
5.5 Access Control Matrix + Audit Trails

Security in a manufacturing environment is not just about preventing external hackers; it is about preventing an intern from accidentally deleting a Master Routing. The principle of Least Privilege is the only defense against incompetence and malice. A user should have exactly enough access to perform their specific job function—and not a single pixel more.

The RBAC Standard (Role-Based Access Control)

Do not assign permissions to individuals (e.g., "John Smith"). Assign permissions to Roles. When John changes jobs, you change his Role, not his individual settings.

Standard Factory Personas

  1. Operator:
    • Scope: The Station HMI.
    • Rights: Log in, Start/Stop Cycle, Acknowledge Alarm.
    • Block: No access to Windows Desktop, Network Settings, or Recipe Parameters.
  2. Line Lead / Maintenance:
    • Scope: The Line.
    • Rights: Override Interlocks (with code), Adjust Mechanical Offsets, Clear Jams.
    • Block: Cannot change Master Data (BOM/Route).
  3. Process Engineer:
    • Scope: The Process.
    • Rights: Edit Recipes (Draft), Analyze Data, Change Cycle Times.
    • Block: Cannot "Release" their own changes (requires Quality signature).
  4. Quality Manager:
    • Scope: Compliance.
    • Rights: Approve/Reject Recipes, Release Master Data, Disposition Non-Conformances (Scrap).
    • Block: Cannot Edit Machine Parameters.
  5. IT Admin:
    • Scope: Infrastructure.
    • Rights: Manage Users, Backups, Patching.
    • Block: Do not give IT Admins "Super User" access to Business Data. An IT Admin should not be able to "Pass" a failed unit.
  6. Auditor:
    • Scope: Oversight.
    • Rights: Global Read-Only.
    • Block: Zero Write access.

The Matrix

| Action | Operator | Maint / Lead | Engineer | Quality | IT Admin |
| --- | --- | --- | --- | --- | --- |
| Execute Order | ✅ | | ❌ | | |
| Edit Recipe | | | ✅ (Draft) | | |
| Approve Recipe | | | ❌ | ✅ | |
| Bypass Interlock | | ✅ (Log) | ✅ (Log) | | |
| Scrap Unit | | | | ✅ | |
| User Mgmt | | | | | ✅ |
| View Reports | ✅ (Own) | | | | |

Cells shown are those recoverable from this copy of the page, placed according to the persona list; where a cell is blank, the persona list above is the authoritative statement of that role's rights and blocks.

The JML Lifecycle (Joiner, Mover, Leaver)

User access tends to rot over time. "Privilege Creep" occurs when a user moves departments and keeps their old keys while getting new ones. Enforce a strict lifecycle.

Joiner (New Hire)

  • Trigger: HR System / Helpdesk Ticket.
  • Rule: Copy Profile. (e.g., "Mirror permissions of User X").
  • Validation: Manager must approve the specific Role request.
  • SLA: Access ready on Day 1.

Mover (Job Change)

  • Trigger: Promotion or Department Transfer.
  • Risk: Accumulation of rights (e.g., an Operator becomes an Engineer but keeps the ability to execute production).
  • Logic:
    • Step 1: Revoke ALL current permissions.
    • Step 2: Apply NEW Role permissions.
    • Never just "Add" the new role on top of the old one.

Leaver (Termination)

  • Trigger: HR Notification.
  • Action: Immediate Account Disable (Active Directory & MES).
  • Speed: < 1 Hour from termination notice.
  • Clean Up: Transfer ownership of any "Checked Out" files/records to the Manager.
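The Matrix and the JML rules above, as an added Python example (not code from the original page or from any MES vendor): rights come only from roles, a Mover is handled as "revoke all, then apply", a Leaver is disabled rather than deleted, and a Segregation-of-Duties check flags anyone who ends up with both Edit and Approve. The role and action names, the user IDs and the `move_by_stacking` anti-pattern are constructed for illustration; only rights the persona list states explicitly are encoded.

```python
from dataclasses import dataclass, field

# Role -> permitted actions, taken from the persona list on this page.
# Only rights the page states explicitly are included; action names are constructed.
ROLE_PERMISSIONS = {
    "operator":   {"execute_order", "view_reports_own"},
    "maint_lead": {"bypass_interlock"},
    "engineer":   {"edit_recipe_draft"},
    "quality":    {"approve_recipe", "scrap_unit"},
    "it_admin":   {"user_mgmt"},
    "auditor":    {"view_reports_all"},
}

# Segregation of Duties: no single user may both Edit and Approve a Master Record.
SOD_CONFLICTS = [frozenset({"edit_recipe_draft", "approve_recipe"})]


@dataclass
class Account:
    user_id: str
    roles: set = field(default_factory=set)
    enabled: bool = True
    # Must stay empty: the checklist target is "0 Direct Permissions".
    direct_permissions: set = field(default_factory=set)


class AccessControl:
    def __init__(self):
        self.accounts = {}   # user_id -> Account

    def join(self, user_id, role, approved_by):
        """Joiner: access is granted as a Role only, with a manager approval on record."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if not approved_by:
            raise PermissionError("role request needs manager approval")
        self.accounts[user_id] = Account(user_id, roles={role})
        return self.accounts[user_id]

    def permissions(self, user_id):
        """Effective rights; nothing for unknown or disabled accounts."""
        acct = self.accounts.get(user_id)
        if acct is None or not acct.enabled:
            return set()
        perms = set(acct.direct_permissions)
        for role in acct.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def can(self, user_id, action):
        return action in self.permissions(user_id)

    def move(self, user_id, new_role):
        """Mover: Step 1 revoke ALL current permissions, Step 2 apply the NEW role."""
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        acct = self.accounts[user_id]
        acct.roles.clear()
        acct.direct_permissions.clear()
        acct.roles.add(new_role)

    def move_by_stacking(self, user_id, new_role):
        """The anti-pattern: new role added on top of the old one (privilege creep)."""
        self.accounts[user_id].roles.add(new_role)

    def leave(self, user_id):
        """Leaver: disable at once. The record stays so audit entries still resolve the ID."""
        self.accounts[user_id].enabled = False

    def sod_violations(self):
        """Enabled users holding both sides of a conflicting pair, e.g. after a stacked move."""
        found = []
        for user_id in self.accounts:
            perms = self.permissions(user_id)
            for pair in SOD_CONFLICTS:
                if pair <= perms:
                    found.append((user_id, tuple(sorted(pair))))
        return found

    def role_usage_violations(self):
        """Checklist 'Role Usage': every enabled user in a Role, zero direct grants."""
        return [u for u, a in self.accounts.items()
                if a.enabled and (a.direct_permissions or not a.roles)]


def demo():
    """Walk one user through the lifecycle and return what each step allowed."""
    ac = AccessControl()
    ac.join("jsmith", "operator", approved_by="mgr_ops")   # constructed user IDs
    ac.join("apatel", "engineer", approved_by="mgr_eng")
    result = {"operator_can_execute": ac.can("jsmith", "execute_order")}
    ac.move_by_stacking("jsmith", "engineer")              # wrong way
    result["stacked_still_executes"] = ac.can("jsmith", "execute_order")
    ac.move("jsmith", "engineer")                          # right way: revoke, then apply
    result["moved_still_executes"] = ac.can("jsmith", "execute_order")
    ac.move_by_stacking("apatel", "quality")               # Edit + Approve in one person
    result["sod"] = ac.sod_violations()
    ac.leave("apatel")
    result["after_leave"] = ac.permissions("apatel")
    return result
```

`demo()` shows the difference the Mover rule makes: the stacked move leaves the former Operator able to execute production after becoming an Engineer, the revoke-then-apply move does not, and the same stacking on the Engineer/Quality side is exactly what `sod_violations()` exists to catch in the quarterly review.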

Audit Trails: The "God View"

Every click that alters data must be recorded. If you cannot reconstruct who changed a setting and when, your system is not compliant.

The 4 Ws of Logging

For every INSERT, UPDATE, or DELETE, the system must log:

  1. Who: User ID (not generic "Admin").
  2. When: UTC Timestamp.
  3. What: The specific Field changed.
  4. Value: The Old Value and the New Value.

Pro-Tip: Audit logs must be Read-Only. Even the IT Admin should not be able to delete the Audit Log. Ship these logs to an immutable SIEM (Security Information and Event Management) system or WORM storage.
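The 4 Ws and the read-only rule, as an added Python example (not from the original page): every INSERT, UPDATE or DELETE is written as one entry per changed field with Who, When (UTC), What, Old and New, generic user IDs are refused, and a hash chain over the entries makes any later edit, deletion or reordering detectable. The hash-chain design, the record shape, the `GENERIC_IDS` list and the sample recipe fields are assumptions constructed for this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Shared or generic IDs are refused: "Who" must be a named person.
GENERIC_IDS = {"admin", "administrator", "root", "system"}

# Constructed sample: one recipe record before and after an engineer's edit.
# Field names and values are illustrative, not from any real MES.
BEFORE = {"recipe_id": "R-1001", "cycle_time_s": 42.0, "torque_nm": 12.5, "status": "Draft"}
AFTER = {"recipe_id": "R-1001", "cycle_time_s": 40.0, "torque_nm": 12.5, "status": "Draft"}
SAMPLE_WHEN = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)   # constructed timestamp

GENESIS = "0" * 64


def _digest(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, default=str)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    """Append-only record of the 4 Ws: Who, When (UTC), What (field), Value (old/new).

    Each entry also stores the previous entry's hash and its own hash over
    (previous hash + content). The chain is an assumed tamper-evidence design:
    altering, removing or reordering any entry makes verify() fail.
    """

    def __init__(self):
        self._entries = []

    def _append(self, body):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = dict(body, prev_hash=prev, hash=_digest(prev, body))
        self._entries.append(entry)
        return entry

    def record_change(self, user_id, op, table, key, before, after, when=None):
        """Log one INSERT/UPDATE/DELETE as one entry per changed field.
        Pass before=None for INSERT and after=None for DELETE."""
        if user_id.strip().lower() in GENERIC_IDS:
            raise ValueError(f"{user_id!r} is a shared account, not a user ID")
        if op not in ("INSERT", "UPDATE", "DELETE"):
            raise ValueError(f"unsupported op {op!r}")
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware so it can be stored as UTC")
        ts = when.astimezone(timezone.utc).isoformat()
        before, after = before or {}, after or {}
        written = []
        for fld in sorted(set(before) | set(after)):
            old, new = before.get(fld), after.get(fld)
            if old != new:
                written.append(self._append({
                    "who": user_id, "when": ts, "op": op, "table": table,
                    "key": key, "what": fld, "old": old, "new": new}))
        return written

    def entries(self):
        """Copies only: readers (IT Admins included) get no handle on the stored list."""
        return [dict(e) for e in self._entries]

    def history(self, table, key, fld):
        """Reconstruct who changed a setting and when: (who, when, old, new) in order."""
        return [(e["who"], e["when"], e["old"], e["new"]) for e in self._entries
                if e["table"] == table and e["key"] == key and e["what"] == fld]

    def verify(self, entries=None):
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for e in (self._entries if entries is None else entries):
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or e["hash"] != _digest(prev, body):
                return False
            prev = e["hash"]
        return True


def demo():
    """UPDATE one recipe, then show the log survives reads but not after-the-fact edits."""
    log = AuditLog()
    log.record_change("apatel", "UPDATE", "recipe", "R-1001", BEFORE, AFTER, when=SAMPLE_WHEN)
    tampered = log.entries()
    tampered[0]["new"] = 99.0          # someone rewriting the value after the fact
    return {"history": log.history("recipe", "R-1001", "cycle_time_s"),
            "intact": log.verify(), "tampered_ok": log.verify(tampered)}
```

In production the chain head (the latest hash) is what you ship to the SIEM or WORM store; comparing it against the local log at review time is how you prove nobody, including the IT Admin, has trimmed the log.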

The Access Review (Cadence)

Trust but verify. Permissions drift.

  • Frequency: Quarterly (Every 90 Days).
  • Process:
    1. IT generates a report of all Active Users + Roles.
    2. Department Managers receive the list for their team.
    3. Action: Manager must mark each user as "Retain" or "Revoke."
    4. Logic: If Manager fails to review by Deadline → Then Auto-Disable accounts.
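The quarterly review steps above and the checklist's stale-account rule, as an added Python example (not the page's own tooling): the active-user export is split per manager, each manager's Retain/Revoke answers are applied, anyone not reviewed by the deadline is auto-disabled, and the hygiene rule is unioned in. The sample export, the manager responses, the deadline and the rule that a never-used account counts as stale are constructed assumptions.

```python
from datetime import date

STALE_DAYS = 30                       # Final Checklist: Inactive > 30 Days -> Auto-Disable
REVIEW_DEADLINE = date(2024, 3, 31)   # constructed: end of the quarterly review window

# Constructed sample export of "all Active Users + Roles" (step 1); not real accounts.
ACCOUNTS = [
    {"user_id": "jsmith", "role": "operator",   "manager": "mgr_ops", "last_login": date(2024, 3, 28), "enabled": True},
    {"user_id": "bkaur",  "role": "maint_lead", "manager": "mgr_ops", "last_login": date(2024, 2, 10), "enabled": True},
    {"user_id": "apatel", "role": "engineer",   "manager": "mgr_eng", "last_login": date(2024, 3, 30), "enabled": True},
    {"user_id": "cwong",  "role": "engineer",   "manager": "mgr_eng", "last_login": date(2024, 3, 29), "enabled": True},
    {"user_id": "dlee",   "role": "quality",    "manager": "mgr_qa",  "last_login": date(2024, 3, 29), "enabled": True},
    {"user_id": "tmoore", "role": "operator",   "manager": "mgr_ops", "last_login": None,              "enabled": True},
    {"user_id": "rgone",  "role": "operator",   "manager": "mgr_ops", "last_login": date(2023, 12, 1), "enabled": False},
]

# Constructed manager responses (step 3). mgr_eng skipped cwong; mgr_qa never answered.
REVIEWS = {
    "mgr_ops": {"jsmith": "Retain", "bkaur": "Retain", "tmoore": "Retain"},
    "mgr_eng": {"apatel": "Revoke"},
}


def report_by_manager(accounts):
    """Step 2: split the active-user export into one (user, role) list per manager."""
    report = {}
    for a in accounts:
        if a["enabled"]:
            report.setdefault(a["manager"], []).append((a["user_id"], a["role"]))
    return report


def stale_accounts(accounts, today):
    """Hygiene rule: enabled accounts unused for more than STALE_DAYS.
    An account that has never logged in is treated as stale (assumption)."""
    out = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["last_login"] is None or (today - a["last_login"]).days > STALE_DAYS:
            out.append(a["user_id"])
    return out


def review_decisions(accounts, reviews, today, deadline=REVIEW_DEADLINE):
    """Steps 3-4: per-user outcome. A missing decision becomes 'auto_disable'
    once the deadline has passed; before that it stays 'pending'."""
    decisions = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        choice = reviews.get(a["manager"], {}).get(a["user_id"])
        if choice == "Revoke":
            decisions[a["user_id"]] = "revoke"
        elif choice == "Retain":
            decisions[a["user_id"]] = "retain"
        else:
            decisions[a["user_id"]] = "auto_disable" if today > deadline else "pending"
    return decisions


def accounts_to_disable(accounts, reviews, today, deadline=REVIEW_DEADLINE):
    """The disable list handed to IT: hygiene rule plus review outcome, sorted."""
    flagged = set(stale_accounts(accounts, today))
    for user_id, decision in review_decisions(accounts, reviews, today, deadline).items():
        if decision in ("revoke", "auto_disable"):
            flagged.add(user_id)
    return sorted(flagged)
```

Note that a "Retain" from the manager does not rescue a stale account (`bkaur` here): the two rules are independent, and the hygiene rule runs whether or not a review is in progress.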

Final Checklist

| Category | Metric / Control | Threshold / Rule |
| --- | --- | --- |
| Least Privilege | Role Usage | 100% of users assigned to a Role. 0 Direct Permissions. |
| Segregation | SoD (Segregation of Duties) | No single user can both Edit and Approve a Master Record. |
| Leavers | Kill Switch | Terminated users disabled in < 2 Hours. |
| Hygiene | Stale Accounts | If Inactive > 30 Days → Then Auto-Disable. |
| Audit | Traceability | Logs capture Old_Value vs New_Value for all Config changes. |
| Review | Governance | Quarterly Access Review completed by Dept Managers. |
| Admin | Control | IT Admins blocked from modifying Business Data (Recipes/BOMs). |