---|---|
| Least Privilege | Role Usage | Ensure 100% of users are assigned to a Role. 0 Direct Permissions. |
| Segregation | SoD (Segregation of Duties) | Configure the system so no single user can both Edit and Approve a Master Record. |
| Leavers | Kill Switch | Ensure Terminated users are disabled in < 2 Hours. |
| Hygiene | Stale Accounts | When an account is Inactive > 30 Days, it should Auto-Disable. |
| Audit | Change Logging | Logs must capture Old_Value vs New_Value for all Config changes. |
| Review | Governance | Ensure a Quarterly Access Review is completed by Dept Managers. |
| Admin | Control | IT Admins should be blocked from modifying Business Data (Recipes/BOMs). |