
Limiting System Access — §11.10(d)

System Access Controls. Access to computerized systems containing electronic records subject to 21 CFR Part 11 shall be limited to authorized individuals in accordance with §11.10(d). The organization shall implement the following access control measures:

(a) each individual who accesses the system shall be assigned a unique user account consisting of a user identification code and password, or other equivalent authentication mechanism; user accounts shall not be shared among individuals;

(b) a formal access request and approval process shall be established requiring written authorization from the system owner or department management before access is granted;

(c) access privileges shall be assigned based on the principle of least privilege, granting each user only the minimum level of access required to perform their job functions;

(d) role-based access control (RBAC) shall be implemented to define and enforce access privileges based on organizational roles and responsibilities;

(e) access privileges shall be reviewed at least every six (6) months by the system owner to verify that access remains appropriate and that terminated or transferred personnel have been promptly deactivated;

(f) user accounts shall be automatically locked after a defined number of consecutive failed login attempts, not to exceed five (5);

(g) inactive sessions shall be automatically locked or terminated after a defined period of inactivity, not to exceed fifteen (15) minutes; and

(h) all access provisioning, modification, and deactivation activities shall be documented and retained as part of the system records.
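As an added illustration, not part of the regulation or of this page, the following Python script audits constructed account records and two system settings against the limits stated in measures (a) through (g) above. The account fields, the role-to-privilege model and the threshold constant names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_FAILED_LOGINS = 5                   # (f) lock after at most 5 failed logins
MAX_IDLE_MINUTES = 15                   # (g) lock/terminate idle sessions within 15 min
REVIEW_INTERVAL = timedelta(days=183)   # (e) access review at least every six months

@dataclass(frozen=True)
class Account:
    user_id: str
    holders: tuple      # people who use the account; exactly one is allowed (a)
    roles: tuple        # RBAC roles granted (d)
    approved_by: str    # written authorization on file, "" if none (b)
    active: bool
    employment: str     # "active", "terminated" or "transferred"
    last_review: date   # date of the last review by the system owner (e)

def audit_config(lockout_threshold, idle_timeout_minutes):
    # Check the two numeric settings the policy caps: (f) and (g).
    findings = []
    if not 0 < lockout_threshold <= MAX_FAILED_LOGINS:
        findings.append(f"(f) lockout after {lockout_threshold} failures exceeds {MAX_FAILED_LOGINS}")
    if not 0 < idle_timeout_minutes <= MAX_IDLE_MINUTES:
        findings.append(f"(g) idle timeout of {idle_timeout_minutes} min exceeds {MAX_IDLE_MINUTES}")
    return findings

def audit_account(acct, role_privs, job_privs, today):
    # Findings for one account against (a), (b), (c), (e); [] means compliant.
    findings = []
    if len(acct.holders) != 1:
        findings.append("(a) account is shared or has no named holder")
    if not acct.approved_by:
        findings.append("(b) no written access authorization on file")
    excess = set().union(*(role_privs.get(r, set()) for r in acct.roles)) - job_privs
    if excess:
        findings.append(f"(c) privileges beyond job need: {sorted(excess)}")
    if acct.active and acct.employment != "active":
        findings.append(f"(e) {acct.employment} person still has active access")
    if today - acct.last_review > REVIEW_INTERVAL:
        findings.append("(e) access review older than six months")
    return findings

ROLE_PRIVS = {"analyst": {"read", "sign"}, "admin": {"read", "write", "sign", "manage_users"}}  # constructed role model

def run_sample(today=date(2024, 6, 1)):
    accounts = [  # constructed sample records, not real users
        Account("jdoe", ("J. Doe",), ("analyst",), "lab manager", True, "active", date(2024, 3, 1)),
        Account("labshared", ("A. Lee", "B. Ng"), ("admin",), "", True, "active", date(2023, 9, 1)),
        Account("rsmith", ("R. Smith",), ("admin",), "IT owner", True, "terminated", date(2024, 4, 1)),
    ]
    job_need = {"jdoe": {"read", "sign"}, "labshared": {"read"}, "rsmith": {"read", "write"}}
    report = {a.user_id: audit_account(a, ROLE_PRIVS, job_need[a.user_id], today) for a in accounts}
    report["_config"] = audit_config(lockout_threshold=10, idle_timeout_minutes=15)  # (f) misconfigured
    return report
```

Each finding is labelled with the measure it violates so the report can be filed as the documentation that measure (h) requires.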