NDA Notice

This project was completed under a non-disclosure agreement. Details have been generalized to protect client confidentiality. Client-specific systems, internal data, screenshots, deliverables, and implementation details are intentionally omitted.

Overview

Improving access control through role and permission review

This capstone project focused on auditing roles and permissions across selected business systems for a client organization that handles sensitive user data. The goal was to evaluate whether access aligned with role responsibilities, identify potential separation of duties concerns, and provide recommendations to improve long-term access control governance.

Security Context

Why this work mattered

Sensitive Data

The client environment involved systems that supported sensitive operational data, making least privilege and access control hygiene important from both security and compliance perspectives.

Broken Access Control

Excessive or inconsistent access can create opportunities for misuse, accidental exposure, privilege abuse, and broader organizational risk.

Governance Gap

The work emphasized the need for clear role definitions, documented permissions, and repeatable procedures for future access reviews.

Methodology

How the audit was approached

1. Role Review

Grouped roles by business function to understand how access was intended to support operational responsibilities.

2. Permission Mapping

Reviewed permissions assigned to each role and compared them against the role’s expected purpose.

3. SoD Analysis

Identified areas where permissions could create separation of duties concerns or require additional review.

4. Recommendations

Delivered findings focused on documentation, access governance, role clarity, and future review processes.
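
The review steps above can be expressed as a small script. This is an added example, not code or data from the client engagement: every role, permission, user, baseline and SoD pair below is constructed for illustration. It shows why the SoD check has to run on each user's combined roles as well as on each role alone.

```python
# Constructed sample data: all names below are hypothetical.
ROLES = {  # step 1: each role is tagged with its business function
    "billing_clerk": {"function": "finance",
                      "permissions": {"invoice.create", "invoice.view"}},
    "billing_manager": {"function": "finance",
                        "permissions": {"invoice.view", "invoice.approve", "user.manage"}},
    "support_agent": {"function": "support",
                      "permissions": {"ticket.view", "ticket.update", "record.export"}},
}
# Assumed documented baseline: permissions each function is expected to need.
EXPECTED = {
    "finance": {"invoice.create", "invoice.view", "invoice.approve"},
    "support": {"ticket.view", "ticket.update"},
}
# Assumed SoD policy: permission pairs that must not be held together.
SOD_PAIRS = [("invoice.create", "invoice.approve")]
USER_ROLES = {
    "alice": {"billing_clerk"},
    "bob": {"billing_clerk", "billing_manager"},
    "carol": {"support_agent"},
}

def excess_permissions(roles, expected):
    """Step 2: permissions a role holds beyond its function's baseline."""
    findings = {}
    for name, role in roles.items():
        extra = role["permissions"] - expected.get(role["function"], set())
        if extra:
            findings[name] = sorted(extra)
    return findings

def role_sod_conflicts(roles, pairs):
    """Step 3a: single roles holding both sides of an exclusive pair."""
    return sorted((name, a, b) for name, role in roles.items()
                  for a, b in pairs if {a, b} <= role["permissions"])

def user_sod_conflicts(user_roles, roles, pairs):
    """Step 3b: users whose combined roles hold both sides of a pair."""
    findings = []
    for user, assigned in user_roles.items():
        effective = set().union(*(roles[r]["permissions"] for r in assigned))
        for a, b in pairs:
            if {a, b} <= effective:
                findings.append((user, a, b, sorted(assigned)))
    return sorted(findings)

if __name__ == "__main__":
    print("Excess permissions:", excess_permissions(ROLES, EXPECTED))
    print("Role-level SoD:", role_sod_conflicts(ROLES, SOD_PAIRS))
    print("User-level SoD:", user_sod_conflicts(USER_ROLES, ROLES, SOD_PAIRS))
```

In this sample no single role violates the SoD pair, yet one user does through a combination of two roles, which is the kind of item that needs business validation before it is called a finding.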

Core Concepts

Access control principles used in the project

RBAC

Role-Based Access Control assigns permissions to roles and users to roles, making access easier to manage at scale.

Least Privilege

Users should only have the permissions necessary to perform their job responsibilities.

Separation of Duties

No single user or role should have enough access to complete a sensitive process without oversight or control boundaries.

Findings Summary

High-level observations

Governance

Limited role and permission documentation

A major challenge was the lack of complete documentation describing how roles should be created, managed, reviewed, and retired.

Access

Potential separation of duties review items

Some permissions required additional business validation to confirm whether access was appropriate for the role’s function.

Process

Need for repeatable access review procedures

The project showed the importance of repeatable access review workflows that can be reused across systems over time.

Recommendations

How the organization could improve access governance

Document Role Definitions

Maintain clear descriptions of what each role is responsible for and what permissions are required to perform that function.

Create SoD Policies

Define which roles or permissions should be mutually exclusive to reduce the risk of misuse or unauthorized process completion.

Improve Review Cadence

Establish regular access reviews tied to onboarding, offboarding, role changes, and administrative training.

Skills Demonstrated

Security work shown through this project

Identity & Access Security

Reviewed role design, permission assignment, least privilege, and access control risk.

Audit Methodology

Built a structured review approach for assessing roles, permissions, and potential SoD conflicts.

Security Communication

Translated technical access control issues into client-ready findings, recommendations, and future work.

Framework Alignment

Connected project reasoning to recognized security concepts such as RBAC, least privilege, separation of duties, and access control testing.

Risk-Based Thinking

Prioritized findings based on business function, sensitive data access, and the impact of excessive permissions.

Professional Discretion

Presented the project publicly in a generalized way while respecting NDA boundaries and client confidentiality.

Artifacts

Supporting materials

Because this project was completed under NDA, the full paper, presentation deck, client-specific findings, and internal deliverables are not published on this site. A generalized summary is provided here to demonstrate the project scope, methodology, and skills used without disclosing confidential information.