Skip to main content

User permissions in systems

Type of countermeasure

This is a prevention countermeasure. Prevention countermeasures are the most common and cost-effective way to stop fraud. They prevent or limit the size of the fraud risk by reducing the likelihood and consequences of fraud.

decorative  prevention countermeasures


Limit and control functionality within systems with user permissions. Assign permissions to users based on specific business needs, such as making high-risk functions limited to specialised users. The Protective Security Policy Framework sets out the government protective security policies that support this countermeasure.

Why this countermeasure matters

Not controlling system functionality with user permissions can lead to:

  • staff facilitating fraudulent payments
  • staff accessing, manipulating and disclosing information without a business need
  • staff processing fraudulent requests or claims for themselves or another person
  • criminals coercing staff into providing information.

How you might apply this countermeasure

Some ways to implement this countermeasure include:

  • limiting access to functionality within systems to specific permissions
  • requiring a business case and approval to obtain specific permissions
  • making sure only certain teams have access to certain functions, such as only payroll staff having access to payroll functions and information
  • blocking staff from accessing their own records
  • only allowing authenticated clients of authorised representatives to perform functions on a client’s record.

How to check if your countermeasures are effective

Here are some ways to measure the effectiveness of this type of countermeasure:

  • confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • sensitive and classified information
    • access to information
    • safeguarding information from cyber threats
    • robust ICT systems.
  • confirm the existence of permissions and limits within the system.
  • review procedures or guidance to confirm it clearly specifies where permissions should be limited.
  • obtain and review requirements for who should have certain user permissions.
  • confirm the existence of a request and approvals process for obtaining specific permissions.
  • confirm request and approvals processes are consistently applied.
  • review procedures for requesting user permissions, confirm the request processes are robust and actively test them if required.
  • confirm that someone cannot get around standard process requirements even when subject to pressure or coercion.
  • confirm that user permissions consider separation of duties requirements.
  • review the need for Security Clearances for some permissions.
  • review reports of user permissions to confirm only those who require permissions have the permissions.
  • undertake testing or a process walk-through to confirm that permissions within systems work correctly and cannot be ignored.
  • confirm the existence of a review and reconciliation process and review the reports.
  • review any past access breaches to identify how they were allowed to occur.

Related countermeasures

This type of countermeasure is supported by:

Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale and impact of a potential breach. To better protect personal information, the minimal data required for a transaction should be collected, used and retained. Make sure sensitive or official information cannot leave your entity's network without authority or detection.

Authenticate customer or third-party identities during each interaction to confirm the person owns the identity record they are trying to access.

Clear eligibility requirements and only approve requests or claims that meet the criteria. This can include internal requests for staff access to systems or information.

Escalate non-standard requests or claims for further review or scrutiny. Non-standard requests or claims might include those that are late, do not meet normal conditions, include evidence that is difficult to verify (such as from overseas) or are for amounts that are higher than normal.

Separate duties by allocating tasks and associated privileges for a business process to multiple staff. This is very important in areas such as payroll, finance, procurement, contract management and human resources. Systems help to enforce the strong separation of duties. This is also known as segregation of duties.

Apply limits on requests, claims or processes, such as maximum claim amounts or time periods. Enforce these limits using IT system controls.

Make sure sensitive or official information cannot leave your entity's network without authority or detection. The Protective Security Policy Framework articulates mandatory information security requirements to maintain the confidentiality, integrity and availability of all official information.  Personal and government information is highly sought after by fraudsters and organised criminals. The way data is collected and stored can also change the scale of a potential breach.

Limit and monitor privileged system accesses (those that allow staff, contractors and providers to perform special functions or override system and application controls). The Protective Security Policy Framework outlines the government protective security requirements to safeguard information from cyber threats, including to restrict administrative privileges.

Related Fraudster Personas

Was this page helpful?