Tracking Access Control
You should track the list of users who have access to secrets by recording the permissions (the accounts and credentials, and what each may do) associated with a security resource in a single, centralised Access Control List (ACL).
The ACL specifies who or what is allowed to access the resource containing secrets and which operations they are allowed to perform on it. See Principle of Least Privilege for guidance on minimising access rights.
User access rights must be reviewed when people change roles or teams as part of your joiners, leavers and movers process. ACLs should also be regularly reviewed on a predefined cadence (e.g. monthly, quarterly).
Identified exceptions should be raised with the colleague responsible for risk management in the directorate for escalation.
Each team's ACL review should be documented to reflect:
- who (which colleague) completed the review
- the date the review was undertaken
- the next review date
- any changes to the users granted access, and the reason for each change (if any)
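As an added illustration (not part of the original guidance), the following Python script shows how a team could produce the review record described above mechanically: it diffs a previous ACL snapshot against the current one, captures who reviewed it and when, derives the next review date from the chosen cadence, flags any change that has no recorded reason, and reports whether a record is overdue. All principal names, the resource name and the cadence lengths are constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample ACL snapshots for one secret: principal -> permitted operations.
# Names are hypothetical; in practice these would be exported from the secrets store.
PREVIOUS_ACL = {
    "alice@example.org": {"read"},
    "bob@example.org": {"read", "rotate"},
    "ci-deploy-bot": {"read"},
}
CURRENT_ACL = {
    "alice@example.org": {"read", "rotate"},  # operations widened since last review
    "ci-deploy-bot": {"read"},
    "carol@example.org": {"read"},            # newly granted
}
# bob@example.org no longer appears: access was removed.

# Reasons captured during the joiners/leavers/movers process (constructed).
# Alice's widened access has no reason recorded, so the review should flag it.
CHANGE_REASONS = {
    "carol@example.org": "joined team (JML ticket: PLACEHOLDER-ID)",
    "bob@example.org": "left team (JML ticket: PLACEHOLDER-ID)",
}

# Assumed review cadences in days; the page names monthly and quarterly as examples.
CADENCE_DAYS = {"monthly": 30, "quarterly": 91}

MISSING_REASON = "MISSING"


def diff_acl(previous, current):
    """Return (added, removed, changed) between two ACL snapshots.

    added/removed map principal -> operations; changed maps principal -> (old, new).
    """
    added = {p: ops for p, ops in current.items() if p not in previous}
    removed = {p: ops for p, ops in previous.items() if p not in current}
    changed = {
        p: (previous[p], current[p])
        for p in previous.keys() & current.keys()
        if previous[p] != current[p]
    }
    return added, removed, changed


def build_review_record(resource, reviewer, review_date, cadence, previous, current, reasons):
    """Produce the review record the guidance asks for: reviewer, dates, and changes with reasons."""
    added, removed, changed = diff_acl(previous, current)
    changes = []
    for p in sorted(added):
        changes.append({"principal": p, "change": "granted",
                        "operations": sorted(added[p]),
                        "reason": reasons.get(p, MISSING_REASON)})
    for p in sorted(removed):
        changes.append({"principal": p, "change": "revoked",
                        "operations": sorted(removed[p]),
                        "reason": reasons.get(p, MISSING_REASON)})
    for p in sorted(changed):
        old, new = changed[p]
        changes.append({"principal": p, "change": "modified",
                        "operations": {"before": sorted(old), "after": sorted(new)},
                        "reason": reasons.get(p, MISSING_REASON)})
    return {
        "resource": resource,
        "reviewed_by": reviewer,
        "review_date": review_date.isoformat(),
        "next_review_date": (review_date + timedelta(days=CADENCE_DAYS[cadence])).isoformat(),
        "changes": changes,
    }


def missing_reasons(record):
    """Principals whose access changed without a documented reason; these are the exceptions to escalate."""
    return [c["principal"] for c in record["changes"] if c["reason"] == MISSING_REASON]


def is_overdue(record, today):
    """True when the predefined review cadence has lapsed."""
    return today > date.fromisoformat(record["next_review_date"])


if __name__ == "__main__":
    record = build_review_record("secret/payments-db", "reviewer@example.org",
                                 date(2024, 3, 1), "monthly",
                                 PREVIOUS_ACL, CURRENT_ACL, CHANGE_REASONS)
    print(record)
    print("exceptions to escalate:", missing_reasons(record))
    print("overdue on 2024-04-01:", is_overdue(record, date(2024, 4, 1)))
```

The record is plain data, so it can be committed alongside the secret's configuration or pushed to whatever register the team keeps; the `missing_reasons` output is the list of exceptions that the guidance says should be raised with the colleague responsible for risk management.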