...
Who can see Economic Operators' related data:

| Role | View Organisation | View Transactions | Certificate ID and validity | Certificate Site/Scope/Material |
|---|---|---|---|---|
| EC Admin/User | Y | Y (authorised personnel only) | Y | Y |
| MS Lead User & User | Y | Y (authorised personnel only) | Y | Y |
| VS Lead User & User | Y | N | Y | Y |
| EO Lead User & User | Y | Y | Y | Y |
| Other EO Lead User & User | N | N | Y (planned) | N |
| TSO/DSO/LSO | N | N | Y | N |
| CB Lead User & User | Y | Y | Y | Y |
| Service Provider | Y (SP appointed by EO only) | Y (SP appointed by EO only) | Y (no restrictions, for all EO) | Y (SP appointed by EO only) |
Access Control and Authentication security standard. Determining access rights:

| Requirement | Implementation (M = mandatory, R = recommended) |
|---|---|
| Access to system functionalities and data shall be restricted to authorised users on the basis of the 'need to know' principle. | M |
| Authorisation mechanisms in the system shall ensure that access is: automatically denied unless accounts have been explicitly authorised for the system; and automatically restricted to access rights granted to the account. | M |
| The system owner shall determine access rights associated with differentiated levels of authorisation to access the system data and functionalities. | M |
| The access rights shall be determined on the basis of a risk assessment that considers at least: · information sensitivity and level of classification – the need to limit access to system data, in line with data classification, general data sensitivity and applicable regulation; and | M |
| Determined access rights shall be reviewed periodically to check that they continue to ensure the protection of sensitive non-classified information, the enforcement of process controls and the segregation of incompatible duties. | M |
| Access decisions (both positive and negative) following a user access request during a login process shall be logged in order to provide an audit trail. | M |
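The following is an added example, not code from the system this page documents. It encodes the role/data matrix above as a set of explicit grants and applies the mandatory requirements from the second table: a (role, data) pair with no grant is denied by default, conditional cells ("authorised personnel only", "SP appointed by EO only") are evaluated against attributes of the requesting account, every positive and negative decision is appended to an audit trail, and the effective policy can be rendered role-by-data for the periodic review. The role codes, the `eo_id` and `authorised_personnel` attributes on the account, and the treatment of "Y (planned)" as not yet granted are assumptions made for the example.

```python
"""Role-based access matrix with default deny and an audit trail (added example).

Role names, the Data categories, and the Principal/Resource attributes are
assumptions that model the matrix and requirements on this page.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Data(Enum):
    VIEW_ORG = "View Organisation"
    VIEW_TX = "View Transactions"
    CERT_ID = "Certificate ID and validity"
    CERT_SCOPE = "Certificate Site/Scope/Material"


@dataclass(frozen=True)
class Principal:
    role: str                            # assumed codes: EC, MS, VS, EO, TSO/DSO/LSO, CB, SP
    eo_id: Optional[str] = None          # own EO, or the EO that appointed a Service Provider
    authorised_personnel: bool = False   # assumed flag behind "authorised personnel only"


@dataclass(frozen=True)
class Resource:
    data: Data
    eo_id: str                           # Economic Operator the record belongs to


Condition = Callable[[Principal, Resource], bool]


def unrestricted(p: Principal, r: Resource) -> bool:
    return True


def same_eo(p: Principal, r: Resource) -> bool:
    return p.eo_id is not None and p.eo_id == r.eo_id


def authorised_personnel(p: Principal, r: Resource) -> bool:
    return p.authorised_personnel


# Explicit grants only: any (role, data) pair missing here is denied.
# "Y (planned)" for other EOs is not granted until it is actually implemented.
POLICY: dict[tuple[str, Data], Condition] = {
    ("EC", Data.VIEW_ORG): unrestricted,
    ("EC", Data.VIEW_TX): authorised_personnel,
    ("EC", Data.CERT_ID): unrestricted,
    ("EC", Data.CERT_SCOPE): unrestricted,
    ("MS", Data.VIEW_ORG): unrestricted,
    ("MS", Data.VIEW_TX): authorised_personnel,
    ("MS", Data.CERT_ID): unrestricted,
    ("MS", Data.CERT_SCOPE): unrestricted,
    ("VS", Data.VIEW_ORG): unrestricted,
    ("VS", Data.CERT_ID): unrestricted,
    ("VS", Data.CERT_SCOPE): unrestricted,
    ("EO", Data.VIEW_ORG): same_eo,      # own organisation; the "Other EO" row is the same_eo failure case
    ("EO", Data.VIEW_TX): same_eo,
    ("EO", Data.CERT_ID): same_eo,
    ("EO", Data.CERT_SCOPE): same_eo,
    ("TSO/DSO/LSO", Data.CERT_ID): unrestricted,
    ("CB", Data.VIEW_ORG): unrestricted,
    ("CB", Data.VIEW_TX): unrestricted,
    ("CB", Data.CERT_ID): unrestricted,
    ("CB", Data.CERT_SCOPE): unrestricted,
    ("SP", Data.VIEW_ORG): same_eo,      # SP appointed by that EO only
    ("SP", Data.VIEW_TX): same_eo,
    ("SP", Data.CERT_ID): unrestricted,  # no restriction, for all EO
    ("SP", Data.CERT_SCOPE): same_eo,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    role: str
    data: Data
    eo_id: str
    reason: str


AUDIT_LOG: list[Decision] = []


def authorize(p: Principal, r: Resource, log: list[Decision] = AUDIT_LOG) -> bool:
    """Evaluate the policy; every decision, positive or negative, is logged."""
    rule = POLICY.get((p.role, r.data))
    if rule is None:
        allowed, reason = False, "no explicit grant (default deny)"
    elif rule(p, r):
        allowed, reason = True, f"granted by {rule.__name__}"
    else:
        allowed, reason = False, f"condition {rule.__name__} not met"
    log.append(Decision(allowed, p.role, r.data, r.eo_id, reason))
    return allowed


def matrix_for_review() -> dict[str, dict[str, str]]:
    """Render the effective policy role-by-data for comparison with the documented matrix."""
    out: dict[str, dict[str, str]] = {}
    for role in sorted({role for role, _ in POLICY}):
        out[role] = {}
        for d in Data:
            rule = POLICY.get((role, d))
            out[role][d.value] = "N" if rule is None else f"Y ({rule.__name__})"
    return out
```

The review rendering is the piece that makes the periodic review requirement checkable: diffing `matrix_for_review()` against the documented table shows any grant that drifted from what the system owner approved, and the audit log records the denials as well as the grants, which is what an investigation of a failed or unexpected access needs.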