Permission control Clause Samples
Permission control. A technical system for permission control shall govern the access to the personal data for the Processor and its personnel. Permissions shall be limited to those who need access to the personal data for their work. User ID and password shall be personal and may not be transferred or assigned to another person. There shall be procedures in place for the allocation and removal of permissions.
Permission control. (a) Role and authorisation concept
(i) Role and authorisation concept customer system ● A multi-level role concept for assigning rights can be individually configured for clients, distinguishing between viewing and editing rights for each function or area within Alasco for individual users.
(ii) Role and Authorisation Concept Admin System ● Access to the admin system is limited to trained employees in the areas of customer service and product development. Employees from the sales and finance team only have access to customer systems during the free test phase or to the corresponding billing data via the admin system and therefore cannot view customer data.
(iii) Role and authorisation concept server/database system ● Access to the server/database system is generally restricted to a limited number of trained employees in the area of product development and infrastructure.
(b) Assignment of access rights
(i) The allocation of access rights at Alasco is generally carried out according to the "Need-to-Know" principle. Access is only granted to people who need it comprehensibly and for as long as they need it. The person making the request must give a conclusive reason for the need when applying. The authorisation concept is role-based. Each employee is assigned a specific role. Authorisations that deviate from this role must be justified. Supervisors are required to request a corresponding correction of authorisations if employees change tasks. If employees leave the company, the personnel managers inform the personnel department immediately of any pending changes so that the corresponding authorisations can be revoked. If possible, the revocation of authorisations must take place within 24 hours of an employee leaving the company.
(c) Using a packet filtering firewall
(i) Alasco's servers use packet filter firewalls that ensure that no services can be accessed directly from the Internet. Publicly accessible services are routed via load balancers or bastion hosts that only allow the protocols required for the service in question.
(d) Logging of logon and logoff events
(i) Attempts to log on to and log off from the admin, customer and server systems/software are logged (min. e-mail address, user ID, IP address, result of the login attempt and timestamp) and are currently kept for up to 30 days. These logs can be evaluated on request and/or on concrete suspicion.