Limit what authorized users can do

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

• ✓A role list: e.g. owner = admin, PM = full FCI read/write, bookkeeper = invoices only, shop floor = drawings read-only.
• ✓Microsoft 365 / Google admin showing which users hold the Global Admin / Super Admin role (should be 1–2 people, not everyone).
• ✓Folder permissions distinguishing read-only vs read/write on the FCI folder.
• ✓On the ERP / quoting / accounting system: per-user permissions (not everyone is admin).
• ✓A documented "least privilege" rule of thumb the team understands and follows.

Common ways small shops fail this

• ✗Every user is a Global Admin in M365 / Google because "it's easier."
• ✗Everyone has read/write on the FCI folder, nobody has read-only.
• ✗Daily work done from the same admin account used for tenant management.
• ✗The bookkeeper has access to engineering drawings they don't need.
• ✗Shared logins to the shop PC that have local admin rights.

How to fix it in a weekend

1. 1Inventory every system in scope (M365, ERP, file server, accounting). For each, list the roles you actually need.
2. 2Demote everyone from admin who doesn't need it. Two named admins is plenty for a small shop.
3. 3Set folder permissions to read-only for users who only consume FCI (e.g. shop floor reading drawings).
4. 4Have admins do daily work from a regular user account and only switch to admin when needed.
5. 5Add the least-privilege rule to your one-pager so a new hire knows the convention.

FAQ

Related references