Implement Access Control and Authorization: Fillable template and example

Fillable template: Implement access control and authorization policy (user policy) DOCX, 43 KB

Fillable templates provide instructions on the information required to be documented for certification.

Example: Implement access control and authorization policy (user policy) DOCX, 123 KB

Examples provide sample text to help learners complete a template.

[Organization name/letterhead]

Implement access control and authorization policy (user policy)

[insert date]


CyberSecure Canada has developed this template for your use in relation to certification requirements for the Provide Employee Awareness Training security control area. It provides guidance as to how information can be organized and documented for certification. CyberSecure Canada does not guarantee a successful certification from use of this template. Organizations are not obliged to use this template and may provide the certification requirement(s) in a documented format best suited for them.

Template instructions

Instructions: The purpose of this template is to help users to meet the certification requirements for the Implement Access Control and Authorization security control area for CyberSecure Canada.

Instructions are provided in blue font within each section of this template. Upon completion of the template, delete these instructions.

It is recommended that users review the eLearning module for Implement Access Control and Authorization and the completed example of this policy. Instructions end.

Revision history

It is a best practice for organizations to review and update their policies regularly.

The Implement Access Control and Authorization Policy (User Policy) has been modified as follows:





[Date edited] | [Document version] | [Description of changes made] | [Name of the editor]


Instructions: Insert your scope statement or use the example below.

This policy shall apply to all employees, contractors, and affiliates of [Organization Name] who have either a general or administrative account on [Organization Name] devices and systems.

All accounts

Instructions: Insert your policy statement(s) for all accounts below. Alternatively, you can use the example provided.

  1. Accounts only have the bare minimum of administrative tools needed.
  2. Network share access is limited and controlled.
  3. Users must be authenticated before being granted an account.
  4. All users will only have the account privileges required for their roles.
  5. Accounts will be removed when employees depart the organization.

General accounts

Instructions: It's important to ensure general user accounts do not have the abilities of administrator accounts. Administrator accounts should be limited to performing administrator duties only. Checking email and surfing the web are examples of activities which should not be performed when logged in as an administrator.

Insert your policy statement(s) for general accounts below. Alternatively, you can use the example provided.

List what users with general accounts will be able to do.

Clearly state that general account users will have fewer privileges than administrator account users.

General accounts are administered by [Organization Name], and do not have administrator rights.

Administrator accounts


  • Determine the software/IT systems to which administrator accounts apply.
  • Determine who in your organization will be given an administrator account.
  • Determine and list the authorities and activities of an administrator account user.
  • Insert your policy statement(s) for administrator accounts below. Alternatively, you can use the example provided.
  1. Granted administrative rights to:
    1. disable or revert software updates
    2. disable anti-malware
    3. change software settings
  2. Administrator account users will be limited to IT personnel.
  3. Administrator accounts are limited to performing administrative activities. Users who have administrator accounts must also have a general account for general business use.

Identity and access management

Instructions: Organizations have the option to use centralized authorization control systems to help administer user accounts. If your organization does not use this type of system, indicate that this section is not applicable.

Insert your policy statement(s) related to identity and access management administrator accounts.


Instructions: Insert your enforcement statements below or use the example provided.

It is the responsibility of [insert] to enforce this policy by granting users the appropriate accounts and permissions to fulfill their role and responsibilities. It is the responsibility of managers and team leaders to verify account permissions for their employees to [Insert title/person responsible to enforce this policy].

Additional certification requirements

Non-IT personnel with administrator rights

Instructions: Outline situations where non-IT personnel have administrator rights and the rationale why they require this level of authority.

Account maintenance

Instructions: Outline how your organization reviews accounts to ensure accounts of employees departing the organization are either suspended or deleted. As well, provide an outline of how accounts are regularly reviewed to ensure each person has the appropriate privileges and functionality their position requires.