User Access Management (UAM) – Roles & PermissionsGlossary

User Access Management (UAM) – Roles & Permissions

Q: RBAC vs ABAC—do we need attributes?

RBAC is the baseline for GxP clarity and validation. Attributes (site, shift, equipment) can refine access if governed and validated; keep decisions explainable and testable.

Q: Is SSO required for Part 11?

No, but SSO with MFA strengthens identity assurance. Regardless, e-signatures must be unique, attributable, and verified with appropriate prompts.

Q: How often should we run access reviews?

At least quarterly for high-risk roles, and after major organizational or role model changes. Close gaps promptly and document remediation.

Q: How should we handle service accounts and APIs?

Assign owners, enforce least privilege, rotate secrets, restrict network sources, monitor use, and review regularly. Prefer named user access when feasible.

Q: Can operators share a login on a line terminal?

No. Use personal accounts with quick re-auth (badge+PIN, short sessions) to preserve attribution and meet Part 11/Annex 11 expectations.

Q: What links access to competence?

The Training Matrix. Map roles to required courses and assessments; block controlled actions until training is current and effective.

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated October 2025 • Access Control, Segregation of Duties & Compliance • IT/OT, QA, Manufacturing, Laboratory

User Access Management (UAM) is the governance and control of who can do what, where, and when across regulated manufacturing systems. In practice, UAM translates policy into role‑based permissions that gate actions in MES, LIMS, ELN, WMS and QMS modules, enforce least privilege, and prevent conflicts via segregation of duties (SoD). Because decisions like batch release and e‑signatures carry legal weight under 21 CFR Part 11 and EU Annex 11, UAM sits at the core of Data Integrity and must be demonstrably effective, validated (CSV), and auditable through immutable audit trails.

“In GxP, access is a quality decision: every permission you grant becomes a risk you must control and prove.”

TL;DR: Define standard roles with least‑privilege permissions, map users to roles through a governed joiner‑mover‑leaver lifecycle, enforce MFA and SSO, block conflicts with SoD, and link access to competence via the Training Matrix. Execute in validated systems with audit trails, e‑signature rules (Part 11 / Annex 11), periodic access reviews, and controlled changes via Document Control and MOC.

1) What UAM Covers—and What It Does Not

Covers: Identity, authentication (e.g., SSO, MFA), authorization (roles, permission sets), SoD, privileged access, emergency/break‑glass controls, service accounts and API tokens, session controls, approval workflows, dual verification, and periodic access reviews. It also includes the user lifecycle (joiner‑mover‑leaver), training/competency gating, and evidence that access maps to responsibilities defined in the quality system.

Does not cover: UAM cannot compensate for weak process design or uncontrolled documents. It does not replace procedural checks in eBMR, nor does it remove the need for second‑person review. UAM enables and constrains actions; it does not, by itself, validate those actions as scientifically sound or compliant.

2) Legal, System & Data Integrity Anchors

Access decisions culminate in e‑records that must meet Part 11/Annex 11 criteria: unique identities, verified signatures, time‑stamped audit trails, and validated security controls under CSV. Policies live in controlled SOPs (Document Control), and evidence is retained per Record Retention. UAM should align with the organization’s QMS (ISO 13485, QMSR) and IT security standards, and be periodically challenged through Internal Audit.

3) The Evidence Pack for UAM

An audit‑ready UAM file shows: approved role catalogue and permission matrices; SoD rules and exceptions; mapping of roles to job titles and required competencies in the Training Matrix; JML records (who requested, who approved, when provisioned/removed); authentication settings (SSO provider, MFA factors); session policies; service account ownership and token rotation logs; access review results and remediation; and links to related change controls, deviations, and CAPA. All entries should be attributable, time‑stamped, and immutable via audit trails.

4) From Request to Enforcement—A Standard Path

Access begins with a documented request tied to a role and competency profile. Supervisors and QA/IT approve per SOP; the system provisions access automatically via directory groups or native roles. Before a user can perform controlled actions (e.g., release, disposition, result entry), the platform checks training effectiveness and signature enrolment. During use, permissions gate step‑level actions in the eBMR/LIMS workflow, enforce dual verification where required, and record each action under the user’s identity. Movers trigger re‑assessment of SoD and permissions; leavers prompt immediate de‑provisioning and token revocation. Periodic access reviews reconcile reality to policy and close gaps.

5) Interpreting Roles, Permissions & SoD

Think of a role as a named bundle of permissions that expresses a job function, not a person. Good roles are small, composable, and stable; permissions are explicit verbs (create batch, approve deviation, sign result). SoD ensures no single role (or user) can both originate and approve the same high‑risk decision (e.g., create and release a batch). Exceptions should be rare, time‑bound, and logged as risk‑accepted with management approval and review. Align roles to the Control Plan and real workflows so security doesn’t force workarounds that harm compliance.

6) Joiner–Mover–Leaver (JML) Lifecycle

For joiners, provision only the roles justified by the job description and completed training; delay e‑signature activation until identity is verified. Movers (promotions, transfers) require delta reviews: remove old access first, then add new; re‑evaluate SoD. Leavers must be de‑provisioned on the effective date with immediate credential revocation across MES/LIMS/ELN/WMS and connected services; archive their records per retention policy. Each JML step is ticketed, approved, and auditable.

7) Authentication, e‑Signatures & Sessions

Use centralized SSO (SAML/OIDC) with MFA for interactive users; set session timeouts appropriate to risk and environment. For Part 11 compliance, e‑signatures must be unique to an individual and never shared; signing prompts should require at least password re‑entry and meaning of signature (review, approve, responsibility). Disable cached/shared credentials on shared workstations; prefer user‑specific logins with fast re‑auth (badge plus PIN) to maintain attribution without sacrificing productivity.

8) Shop‑Floor & Laboratory Reality

Terminals on lines and benches often serve many operators. Avoid shared generic accounts—use personal accounts with quick switching, badge scans, or kiosk modes that preserve identity at each step. Bind device use to training on specific equipment; block critical actions (e.g., weigh by tolerance, release tests) if training is expired. For integrated instruments, ensure the controlling user identity flows into the record (no “system” user overwrites) and that clocks/time zones are consistent for Data Integrity.

9) Vendors, Service & API Access

Vendors and automation need access, but not carte blanche. Assign named accounts to individuals when possible; if service accounts are unavoidable, scope tightly (least privilege), rotate secrets, restrict IPs, and log every call. API tokens should be short‑lived and auditable to an owner. For remote support, time‑box access, require approvals, and capture sessions where feasible. Treat all non‑human access as changes under MOC.

10) Emergency & Break‑Glass Controls

Define a minimal set of emergency capabilities (e.g., halt line, secure product) granted via a break‑glass role. Access should be activated only under documented emergencies, expire automatically, and trigger alerts and after‑action review. Never use break‑glass as a convenience to bypass SoD or training gates.

11) Change Control, Validation & Audits

Role model changes, SoD matrices, authentication settings, and directory integrations are configuration items that must be validated proportionately under CSV and governed by MOC. Test negative cases (role cannot sign, SoD blocks approve), boundary conditions, and audit trail completeness. Use Internal Audits to challenge orphan accounts, shared credentials, and stale permissions; treat findings through CAPA.

12) Integration with Operations & Release

UAM should reinforce, not slow, compliant execution. Gate high‑risk actions (e.g., Lot Release, Finished Goods Release, deviation approvals) to appropriate roles; require dual verification for critical steps (identity checks, label approval). Tie permission to training so unqualified users cannot execute or sign. Ensure UAM spans connected systems so the same person cannot bypass a block in MES by acting in LIMS or WMS.

13) Metrics That Demonstrate Control

MFA coverage: % of interactive accounts with MFA enforced.
Provisioning/de‑provisioning time: median hours from approval to change applied (joiner/leaver).
SoD violations prevented/resolved: blocks at point‑of‑use and time to remediation.
Orphan & shared accounts: count and age; target zero.
Access review completion: on‑time rate and number of changes from review.
Service token hygiene: rotation cadence, owner assignment, last‑used age.
Audit trail completeness: % of critical actions with attributable user/signature.

These KPIs show that access is timely, risk‑based, and continuously verified—not set‑and‑forget.

14) Common Pitfalls & How to Avoid Them

Shared logins or generic “operator.” Replace with personal accounts and fast re‑auth on shared stations.
Role creep. Periodically refactor and right‑size roles; remove grants on movers/leavers promptly.
SoD only on paper. Implement technical blocks at the point of action, not just SOP text.
Uncontrolled service accounts. Assign owners, least privilege, rotation, IP limits, and monitoring.
Spreadsheet access lists. Maintain access in the validated platform with audit trails, not offline files.
Training not linked to access. Enforce training gates via the Training Matrix to prevent unqualified execution.

15) What Belongs in the UAM Record

Keep the role catalogue, permission matrices, SoD rules and test evidence, JML tickets and approvals, directory/SSO configuration and validation, MFA and session settings, service account registry, periodic access reviews and outcomes, training‑to‑role mappings, e‑signature enrolment logs, exceptions and break‑glass events, and links to related MOC, Deviations, CAPA, and archival metadata—all under Document Control.

16) How This Fits with V5 by SG Systems Global

Centralized roles & SoD enforcement. The V5 platform standardizes RBAC across MES, LIMS, ELN, WMS and QMS modules with an enterprise role catalogue, effective‑dating, and environment separation (DEV/TEST/PROD). SoD policies (e.g., “cannot both record and approve lab results,” “cannot create and release a lot”) are enforced at step level—blocking actions and prompting compliant routing through Approval Workflows and Dual Verification.

Identity, SSO & MFA. V5 integrates with enterprise identity providers (SAML/OIDC) to deliver SSO and MFA, while maintaining Part 11/Annex 11 e‑signature prompts and meaning‑of‑signature capture. Kiosk and badge‑plus‑PIN modes support shared terminals without sacrificing user attribution.

Training‑gated access. Roles can require competencies from the Training Matrix; users lacking current training are prevented from executing or signing controlled steps until re‑qualified. Training status appears contextually in the eBMR, LIMS, and QMS screens.

Service/API governance. V5 manages service accounts and API tokens with owners, scopes, expiries, IP restrictions, and full auditability. Tokens can be time‑boxed for vendor support and auto‑revoked on leaver events.

Lifecycle control & validation. UAM configurations are version‑controlled, change‑managed under MOC, and backed by CSV scripts that test negative/positive scenarios (e.g., SoD blocks, e‑sig prompts). Access reviews, orphan account scans, and SoD dashboards keep governance visible to QA and IT.

Audit‑ready evidence. Every access grant, revoke, and use of privilege is captured by immutable audit trails with user, time, rationale, and approval. Reports summarize MFA coverage, JML timelines, SoD exceptions, and e‑signature compliance for inspections—without spreadsheet stitching.

Bottom line: V5 turns access control into a first‑class, validated business process—tight enough for regulators, fast enough for operators.

17) FAQ

Q1. RBAC vs ABAC—do we need attributes?
RBAC (roles) is the baseline for GxP clarity and validation. Attributes (site, shift, equipment) can refine access if governed and validated; keep decisions explainable and testable.

Q2. Is SSO required for Part 11?
Not explicitly, but SSO with MFA strengthens identity assurance. Regardless, e‑signatures must be unique, attributable, and verified at the point of signing with appropriate prompts.

Q3. How often should we run access reviews?
At least quarterly for high‑risk roles; align with audits and organizational changes. Always review after mergers, reorganizations, or major role model updates.

Q4. How do we handle service accounts?
Treat them as configuration items: assign owners, limit scope, rotate secrets, restrict network sources, monitor use, and review regularly. Prefer named user access wherever feasible.

Q5. Can operators share a login on a line terminal?
No. Use individual accounts with quick re‑auth (badge+PIN, short sessions) to preserve attribution and meet Part 11/Annex 11 expectations.

Q6. What links access to competence?
The Training Matrix. Map roles to required courses/assessments; block controlled actions until training is current and effective.