
5.5 Access Control Matrix + Audit Trails

Security in a manufacturing environment is not just about preventing external hackers; it is about preventing an untrained operator or intern from accidentally crashing a million-dollar machine or deleting a Master Routing. The principle of Least Privilege is the only defense against both incompetence and malice: a user should have exactly enough access to perform their specific job function, and not a single pixel more. Treat identity as a critical process parameter, not an IT administrative burden.

The RBAC Standard (Role-Based Access Control)

Do not assign permissions to individuals (e.g., "John Smith") or manage them user-by-user; it is unscalable and dangerous. Define Roles that mirror physical job functions, map users to these groups, and assign permissions to the Roles. When John changes jobs, you change his Role, not his individual settings.

Standard Factory Personas

  1. Operator:
    • Scope: The Station HMI.
    • Rights: Log in, Start/Stop Cycle, Acknowledge Alarm.
    • Block: No access to Windows Desktop, Network Settings, or Recipe Parameters.
  2. Line Lead / Maintenance:
    • Scope: The Line.
    • Rights: Override Interlocks (with code), Adjust Mechanical Offsets, Clear Jams.
    • Block: Cannot change Master Data (BOM/Route).
  3. Process Engineer:
    • Scope: The Process.
    • Rights: Edit Recipes (Draft), Analyze Data, Change Cycle Times.
    • Block: Cannot "Release" their own changes (requires Quality signature).
  4. Quality Manager:
    • Scope: Compliance.
    • Rights: Approve/Reject Recipes, Release Master Data, Disposition Non-Conformances (Scrap).
    • Block: Cannot Edit Machine Parameters.
  5. IT Admin:
    • Scope: Infrastructure.
    • Rights: Manage Users, Backups, Patching.
    • Block: Do not give IT Admins "Super User" access to Business Data. An IT Admin should not be able to "Pass" a failed unit.
  6. Auditor:
    • Scope: Oversight.
    • Rights: Global Read-Only.
    • Block: Zero Write access.

The Matrix

| Action           | Operator | Maint / Lead | Engineer   | Quality | IT Admin |
|------------------|----------|--------------|------------|---------|----------|
| Execute Order    | ✅       | ✅           | ❌         | ❌      | ❌       |
| Edit Recipe      | ❌       | ❌           | ✅ (Draft) | ❌      | ❌       |
| Approve Recipe   | ❌       | ❌           | ❌         | ✅      | ❌       |
| Bypass Interlock | ❌       | ✅ (Log)     | ✅ (Log)   | ❌      | ❌       |
| Scrap Unit       | ❌       | ❌           | ❌         | ✅      | ❌       |
| User Mgmt        | ❌       | ❌           | ❌         | ❌      | ✅       |
| View Reports     | ✅ (Own) | ✅           | ✅         | ✅      | ✅       |
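As an added example (not code from the original page), the matrix above expressed as role-only permissions, with the Engineer's Draft-only edit and the Quality-only release enforced in code. The user names, the reason check for the "(Log)" cells and the same-person check on approval are assumptions drawn from the personas above.

```python
# Added example, not from the original page: enforce the access matrix above.
# Permissions are attached to Roles only; a user carries a Role, never a direct grant.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Role -> permitted actions, transcribed from the matrix. "Edit Recipe" for the
# Engineer is Draft only; "Bypass Interlock" must carry a reason that gets logged.
ROLE_MATRIX: Dict[str, Set[str]] = {
    "Operator":   {"Execute Order", "View Reports"},
    "Maint/Lead": {"Execute Order", "Bypass Interlock", "View Reports"},
    "Engineer":   {"Edit Recipe", "Bypass Interlock", "View Reports"},
    "Quality":    {"Approve Recipe", "Scrap Unit", "View Reports"},
    "IT Admin":   {"User Mgmt", "View Reports"},
}
LOGGED_ACTIONS = {"Bypass Interlock"}   # the "(Log)" cells: allowed only with a recorded reason

@dataclass
class User:
    user_id: str      # a named human, never a generic account
    role: str         # exactly one Role; no per-user permissions exist anywhere

@dataclass
class Recipe:
    name: str
    state: str = "Released"
    drafted_by: Optional[str] = None

def authorize(user: User, action: str, reason: Optional[str] = None) -> bool:
    """True when the user's Role permits the action; logged actions also need a reason."""
    if action not in ROLE_MATRIX.get(user.role, set()):
        return False
    return bool(reason) if action in LOGGED_ACTIONS else True

def edit_recipe(user: User, recipe: Recipe) -> bool:
    """Engineers only produce a Draft; nothing in this function can release it."""
    if not authorize(user, "Edit Recipe"):
        return False
    recipe.state, recipe.drafted_by = "Draft", user.user_id
    return True

def approve_recipe(user: User, recipe: Recipe) -> bool:
    """Four-Eyes release: Quality role required, and the approver may not be the drafter."""
    if not authorize(user, "Approve Recipe") or recipe.state != "Draft":
        return False
    if recipe.drafted_by == user.user_id:   # Segregation of Duties
        return False
    recipe.state = "Released"
    return True
```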

The JML Lifecycle (Joiner, Mover, Leaver)

User access tends to rot over time. "Privilege Creep" occurs when a user moves departments and keeps their old keys while getting new ones. Enforce a strict lifecycle.

Joiner (New Hire)

  • Trigger: HR System / Helpdesk Ticket.
  • Rule: Copy Profile (e.g., "Mirror permissions of User X").
  • Validation: Manager must approve the specific Role request.
  • SLA: Access ready on Day 1.

Mover (Job Change)

  • Trigger: Promotion or Department Transfer.
  • Risk: Accumulation of rights (e.g., an Operator becomes an Engineer but keeps the ability to execute production).
  • Logic:
    • Step 1: Revoke ALL current permissions.
    • Step 2: Apply NEW Role permissions.
    • Never just "Add" the new role on top of the old one.

Leaver (Termination)

  • Trigger: HR Notification.
  • Action: Immediate Account Disable (Active Directory & MES).
  • Speed: < 1 Hour from termination notice.
  • Clean Up: Transfer ownership of any "Checked Out" files/records to the Manager.

Audit Trails: The "God View"

Every click that alters data must be recorded. Never use generic accounts like Line1_Admin or Operator_3: if Line1_Admin changes a safety limit, you have no way of knowing who actually pressed the button. Every action must be attributable to a named human.

Standard Manufacturing Roles

  • Operator (Read/Execute): Can start jobs, view SOPs, and record Pass/Fail. Cannot change recipes or skip steps.
  • Line Lead (Override): Can release "Held" lots and re-assign tasks.
  • Process Engineer (Write): Can modify Limits, Recipes, and Bill of Operations.
  • Maintenance (Bypass): Can operate machine in "Manual Mode" for repair.

Access Logic

  • If User is in AD Group MES_Operators → Grant Level 1 Access.
  • If User leaves the company → Disable AD Account (Access revoked instantly across all systems).

Authentication & SSO (Single Sign-On)

On the shop floor, speed is the priority. If an operator has to type a complex password every 60 seconds, they will write it on a sticky note attached to the monitor.

Shop Floor Auth Strategy (Badge + PIN)

  • Mechanism: Integrate RFID Badge Readers (HID) with the MES.
  • Workflow:
    1. Tap: Operator taps badge.
    2. Verify: System reads Card ID -> Queries Active Directory -> Logs User in.
    3. Timeout: Auto-logout after 5 minutes of inactivity to prevent "piggybacking."

Office/Remote Auth Strategy (MFA)

  • Mechanism: Engineers accessing the system from outside the OT network must use Multi-Factor Authentication (MFA).
  • Rule: No remote access to PLC/SCADA control functions without VPN + MFA.

Privileged Actions (The "Break Glass" Logic)

Some actions are necessary but dangerous (e.g., Changing a test limit, Force-Passing a failed unit). These require a "conscious act" of elevation.

Double-Authentication Protocol

Do not rely on the user simply being logged in. Force them to re-prove their identity for critical steps.

  • Trigger: User clicks "Modify Recipe."
  • System Challenge: Pop-up window: "Please Re-Enter Password / Tap Badge to Confirm."
  • Result: This stops accidental clicks and creates a distinct "Signature" event in the logs.

Supervisor Sign-Off

  • If a critical safety parameter is changed → Require "Four-Eyes" Principle.
  • Action: The Engineer makes the change, but the system leaves it in "Pending" state until a Manager logs in and approves it.
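As an added example (not code from the original page), one terminal's session logic for the Badge + PIN workflow and the Double-Authentication rule: badge tap logs in, five idle minutes log out, and a critical action is refused unless the identity was re-proven moments before. The badge directory, the 30-second step-up window and the demo clock are assumptions.

```python
# Added example, not from the original page: session handling for the Badge + PIN workflow and the Double-Authentication rule above.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
BADGE_DIRECTORY: Dict[str, str] = {"04A1B2C3": "j.doe"}   # constructed stand-in for the AD lookup
INACTIVITY_LIMIT = timedelta(minutes=5)                  # Timeout step of the workflow above
STEP_UP_WINDOW = timedelta(seconds=30)                   # assumed: how fresh a re-proof must be
CRITICAL_ACTIONS = {"Modify Recipe", "Force Pass"}
T0 = datetime(2025, 4, 1, 10, 0, tzinfo=timezone.utc)    # constructed shift start for the demo

def clock(minutes: float) -> datetime:
    return T0 + timedelta(minutes=minutes)

class Terminal:
    def __init__(self):
        self.user: Optional[str] = None              # None = nobody logged in
        self.last_activity: Optional[datetime] = None
        self.last_step_up: Optional[datetime] = None
        self.events: List[str] = []                  # what the audit log would receive

    def tap_badge(self, card_id, now) -> bool:
        """Tap -> Verify the card against the directory -> log the user in."""
        user = BADGE_DIRECTORY.get(card_id)
        if user is None:
            return False
        self.user, self.last_activity, self.last_step_up = user, now, None
        self.events.append(f"LOGIN {user}")
        return True

    def _alive(self, now) -> bool:
        """Auto-logout after INACTIVITY_LIMIT so nobody piggybacks on an idle session."""
        if self.user and now - self.last_activity > INACTIVITY_LIMIT:
            self.events.append(f"AUTO_LOGOUT {self.user}")
            self.user = None
        return self.user is not None

    def step_up(self, card_id, now) -> bool:
        """Re-prove identity for a critical step; emits a distinct Signature event."""
        if not self._alive(now) or BADGE_DIRECTORY.get(card_id) != self.user:
            return False
        self.last_step_up = now
        self.events.append(f"SIGNATURE {self.user}")
        return True

    def act(self, action, now) -> bool:
        """Being logged in is not enough for CRITICAL_ACTIONS: a fresh step-up is required."""
        if not self._alive(now):
            return False
        if action in CRITICAL_ACTIONS and (self.last_step_up is None or now - self.last_step_up > STEP_UP_WINDOW):
            return False
        self.last_activity = now
        self.events.append(f"{action} {self.user}")
        return True
```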

Audit Logs (The Black Box)

Compliance (FDA, IATF, ISO) requires proving who changed what setting and when; if you cannot, your system is not compliant. The audit log is your legal defense.

Immutability Standard

  1. Storage: Write-Once, Read-Many (WORM).
  2. Integrity: Logs must be cryptographically signed or stored in a separate database that System Admins cannot modify.

Audit logs must be Read-Only. Even the IT Admin should not be able to delete the Audit Log. Ship these logs to an immutable SIEM (Security Information and Event Management) system or WORM storage.

The 4 Ws of Logging

For every INSERT, UPDATE, or DELETE, the system must log:

  1. Who: User ID (not generic "Admin").
  2. When: UTC Timestamp.
  3. What: The specific Field changed.
  4. Value: The Old Value and the New Value.

The "Who, What, Where, Why" Format

A log entry saying "Value Changed" is useless. It must be verbose.

  • Bad Log: 10:00 AM - User: J.Doe - Update
  • Good Log: 10:00 AM - User: J.Doe - Changed [Oven_Temp] from [240C] to [245C]. Reason: [New Profile A1]. Station: [Oven-01]

Pro-Tip: Create an "Alerting Rule" on specific critical parameters (e.g., "Sterilization Time"). If such a parameter is changed, trigger an immediate email to the Quality Director. Don't wait for the monthly audit to find out.
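As an added example (not code from the original page), an append-only audit trail that refuses generic accounts and missing reasons, renders the "Good Log" line above, and fires the Alerting Rule for critical parameters. Entries are chained with SHA-256 so a deleted or edited row is detectable; that chain is a stand-in for the signing or separate-database control, and the parameter list, account list and alert text are assumptions.

```python
# Added example, not from the original page: hash-chained audit trail in the "Good Log" format.
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

CRITICAL_PARAMETERS = {"Sterilization_Time", "Oven_Temp"}   # constructed example list
GENERIC_ACCOUNTS = {"Admin", "Line1_Admin", "Operator_3"}   # never acceptable as "Who"
GENESIS = "0" * 64

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries: List[dict] = []
        self.alerts: List[str] = []      # stand-in for e-mails to the Quality Director
        self._prev = GENESIS

    def record(self, who, station, field, old, new, reason, when: Optional[datetime] = None) -> dict:
        """Log Who / When (UTC) / What / Old+New Value / Why / Where for one change."""
        if who in GENERIC_ACCOUNTS or not reason:
            raise ValueError("Who must be a named user and a Reason is mandatory")
        body = {"when": (when or datetime.now(timezone.utc)).isoformat(), "who": who,
                "station": station, "what": field, "old": old, "new": new,
                "reason": reason, "prev": self._prev}
        entry = dict(body, hash=_digest(body))      # each row commits to the previous row
        self.entries.append(entry)
        self._prev = entry["hash"]
        if field in CRITICAL_PARAMETERS:            # Alerting Rule: don't wait for the monthly audit
            self.alerts.append(f"To Quality Director: {who} changed {field} on {station} from {old} to {new}")
        return entry

    def verify(self) -> bool:
        """Recompute the chain; a removed, reordered or altered row breaks it."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def render(e: dict) -> str:
    """The verbose 'Good Log' line from the section above."""
    return (f"{e['when']} - User: {e['who']} - Changed [{e['what']}] from [{e['old']}] "
            f"to [{e['new']}]. Reason: [{e['reason']}]. Station: [{e['station']}]")
```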

The Access Review (Cadence)

Trust but verify. Permissions drift.

  • Frequency: Quarterly (Every 90 Days).
  • Process:
    1. IT generates a report of all Active Users + Roles.
    2. Department Managers receive the list for their team.
    3. Action: Manager must mark each user as "Retain" or "Revoke."
    4. Logic: If the Manager fails to review by the Deadline, Then Auto-Disable the accounts.
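As an added example (not code from the original page) covering the JML lifecycle and the Access Review above: a small identity store where a Mover is revoke-then-apply, a Leaver is disabled at once with checked-out records handed to the manager, and the quarterly review auto-disables unreviewed accounts past the deadline. User names, the 30-day stale limit (taken from the Final Checklist) and the demo clock are assumptions; roles are held in a set only so that a wrongly "added" Mover shows up in the creep check.

```python
# Added example, not from the original page: identity store applying the JML and review rules.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple
STALE_AFTER = timedelta(days=30)     # "Stale Accounts" threshold from the Final Checklist

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)   # constructed clock for the demo

@dataclass
class Account:
    user_id: str
    roles: Set[str]                  # should hold exactly one Role; a set makes creep visible
    manager: str
    enabled: bool = True
    last_login: Optional[datetime] = None
    checked_out: List[str] = field(default_factory=list)   # records locked by this user

class IdentityStore:
    def __init__(self):
        self.accounts: Dict[str, Account] = {}

    def joiner(self, user_id, role, manager, manager_approved: bool, now):
        if not manager_approved:                     # Validation step of the Joiner process
            raise PermissionError("Role request must be approved by the Manager")
        self.accounts[user_id] = Account(user_id, {role}, manager, last_login=now)

    def mover(self, user_id, new_role):
        acct = self.accounts[user_id]
        acct.roles.clear()                           # Step 1: revoke ALL current permissions
        acct.roles.add(new_role)                     # Step 2: apply the NEW Role only

    def leaver(self, user_id) -> Tuple[str, List[str]]:
        """Disable immediately; hand any checked-out records to the Manager."""
        acct = self.accounts[user_id]
        acct.enabled, acct.roles = False, set()
        handed, acct.checked_out = acct.checked_out, []
        return acct.manager, handed

    def privilege_creep(self) -> List[str]:
        """Enabled users holding more than one Role: a Mover was 'added' instead of replaced."""
        return [u for u, a in self.accounts.items() if a.enabled and len(a.roles) > 1]

    def quarterly_review(self, decisions: Dict[str, str], now, deadline) -> List[str]:
        """Retain/Revoke per Manager; unreviewed past the deadline or stale beyond STALE_AFTER -> disable."""
        disabled = []
        for u, a in self.accounts.items():
            stale = a.last_login is not None and now - a.last_login > STALE_AFTER
            unreviewed = u not in decisions and now > deadline
            if a.enabled and (decisions.get(u) == "Revoke" or unreviewed or stale):
                a.enabled, a.roles = False, set()
                disabled.append(u)
        return disabled
```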

Final Checklist

| Category        | Metric / Control            | Threshold / Rule                                                  |
|-----------------|-----------------------------|-------------------------------------------------------------------|
| Identity        | Attribution                 | 100% of actions linked to a unique Named User.                    |
| Least Privilege | Role Usage                  | 100% of users assigned to a Role. 0 Direct Permissions.           |
| RBAC            | Granularity                 | Users mapped to AD Groups, not local DB permissions.              |
| Segregation     | SoD (Segregation of Duties) | No single user can both Edit and Approve a Master Record.         |
| Auth            | Friction                    | RFID/Badge Login enabled for Shop Floor terminals.                |
| Leavers         | Kill Switch                 | Terminated users disabled in < 2 Hours.                           |
| Security        | Timeout                     | Auto-logout set to < 10 mins on shared terminals.                 |
| Hygiene         | Stale Accounts              | If Inactive > 30 Days → Then Disable.                             |
| Risk            | Elevation                   | Critical changes require Double-Auth (Re-entry).                  |
| Audit           | Retention                   | Logs kept for Product Lifetime + X Years.                         |
| Audit           | Traceability                | Logs capture Old_Value vs New_Value for all Config changes.       |
| Review          | Governance                  | Quarterly Access Review completed by Dept Managers.               |
| Admin           | Control                     | IT Admins blocked from modifying Business Data (Recipes/BOMs).    |