Access Controls Policy

Effective Date: August 11, 2025 | Version 1.0

1. Purpose and Scope

This Access Controls Policy establishes the framework for managing and controlling access to our e-commerce platform, systems, and sensitive data. This policy applies to all users, administrators, and third-party services accessing our production environment.

2. Role-Based Access Control (RBAC)

2.1 User Roles and Permissions

Our platform implements strict role-based access control with the following defined roles:

ADMIN Role

  • Full system administration access
  • User management and role assignment
  • Financial and payment system configuration
  • Access to all customer data and orders
  • System configuration and security settings
  • Audit log review and analysis

STAFF Role

  • Order management and fulfillment
  • Customer service functions
  • Product inventory management
  • Limited financial data access (view only)
  • Cannot modify system settings or user roles

CUSTOMER Role

  • Self-service account management
  • View own orders and invoices
  • Manage own payment methods
  • Access to own transaction history only
  • No access to other customer data or system functions

2.2 Permission Matrix

Resource             ADMIN   STAFF   CUSTOMER
User Management      Full    None    None
Payment Processing   Full    View    Own Only
Customer Data        Full    Read    Own Only
System Settings      Full    None    None
Audit Logs           Full    None    None
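The matrix above is only as good as the check that enforces it. The Python example below is added here and is not the platform's code; the resource names, the Principal and Resource shapes and the check_access() function are assumptions. It shows the one case a role lookup alone cannot decide: "Own Only", where the record's owner must be compared with the requesting user, otherwise any CUSTOMER can read any other customer's data by changing an identifier.

```python
"""Enforcing the Section 2.2 permission matrix, including "Own Only".
Added example, not the platform's code; names and shapes are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Level(Enum):
    NONE = 0   # no access
    OWN = 1    # read/write, but only records the principal owns
    VIEW = 2   # read only, any record ("View" / "Read" in the matrix)
    FULL = 3   # read/write, any record


# Permission matrix from Section 2.2, keyed by resource then role.
MATRIX = {
    "user_management":    {"ADMIN": Level.FULL, "STAFF": Level.NONE, "CUSTOMER": Level.NONE},
    "payment_processing": {"ADMIN": Level.FULL, "STAFF": Level.VIEW, "CUSTOMER": Level.OWN},
    "customer_data":      {"ADMIN": Level.FULL, "STAFF": Level.VIEW, "CUSTOMER": Level.OWN},
    "system_settings":    {"ADMIN": Level.FULL, "STAFF": Level.NONE, "CUSTOMER": Level.NONE},
    "audit_logs":         {"ADMIN": Level.FULL, "STAFF": Level.NONE, "CUSTOMER": Level.NONE},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str
    owner_id: Optional[str] = None  # None for resources with no single owner


def check_access(p: Principal, r: Resource, action: str) -> bool:
    """True if principal p may perform action ("read" or "write") on r.
    Unknown roles, resources and actions are denied: the check fails closed."""
    if action not in ("read", "write"):
        return False
    level = MATRIX.get(r.kind, {}).get(p.role, Level.NONE)
    if level is Level.NONE:
        return False
    if level is Level.FULL:
        return True
    if level is Level.VIEW:
        return action == "read"
    # Level.OWN: the role lookup is not enough. The record must belong to
    # the caller; omitting this comparison is the classic IDOR bug.
    return r.owner_id is not None and r.owner_id == p.user_id


def require_access(p: Principal, r: Resource, action: str) -> None:
    """Raise instead of returning False, for use at the top of a handler."""
    if not check_access(p, r, action):
        raise PermissionError(f"{p.role} {p.user_id} may not {action} {r.kind}")


if __name__ == "__main__":
    # Constructed sample principals; the ownership check is what separates
    # the first two results.
    alice = Principal("c1", "CUSTOMER")
    print(check_access(alice, Resource("customer_data", owner_id="c1"), "read"))
    print(check_access(alice, Resource("customer_data", owner_id="c2"), "read"))
```

The ownership comparison has to run on every "Own Only" path, including lookups by order number or invoice number, since those identifiers are guessable even when user identifiers are not.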

3. Authentication Requirements

3.1 Password Policy

  • Minimum 12 characters in length
  • Must contain uppercase and lowercase letters
  • Must include numbers and special characters
  • Password history enforcement (cannot reuse last 5 passwords)
  • Account lockout after 5 failed login attempts
  • Password reset requires email verification

3.2 Session Management

  • Automatic session timeout after 30 minutes of inactivity
  • Session tokens are signed and encrypted JWTs
  • Session invalidation on password change (enforced by a server-side check, since a signed JWT otherwise remains valid until it expires)
  • Single session enforcement for sensitive operations

3.3 Multi-Factor Authentication (MFA)

  • Required for all ADMIN accounts
  • Available for all user accounts as optional security
  • Email-based verification for sensitive operations
  • Device fingerprinting for anomaly detection

4. Access Provisioning Process

4.1 New User Access

  1. Access request submitted through registration or admin panel
  2. Email verification required for all new accounts
  3. Business verification for CUSTOMER accounts with payment access
  4. Admin approval required for STAFF role assignments
  5. Access granted based on principle of least privilege

4.2 Access Modification

  • Role changes require ADMIN authorization
  • All access modifications are logged in audit trail
  • Immediate effect upon role change
  • Notification sent to affected user

4.3 Access Revocation

  • Immediate deactivation upon account termination
  • Automated session invalidation
  • API token revocation
  • Removal from all access control lists
  • Data retention per legal requirements

5. Periodic Access Reviews

5.1 Review Schedule

  • Quarterly review of all ADMIN accounts
  • Semi-annual review of STAFF accounts
  • Annual review of inactive CUSTOMER accounts
  • Immediate review upon security incidents

5.2 Review Process

  1. Generate access reports from system
  2. Verify continued business need for access
  3. Confirm appropriate role assignments
  4. Identify and remove orphaned accounts
  5. Document review results and actions taken

6. API and Third-Party Access

6.1 API Access Control

  • API keys required for all programmatic access
  • Rate limiting enforced on all endpoints
  • IP whitelisting for production API access
  • API key rotation every 90 days
  • Separate keys for development and production

6.2 Third-Party Service Access

  • OAuth 2.0 for Plaid payment integration
  • Webhook signature verification for all incoming requests
  • Encrypted token storage for service credentials
  • Regular review of third-party permissions
  • Immediate revocation upon service termination
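Webhook signature verification is where integrations most often go wrong: comparing with ==, verifying a re-serialised copy of the body instead of the bytes received, or accepting a valid signature on a replayed request. The Python example below is added here and is not the platform's or any provider's code. It assumes a generic scheme in which the sender puts a Unix timestamp in an X-Webhook-Timestamp header and the hex HMAC-SHA256 of "<timestamp>.<raw body>" in X-Webhook-Signature; real providers define their own header names and formats, so the layout must be matched to the provider's documentation before use.

```python
"""Webhook signature verification as in Section 6.2.
Added example, not the platform's or any provider's code. The header names
and the "<timestamp>.<raw body>" signing layout are assumptions."""
import hashlib
import hmac
import json
from typing import Mapping, Optional

TOLERANCE = 5 * 60  # accept timestamps within five minutes of local time


def sign_webhook(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Sender side. Signing the exact bytes on the wire, prefixed with the
    timestamp, binds the signature to this delivery and this payload."""
    msg = str(timestamp).encode("ascii") + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: Mapping[str, str], raw_body: bytes,
                   now: int) -> Optional[dict]:
    """Receiver side. Returns the parsed JSON payload only after the
    signature and timestamp checks pass; returns None on any failure."""
    ts_header = headers.get("X-Webhook-Timestamp", "")
    sig_header = headers.get("X-Webhook-Signature", "")
    try:
        ts = int(ts_header)
    except ValueError:
        return None
    # Stale or future-dated deliveries are rejected so that a captured
    # request cannot be replayed outside the window.
    if abs(now - ts) > TOLERANCE:
        return None
    expected = sign_webhook(secret, ts, raw_body)
    # Constant-time comparison; "sig_header == expected" leaks via timing.
    if not hmac.compare_digest(expected, sig_header):
        return None
    # Parse only after verification, and from the same raw bytes that were
    # signed. Re-serialising a parsed object changes whitespace and key
    # order and is the usual cause of "the signature never matches".
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    # Constructed delivery: the sender signs, the receiver verifies.
    secret = b"constructed-webhook-secret"
    body = b'{"event":"payment.settled","order_id":"A1"}'
    hdrs = {"X-Webhook-Timestamp": "1700000000",
            "X-Webhook-Signature": sign_webhook(secret, 1700000000, body)}
    print(verify_webhook(secret, hdrs, body, 1700000030))
    print(verify_webhook(secret, hdrs, body + b" ", 1700000030))  # tampered
```

For exactly-once handling inside the tolerance window, the receiver should also record delivery identifiers it has already processed, since the timestamp check alone still admits a replay within five minutes.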

7. Production Environment Access

7.1 Infrastructure Access

  • SSH key-based authentication only
  • Bastion host for production access
  • VPN required for administrative access
  • No direct (raw SQL) database access from the application; all queries go through the ORM (see 7.2)
  • Encrypted connections for all services

7.2 Database Access

  • Application-level access through ORM only
  • Separate read and write credentials
  • Connection pooling with limits
  • Encrypted connections using TLS
  • Query logging for audit purposes

8. Audit and Monitoring

8.1 Access Logging

  • All authentication attempts logged
  • Failed login monitoring and alerting
  • Role changes and permission modifications tracked
  • API access logs with request details
  • Administrative action audit trail

8.2 Log Retention

  • Access logs retained for 90 days minimum
  • Security event logs retained for 1 year
  • Audit trails retained for 3 years
  • Encrypted backup of critical logs

9. Incident Response

9.1 Unauthorized Access Response

  1. Immediate account suspension upon detection
  2. Session invalidation across all systems
  3. Password reset enforcement
  4. Investigation and root cause analysis
  5. Notification to affected parties if required

9.2 Breach Containment

  • Isolation of compromised accounts
  • Revocation of all associated tokens
  • System-wide password reset if necessary
  • Enhanced monitoring activation
  • Legal and regulatory notification as required

10. Compliance and Standards

  • PCI DSS requirements for payment data access
  • NACHA rules for ACH payment processing
  • State privacy laws (CCPA, etc.)
  • Industry best practices (NIST, ISO 27001)
  • Regular compliance assessments

11. Training and Awareness

  • Access control training for all new users
  • Annual security awareness updates
  • Role-specific training for privileged users
  • Incident reporting procedures education
  • Best practices documentation maintained

12. Policy Enforcement

Violations of this Access Controls Policy may result in:

  • Immediate access revocation
  • Account suspension or termination
  • Legal action if warranted
  • Notification to relevant authorities

13. Policy Review

This policy is reviewed annually and updated as needed to address:

  • Changes in business operations
  • New regulatory requirements
  • Emerging security threats
  • Technology updates
  • Lessons learned from incidents

Contact Information

  • Security Officer: Administrator
  • Email: contact@shawnnance.com
  • Access Requests: Via admin panel or email

This Access Controls Policy demonstrates our commitment to maintaining strict access controls and protecting sensitive data through comprehensive role-based access management and continuous monitoring.