Skip to content
← Back to Library

Access Control Policy

Recommended security access_control_policy
Agent Prompt Snippet
Define role-based access rules, least privilege enforcement, credential rotation schedules, and periodic access review cadence for all system components.

Purpose

The access control policy defines role-based access, least privilege enforcement, credential rotation schedules, and access review cadence for all system components.

This is a Recommended document — most projects benefit significantly from having one. While not strictly essential for every situation, its absence often leads to gaps in team understanding or quality.

Key Sections to Include

  • Role-based access rules
  • Least privilege enforcement
  • Credential rotation schedules
  • Periodic access review cadence for all system components

Agent hint: Define role-based access rules, least privilege enforcement, credential rotation schedules, and periodic access review cadence for all system components.

What Makes It Good vs Bad

A strong version of this document:

  • Identifies specific threat models and attack vectors relevant to the project
  • Defines concrete controls with implementation details, not just aspirations
  • Includes verification steps — how to test that security measures work
  • References established frameworks (OWASP, NIST, CIS) where applicable
  • Specifies incident response procedures and escalation paths

Warning signs of a weak version:

  • Vague statements like ’the system will be secure’ without specifics
  • Missing threat model — no analysis of who attacks, how, and what’s at risk
  • No connection between identified threats and chosen mitigations
  • Ignores operational security (key rotation, access reviews, audit logging)
  • Written once and never updated as the threat landscape changes

Common Mistakes

  • Treating security as a checkbox rather than an ongoing practice
  • Focusing only on external threats while ignoring insider risks
  • Documenting controls without specifying how to verify they work
  • Not updating the document when new vulnerabilities or attack patterns emerge

How to Use This Document

Start by identifying the assets worth protecting and the threat actors most likely to target them. Use a framework like STRIDE or OWASP Top 10 to structure your analysis. For each identified threat, document the specific control that mitigates it and how that control is verified. Review the document at least quarterly or whenever the system architecture changes significantly.

For AI agents: When generating or reviewing this document, cross-reference the project’s architecture to ensure every external-facing surface has a corresponding security control documented.

Starter Template

SpecBase includes a ready-to-use template for this document: kb/templates/security/access_control_policy.md.tmpl. Use the SpecBase CLI or MCP integration to generate it pre-filled for your project.

# Generate stubs via CLI
specbase init <archetype> --features <features> --dir ./docs
  • Threat Modeling: Designing for Security by Adam Shostack — The definitive guide to identifying and mitigating security threats systematically.
  • Security Engineering by Ross Anderson — Comprehensive reference covering security principles from cryptography to physical security.
  • The Web Application Hacker’s Handbook by Dafydd Stuttard & Marcus Pinto — Practical guide to web application security testing and common vulnerability patterns.

Appears In