Alysia Lewis
College of IT, Western Governors University
Dave Cameron
January 26, 2026
C845 Task 1: Security Operations Report for FinSecure Corp.
A1: ACCESS CONTROL EXPLANATION
The access control model that best applies to FinSecure Corp is Role‑Based Access Control (RBAC). RBAC gives users
access based on the job role they hold, and the permissions for each role are set in advance. The model relies
on three main principles. The first is least privilege, which means users should only receive the access needed
to perform their work. The second is separation of duties, which reduces risk by keeping important tasks
divided between different roles rather than relying on a single user. The third is role assignment, which ensures
that access is granted because a user is assigned to a specific role, not because permissions are added to
individual accounts.
FinSecure Corp’s user matrix shows a structure that aligns with RBAC. Each role is listed with the systems and
privileges connected to it, such as the Finance Manager having access to the payroll system and budget
tracker. This reflects the RBAC idea that permissions belong to roles rather than to users directly. If RBAC were
fully applied, all users in the same role would receive the same access, and permissions would be managed
through role definitions instead of one‑off changes made to individual accounts.
Using RBAC principles also makes it easier to identify problems in the current access setup. For example, a
Customer Support Representative has payroll access, which does not match the duties of that role. In another
case, a Junior System Administrator was manually granted Domain Admin rights, which is much higher access
than the role requires and increases risk. These issues show that access has been assigned directly to users
instead of being controlled through roles. Applying RBAC would correct these inconsistencies by ensuring
users receive access that matches their job duties, reducing unnecessary privileges, and preventing privilege
creep. This would strengthen FinSecure Corp’s ability to manage access and reduce the chance of misuse or
accidental exposure.
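The comparison described above, written as an added example that is not part of the original report: each account's effective access is checked against its role baseline, and anything beyond the baseline is reported as a direct grant. The permission names, user IDs, the Contractor role, the high-risk list, and every role baseline other than the Finance Manager's are assumptions made for illustration.

```python
# Constructed sample data. Only the Finance Manager entitlements and the two
# findings (payroll on Customer Support, Domain Admin on a Junior System
# Administrator) come from the report; all other names are assumptions.
ROLE_PERMISSIONS = {
    "Finance Manager": {"payroll_system", "budget_tracker"},
    "Customer Support Representative": {"ticketing_system"},
    "Junior System Administrator": {"server_monitoring"},
}
HIGH_RISK = {"domain_admin"}  # assumed list of privileges that escalate severity
SEVERITY_ORDER = ("high", "medium", "low")

ACCOUNTS = [
    {"user": "fm01", "role": "Finance Manager",
     "access": {"payroll_system", "budget_tracker"}},
    {"user": "cs01", "role": "Customer Support Representative",
     "access": {"ticketing_system", "payroll_system"}},
    {"user": "jsa01", "role": "Junior System Administrator",
     "access": {"server_monitoring", "domain_admin"}},
    {"user": "tmp01", "role": "Contractor", "access": {"budget_tracker"}},
]


def audit_account(account, role_permissions=ROLE_PERMISSIONS):
    """Return a finding for one account, or None if access equals the role baseline."""
    held = set(account["access"])
    baseline = role_permissions.get(account["role"])
    if baseline is None:
        # No role definition exists, so every permission is an unmanaged direct grant.
        return {"user": account["user"], "issue": "undefined_role",
                "excess": sorted(held), "missing": [], "severity": "high"}
    excess, missing = held - baseline, baseline - held
    if not excess and not missing:
        return None
    severity = "high" if excess & HIGH_RISK else "medium" if excess else "low"
    issue = "excess_access" if excess else "missing_access"
    return {"user": account["user"], "issue": issue,
            "excess": sorted(excess), "missing": sorted(missing), "severity": severity}


def audit(accounts=ACCOUNTS):
    """Audit all accounts and return findings ordered from most to least severe."""
    findings = [f for f in (audit_account(a) for a in accounts) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Run periodically against an export of real account entitlements, the same check surfaces privilege creep as it accumulates instead of at the next manual review.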
A2: MISALIGNMENTS
Analysis of the user role matrix identified four critical misalignments between FinSecure Corp's access
control policy and RBAC principles. Each of these misalignments represents a conflict with RBAC's principles in
the user role matrix.
Misalignment 1: Identification of Excessive Access
In the user matrix, the Customer Support Rep role has access to the payroll system. This is excessive
access because payroll duties do not fall within the responsibilities of a Customer Support role. Under
RBAC, access that exceeds what a role's duties require violates the principle of least privilege. Since the role