AC-2 / A.9.2.1 / CIS-5.1 NIST SP 800-53 Rev 5 SOC 2

Is user provisioning approved (manager + system owner) and recorded with evidence (ticket, signature)?

Demonstrate that user access provisioning requires documented approval from both the requestor's manager and the system owner or custodian, with evidence retained in a retrievable format for audit verification.

Description

What this control does

This control requires that all requests to provision user access to systems, applications, or data repositories are approved by two parties—the user's manager (to confirm business need) and the system owner or data custodian (to authorize access appropriate to the system's classification and risk profile)—before access is granted. Approvals and the provisioning action itself must be documented in a traceable audit trail such as a ticketing system, email chain with electronic signature, or workflow management platform. This dual-approval model enforces segregation of duties, prevents unauthorized or excessive access grants, and provides evidence for compliance audits and access recertification reviews.

Control objective

What auditing this proves

Demonstrate that user access provisioning requires documented approval from both the requestor's manager and the system owner or custodian, with evidence retained in a retrievable format for audit verification.

Associated risks

Risks this control addresses

  • Unauthorized access granted by a single individual without business justification or security review, enabling insider threats or privilege abuse
  • Excessive permissions provisioned without system owner validation, violating least privilege and expanding attack surface
  • Access provisioned based on outdated or fraudulent requests due to lack of managerial verification of current role and business need
  • Inability to demonstrate compliance with SOC 2 CC6.2 (logical access controls) during audits due to missing or incomplete approval records
  • Social engineering attacks succeeding when attackers impersonate users and bypass dual-approval requirements through informal provisioning channels
  • Access creep accumulating over time when provisioning lacks traceable justification, complicating access reviews and recertification efforts
  • Collusion risk where a single approver provisions access for malicious insiders without independent oversight from system custodians

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of systems, applications, and data repositories subject to formal access provisioning requirements, including identity and access management (IAM) platforms, ticketing systems, and manual approval workflows.
  2. Select a risk-based sample of user provisioning events from the audit period, stratified by system criticality, user role type (employee, contractor, administrator), and provisioning method (automated workflow, manual request).
  3. For each sampled provisioning event, retrieve the corresponding ticket, workflow record, email approval chain, or other documented request artifact from the organization's systems.
  4. Verify that each provisioning request contains explicit written or electronic approval from the user's direct manager or authorized delegate, including name, timestamp, and confirmation of business justification.
  5. Verify that each provisioning request also contains explicit approval from the system owner, application owner, or designated data custodian, confirming authorization to grant the specific access level requested.
  6. Validate that the recorded approval timestamps predate the actual access grant date logged in the IAM system, directory service audit logs, or application access logs.
  7. Cross-reference a subsample of approved provisioning tickets against Active Directory logs, application access logs, or IAM platform records to confirm that approved access was provisioned as specified and that no unapproved access exists.
  8. Interview IT operations and identity management personnel to confirm that informal or emergency provisioning channels (e.g., phone calls, chat messages, verbal requests) do not bypass the dual-approval documentation requirement, or document compensating detective controls if exceptions exist.
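Steps 4 through 7 can be scripted once the ticket export and the IAM grant log are in hand. The script below is an added example written for this page, not code from the control page or from any ticketing or IAM product; the ticket records, the grant log line format, and the approver and user names are all constructed for illustration. It checks each sampled ticket for a manager approval and a system owner approval from two different people, confirms both approval timestamps predate the grant, confirms the grant matches the approved user, system and access level, and flags any grant in the log that cites no approved ticket.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Approval roles the control requires on every provisioning request.
REQUIRED_ROLES = ("manager", "system_owner")

# Constructed IAM grant log format: "<ISO-8601 UTC> GRANT user=.. system=.. level=.. [ticket=..]".
GRANT_RE = re.compile(
    r"^(\S+) GRANT user=(\S+) system=(\S+) level=(\S+)(?: ticket=(\S+))?$"
)


@dataclass
class Approval:
    approver: str
    role: str           # one of REQUIRED_ROLES
    approved_at: datetime


@dataclass
class Ticket:
    ticket_id: str
    user: str
    system: str
    access_level: str   # access level the request asked for and approvers signed off on
    approvals: List[Approval]


@dataclass
class Grant:
    granted_at: datetime
    user: str
    system: str
    access_level: str
    ticket_id: Optional[str]   # None when the grant cites no ticket


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_grant_log(text: str) -> List[Grant]:
    """Parse the constructed grant log (one event per line) into Grant records."""
    grants = []
    for line in text.splitlines():
        match = GRANT_RE.match(line.strip())
        if match:
            when, user, system, level, ticket_id = match.groups()
            grants.append(Grant(parse_ts(when), user, system, level, ticket_id))
    return grants


def check_ticket(ticket: Ticket, grant: Optional[Grant]) -> List[str]:
    """Return the audit findings for one sampled ticket (empty list means it passes)."""
    findings = []
    by_role = {a.role: a for a in ticket.approvals}
    for role in REQUIRED_ROLES:
        approval = by_role.get(role)
        if approval is None:
            findings.append(f"missing {role} approval")
        elif grant is not None and approval.approved_at >= grant.granted_at:
            findings.append(f"{role} approval at {approval.approved_at.isoformat()} "
                            f"is not before grant at {grant.granted_at.isoformat()}")
    # Segregation of duties: the two approvals must come from different people.
    if all(r in by_role for r in REQUIRED_ROLES):
        approvers = {by_role[r].approver for r in REQUIRED_ROLES}
        if len(approvers) < len(REQUIRED_ROLES):
            findings.append("manager and system_owner approvals come from the same person")
    # The grant must match exactly what was approved (user, system, access level).
    if grant is not None and (grant.user, grant.system, grant.access_level) != (
        ticket.user, ticket.system, ticket.access_level
    ):
        findings.append(f"granted {grant.user}@{grant.system}:{grant.access_level} "
                        f"differs from approved {ticket.user}@{ticket.system}:{ticket.access_level}")
    return findings


def audit_provisioning(tickets: List[Ticket], log_text: str) -> Dict[str, List[str]]:
    """Run the dual-approval test over a ticket sample and the grant log."""
    grants = parse_grant_log(log_text)
    grant_by_ticket = {g.ticket_id: g for g in grants if g.ticket_id}
    results = {t.ticket_id: check_ticket(t, grant_by_ticket.get(t.ticket_id)) for t in tickets}
    known = {t.ticket_id for t in tickets}
    # Grants that cite no ticket, or a ticket outside the approved set, are unapproved access.
    results["UNAPPROVED_GRANTS"] = [
        f"{g.user}@{g.system}:{g.access_level} granted {g.granted_at.isoformat()} with no approved ticket"
        for g in grants if g.ticket_id not in known
    ]
    return results


def control_passes(results: Dict[str, List[str]]) -> bool:
    """Pass criteria: no findings on any sampled ticket and no unapproved grants."""
    return all(not findings for findings in results.values())


# Constructed sample data: four tickets and a five-line grant log.
TICKETS = [
    Ticket("REQ-1001", "jdoe", "finance-erp", "ap-clerk", [
        Approval("mlee", "manager", parse_ts("2024-03-01T09:00:00Z")),
        Approval("fowner", "system_owner", parse_ts("2024-03-02T11:00:00Z"))]),
    Ticket("REQ-1002", "asmith", "hr-portal", "recruiter", [
        Approval("mlee", "manager", parse_ts("2024-03-04T08:00:00Z"))]),      # owner sign-off missing
    Ticket("REQ-1003", "bchen", "finance-erp", "ap-clerk", [
        Approval("mlee", "manager", parse_ts("2024-03-05T08:00:00Z")),
        Approval("fowner", "system_owner", parse_ts("2024-03-07T09:00:00Z"))]),  # signed after grant
    Ticket("REQ-1004", "kpatel", "hr-portal", "recruiter", [
        Approval("rgupta", "manager", parse_ts("2024-03-06T08:00:00Z")),
        Approval("rgupta", "system_owner", parse_ts("2024-03-06T08:05:00Z"))]),  # same approver twice
]
GRANT_LOG = """\
2024-03-04T10:15:00Z GRANT user=jdoe system=finance-erp level=ap-clerk ticket=REQ-1001
2024-03-05T09:00:00Z GRANT user=asmith system=hr-portal level=recruiter ticket=REQ-1002
2024-03-06T14:30:00Z GRANT user=bchen system=finance-erp level=ap-admin ticket=REQ-1003
2024-03-06T16:45:00Z GRANT user=contractor7 system=finance-erp level=ap-clerk
2024-03-07T10:00:00Z GRANT user=kpatel system=hr-portal level=recruiter ticket=REQ-1004
"""

if __name__ == "__main__":
    results = audit_provisioning(TICKETS, GRANT_LOG)
    for key, findings in results.items():
        print(key, "PASS" if not findings else findings)
    print("control passes:", control_passes(results))
```

Only REQ-1001 passes in the sample: REQ-1002 lacks the system owner approval, REQ-1003 has an owner approval recorded after the grant and an access level that exceeds what was approved, REQ-1004 has one person acting as both approvers, and the `contractor7` grant cites no ticket at all. The timestamp comparison is the check most often skipped in manual reviews, and it is the one that catches access granted first and "approved" afterwards.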
Evidence required

Auditors collect ticketing system exports or workflow reports showing provisioning requests with dual approvals, screenshots of individual tickets displaying manager and system owner sign-offs with timestamps, access logs from IAM platforms or directory services confirming grant dates, and policy documentation defining approval requirements and system owner roles. Email approvals, electronic signature records, or workflow approval chains from ServiceNow, Jira Service Management, or similar platforms serve as primary evidence artifacts. Cross-referenced Active Directory or application audit logs demonstrate alignment between approvals and actual provisioning actions.
Pass criteria

All sampled user provisioning events contain documented approval from both the user's manager and the system owner or custodian prior to access being granted, with evidence retained in a retrievable audit trail and no material exceptions or unapproved access observed.