User Accounts & Responsibilities

📅 Last updated: March 2025 👥 Maintained by: Security & Compliance Team 🔒 Internal Use Only
ℹ️
This document outlines the standardized account structure, role-based permissions, and security responsibilities across all #about digital platforms. All employees, contractors, and third-party vendors must comply with these guidelines.

Overview

At #about, secure and efficient account management is foundational to our operational integrity. We follow a strict Role-Based Access Control (RBAC) model to ensure that users only have access to the data and tools necessary for their specific job functions.

Proper account management minimizes security risks, ensures regulatory compliance (SOC 2, GDPR, CCPA), and maintains audit trails across all client and internal systems. Failure to adhere to these guidelines may result in access revocation or disciplinary action.

Account Roles & Tiers

Every user account is assigned a primary role upon provisioning. Roles define baseline access levels, approval workflows, and accountability standards.

Role          | Scope                                                                      | Approval Level         | Typical Users
Administrator | Full system access, user management, billing, API keys, security settings  | VP / C-Suite           | IT Directors, Platform Leads, Compliance Officers
Manager       | Project oversight, team management, resource allocation, reporting         | Director / Head of Dept | Project Managers, Team Leads, Account Directors
Editor        | Create, edit, publish content; manage workflows; limited settings          | Manager / Team Lead    | Designers, Developers, Content Strategists, Marketers
Viewer        | Read-only access to assigned projects, documentation, and reports          | Auto-provisioned       | Interns, Junior Staff, Cross-functional Contributors
Auditor       | Read-only access to logs, compliance records, and financial reports        | Compliance / Legal     | Internal Audit, External Consultants, Legal Team

Permissions Matrix

The following matrix details granular permissions by role. Access is evaluated on a need-to-know basis and must be justified during the provisioning request. Legend: ✓ = granted by default for the role; ✗ = denied for the role; — = not applicable to the role.

Permission                  | Admin | Manager | Editor | Viewer | Auditor
Create / Edit Accounts      |   ✓   |    ✗    |   —    |   —    |    —
Manage Billing & Invoicing  |   ✓   |    ✓    |   ✗    |   ✗    |    ✗
Deploy to Production        |   ✓   |    ✓    |   ✗    |   —    |    —
Access Client Data          |   ✓   |    ✓    |   ✓    |   ✓    |    ✓
Modify Security Settings    |   ✓   |    ✗    |   —    |   —    |    —
Export Reports / Logs       |   ✓   |    ✓    |   ✗    |   —    |    ✓

Note: the Auditor role is read-only by definition; it reviews financial records through Export Reports / Logs and does not manage billing.
⚠️
Principle of Least Privilege: Never request higher privileges than required for your current tasks. Elevated access requires documented justification and quarterly review.

Security & Compliance Responsibilities

Every account holder shares responsibility for maintaining a secure digital environment. The following protocols are mandatory:

Authentication & Sessions

  • Multi-Factor Authentication (MFA): Enabled and enforced for all roles. TOTP or hardware keys required for Admin/Manager accounts.
  • Password Policy: Minimum 12 characters, complexity requirements, 90-day rotation, no reuse of last 10 passwords.
  • Session Timeouts: Inactive sessions expire after 15 minutes (Editor/Viewer) or 30 minutes (Admin/Manager).

Data Handling & Privacy

  • Client data must never be stored on personal devices or unapproved cloud services.
  • Screenshots or exports of sensitive data require Manager approval and are logged for audit.
  • All PII (Personally Identifiable Information) is encrypted at rest and in transit.

Incident Reporting

If you suspect a compromised account, unauthorized access, or data leak:

  1. Immediately reset your password from a device you trust and revoke all active sessions for the account.
  2. Notify the Security Team via the Incident Reporting Portal.
  3. Do not delete logs or alter system configurations before investigation.

Account Lifecycle & Offboarding

Account management extends beyond initial provisioning. Proper lifecycle management prevents orphaned accounts and reduces attack surface.

Stage         | Action                                                                 | Responsible Party | Timeline
Onboarding    | Role assignment, SSO sync, MFA enrollment, policy acknowledgment       | HR & IT           | Day 1
Access Review | Quarterly validation of permissions vs. current role                   | Direct Manager    | Every 90 days
Role Change   | Permission sync, old access revocation, training if needed             | IT & Manager      | Within 24 hours
Offboarding   | Immediate disable, data handoff, license reclamation, final audit log  | HR, IT, Manager   | Exit day or sooner
✅
Manager Responsibility: You are accountable for all accounts under your team. Failure to initiate offboarding or approve access reviews may result in compliance penalties.
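The Access Review and Offboarding rows above describe what a reviewer must catch: permissions that exceed the role's baseline, contractors holding employee-only roles, accounts left enabled after departure, and temporary elevations that outlive their 7-day limit. The script below is an added example of such a review, not tooling from this page or the Security & Compliance Team. It transcribes the role baselines from the Permissions Matrix; the account records are constructed sample data, and the field names (role, permissions, employment_type, active, departed, elevation_granted) are assumptions for illustration.

```python
"""Quarterly access-review drift check (added example, not the page's own tooling).

The role baselines are transcribed from the Permissions Matrix above; the
account inventory is constructed sample data and its field names are assumed.
"""
from datetime import date

# Baseline permissions per role, transcribed from the Permissions Matrix
# (only cells marked ✓ count as granted).
ROLE_BASELINE = {
    "Administrator": {"create_accounts", "manage_billing", "deploy_production",
                      "access_client_data", "modify_security_settings", "export_reports"},
    "Manager": {"manage_billing", "deploy_production", "access_client_data", "export_reports"},
    "Editor": {"access_client_data"},
    "Viewer": {"access_client_data"},
    "Auditor": {"access_client_data", "export_reports"},
}

# Contractors and vendors may only hold Editor, Viewer or Auditor (see FAQ).
EMPLOYEE_ONLY_ROLES = {"Administrator", "Manager"}
MAX_ELEVATION_DAYS = 7  # FAQ: temporary elevation is capped at 7 days


def review_account(account, today):
    """Return a list of findings for one account record (empty list = clean)."""
    findings = []
    role = account["role"]
    baseline = ROLE_BASELINE.get(role)
    if baseline is None:
        return [f"unknown role {role!r}"]

    # Orphaned account: still enabled after the person has left.
    if account["active"] and account.get("departed"):
        findings.append("orphaned: account enabled after departure")

    # Contractor or vendor holding an employee-only role.
    if account["employment_type"] != "employee" and role in EMPLOYEE_ONLY_ROLES:
        findings.append(f"contractor holds employee-only role {role}")

    # Permission drift: anything beyond the role's baseline must be covered by
    # a documented temporary elevation that is still within its 7-day window.
    excess = set(account["permissions"]) - baseline
    granted = account.get("elevation_granted")  # assumed field: date elevation was approved
    if excess:
        if granted is None:
            findings.append("undocumented excess permissions: " + ", ".join(sorted(excess)))
        elif (today - granted).days > MAX_ELEVATION_DAYS:
            findings.append(f"temporary elevation expired (granted {granted.isoformat()}), "
                            "still holds: " + ", ".join(sorted(excess)))

    return findings


def run_review(accounts, today):
    """Map each account name to its findings; clean accounts are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["name"]] = findings
    return report


# Constructed sample inventory, as if exported from an identity provider.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "role": "Editor", "employment_type": "employee", "active": True,
     "permissions": ["access_client_data"]},                                  # clean
    {"name": "bob", "role": "Editor", "employment_type": "employee", "active": True,
     "permissions": ["access_client_data", "deploy_production"]},             # undocumented drift
    {"name": "carol", "role": "Manager", "employment_type": "contractor", "active": True,
     "permissions": ["access_client_data", "export_reports"]},                # contractor as Manager
    {"name": "dave", "role": "Viewer", "employment_type": "employee", "active": True,
     "departed": True, "permissions": ["access_client_data"]},                 # orphaned
    {"name": "erin", "role": "Editor", "employment_type": "employee", "active": True,
     "permissions": ["access_client_data", "export_reports"],
     "elevation_granted": date(2025, 3, 1)},                                   # elevation past 7 days
    {"name": "frank", "role": "Editor", "employment_type": "employee", "active": True,
     "permissions": ["access_client_data", "deploy_production"],
     "elevation_granted": date(2025, 3, 12)},                                  # elevation still valid
]

if __name__ == "__main__":
    for name, findings in run_review(SAMPLE_ACCOUNTS, date(2025, 3, 15)).items():
        print(name, "->", "; ".join(findings))
```

Run against the sample inventory with a review date of 2025-03-15, the report flags bob, carol, dave and erin and leaves alice and frank clean. The check is deliberately strict in one direction only: it reports privileges above the baseline but never grants anything, so it can run unattended on the monthly automated schedule and hand its findings to the manager who owns the quarterly sign-off.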

Frequently Asked Questions

How do I request elevated access or a role change?
Submit an Access Request Form through the IT portal with your manager's approval. Requests are reviewed within 2 business days. Temporary elevation (max 7 days) requires additional justification.
What happens if I forget my MFA device?
Contact IT Support to initiate a backup recovery code flow. For security reasons, identity verification is required before resetting MFA configurations.
Can contractors receive Admin or Manager roles?
No. Third-party vendors and contractors are restricted to Editor, Viewer, or Auditor roles based on contract scope. Admin privileges are strictly limited to full-time #about employees with cleared access.
How often are permissions audited?
Automated reviews run monthly. Manual compliance audits occur quarterly. All findings are logged and discrepancies are escalated to the Security & Compliance team.