
Authority Checks — §11.10(g)

Authority Checks. The system shall employ authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand, in accordance with §11.10(g). Authority checks shall be implemented as follows:

(a) the system shall verify, at the time of each critical action, that the individual performing the action has the appropriate privileges assigned to their user role;

(b) electronic signature authority shall be restricted to individuals who have been formally designated as authorized signatories for the specific record type or process, as documented in the organization's signature authority matrix;

(c) the system shall prevent unauthorized users from performing actions outside the scope of their assigned role, including creating, modifying, approving, rejecting, or deleting records;

(d) elevated privileges (e.g., system administrator functions) shall be restricted to the minimum number of individuals necessary and shall require additional authentication where feasible;

(e) the assignment and modification of authority levels shall be controlled through a documented process requiring management approval and shall be subject to periodic review;

(f) any attempt by a user to perform an action for which they are not authorized shall be blocked by the system and logged in the audit trail; and

(g) authority check configurations shall be documented, tested during system validation, and reviewed after any changes to organizational roles or system security settings.