Question
Should all internal SaaS applications enforce role-based access control (RBAC) instead of broad, one-size-fits-all permissions?
Background
Many employees currently hold broad access to systems that store finance, HR, and customer data, often well beyond what their job requires. Enforcing RBAC would limit what a compromised or misused account can reach and align privileges with job duties, but it requires up-front role design, per-tool configuration, and ongoing maintenance (keeping roles current as duties change and periodically reviewing assignments) across tools.
Options
- Require RBAC for all internal SaaS apps within two years.
- Prioritize RBAC for high-risk systems and phase in for others later.
- Encourage, but not require, RBAC adoption by system owners.
- Leave access management to each team’s discretion.