Access Control Policy

Owner: Anchor MSP Operations Lead Last reviewed: 2026-05-24

Purpose

Define access control standards for all systems in Anchor-managed production.

Scope

All systems, tools, and infrastructure components managed by Anchor MSP.

Policy

Named User Accounts

  1. Every operator accessing a managed system must have a named, individual account. No shared accounts.
  2. Account usernames follow the format: firstname.lastname or firstname_lastname depending on system constraints.
  3. Service accounts are permitted for automated processes only. Each service account must have a documented owner and purpose.

Least-Privilege Principle

  1. Access is granted based on the minimum permissions required to perform assigned duties.
  2. Default access for new operators: read-only monitoring access. Elevated access requires approval from the Operations Lead.
  3. Root/admin access is restricted to the Operations Lead and designated senior operators.

Break-Glass Procedures

  1. Emergency access ("break-glass") is available for critical incidents when normal access is insufficient.
  2. Break-glass credentials are stored in Vault with audit logging enabled.
  3. Every break-glass access event triggers an automatic alert to #anchor-incidents-critical and must be documented in a post-incident report within 24 hours.
  4. Break-glass credentials are rotated after every use.

Access Review Schedule

  1. Access reviews are conducted quarterly by the Operations Lead.
  2. Review scope: all operator accounts across all managed systems.
  3. Review actions:
    • Verify each account is still needed (operator still active).
    • Verify permissions match current role (no privilege creep).
    • Remove accounts for departed operators.
    • Rotate credentials for service accounts.
  4. Review results are documented and retained.

Provisioning and Deprovisioning

  1. Provisioning: New operator access is requested by the Operations Lead. Access is granted within 1 business day. MFA must be configured before first use.
  2. Deprovisioning: When an operator leaves Anchor or changes roles, all access is revoked within 4 hours of notification. This includes:
    • SSH keys removed from all systems
    • VPN credentials revoked
    • Monitoring dashboard access removed
    • Vault tokens revoked
    • Removed from operational Slack channels

Service Account Management

  1. Service accounts are created with the minimum permissions needed for their function.
  2. Each service account has a documented owner responsible for its lifecycle.
  3. Service account credentials are stored in Vault and rotated quarterly.
  4. Unused service accounts are disabled after 90 days of inactivity and deleted after 180 days.

Audit Logging

  1. All access events (login, sudo, key usage) must be logged.
  2. Access logs are shipped to the central logging stack (Loki) and retained for 1 year.
  3. Failed access attempts generate alerts per the Alert Severity Matrix.

Exceptions

None. All managed systems must comply with this policy.