User permissions

Functionality within systems is limited and controlled by user permissions, which are assigned to users on the basis of specific business needs; for example, high-risk functions are restricted to specialised users.

The Protective Security Policy Framework articulates the government protective security policies that underpin this control.


Some examples of this type of countermeasure include:

  • Access to functionality within systems is limited to specific permissions.
  • Specific permissions require a business case and approval to obtain.
  • Only centralised areas have access to certain functions, e.g. only payroll staff have access to payroll functions and information.
  • Staff are blocked from accessing their own programme record.
  • Authorised representatives can only perform limited functions on a customer's record.
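The controls listed above can be expressed as an authorisation check that a system runs before any function is performed. The following is an added example, not code from the Attorney-General's Department or any government system; the function names, permission names, business units, user ids and the idea of recording an approver against each granted permission are assumptions chosen to illustrate the rules on this page.

```python
"""Added example: a minimal permission model enforcing the user-permission
controls listed on the page (permission per function, approval to obtain a
permission, centralised payroll functions, a block on staff accessing their
own record, and limited functions for authorised representatives).
All names and identifiers are constructed for illustration."""
from dataclasses import dataclass, field

# Each function in the system requires one specific permission (assumed names).
FUNCTION_PERMISSIONS = {
    "view_record": "record.view",
    "update_record": "record.update",
    "approve_payment": "payment.approve",
    "view_payroll": "payroll.view",
}

# Functions that are centralised: only the named business unit may use them.
CENTRALISED_FUNCTIONS = {"view_payroll": "payroll"}

# The only functions an authorised representative may perform on a
# customer's record (assumed: view only).
REPRESENTATIVE_FUNCTIONS = {"view_record"}


@dataclass
class User:
    user_id: str
    business_unit: str
    # permission -> approver who signed off the business case
    permissions: dict = field(default_factory=dict)
    # customer ids this user is an authorised representative for
    represents: set = field(default_factory=set)


def grant(user, permission, approver):
    """Grant a permission only when an approver is recorded, modelling the
    requirement that specific permissions need a business case and approval."""
    if not approver:
        raise ValueError("permission requires an approved business case")
    user.permissions[permission] = approver


def authorise(user, function, record_owner):
    """Return (allowed, reason) for `user` performing `function` on the
    record belonging to `record_owner`. Checks are ordered so that the
    blanket restrictions are applied before the permission lookup."""
    if function not in FUNCTION_PERMISSIONS:
        return False, "unknown function"

    # Staff are blocked from accessing their own record, whatever they hold.
    if record_owner == user.user_id:
        return False, "staff may not access their own record"

    # Authorised representatives get a fixed, limited set of functions on the
    # customer records they represent, and nothing else on those records.
    if record_owner in user.represents:
        if function in REPRESENTATIVE_FUNCTIONS:
            return True, "authorised representative: limited function"
        return False, "authorised representatives may only perform limited functions"

    # Centralised functions are confined to one business unit.
    unit = CENTRALISED_FUNCTIONS.get(function)
    if unit is not None and user.business_unit != unit:
        return False, f"{function} is limited to the {unit} unit"

    # Finally, the user must hold the specific permission for the function.
    needed = FUNCTION_PERMISSIONS[function]
    if needed not in user.permissions:
        return False, f"missing permission {needed}"
    return True, f"permission {needed} approved by {user.permissions[needed]}"


if __name__ == "__main__":
    officer = User("u100", "claims")
    grant(officer, "record.update", "mgr-a")
    print(authorise(officer, "update_record", "c555"))
    print(authorise(officer, "update_record", "u100"))
    print(authorise(officer, "view_payroll", "c555"))
```

The deny reasons are returned rather than raised so that a calling system can log every refusal; those log entries are the raw material for the "review any past access breaches" step later on this page.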

Purpose of this countermeasure

Staff or contractors can abuse their position of trust to:

  • process fraudulent requests or claims for themselves or another person, and
  • access, manipulate or disclose official information without authority.

Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity; e.g. coerced to provide information or pay a claim.

Abuse of public office, acting dishonestly or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Failing to control a system user's ability to access information or complete transactions can lead to fraudsters exploiting weaknesses to:

  • facilitate fraudulent payments, or
  • access, manipulate and disclose information without a business need.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • Sensitive and classified information
    • Access to information
    • Safeguarding information from cyber threats
    • Robust ICT systems
  • Confirm the existence of permissions and limits within the system.
  • Review procedures or guidance to confirm they clearly specify where permissions should be limited.
  • Obtain and review requirements for who should have certain user permissions.
  • Confirm the existence of a request and approvals process for obtaining specific permissions.
  • Confirm request and approvals processes are consistently applied.
  • Review procedures for requesting user permissions. Confirm the request processes are robust. Actively test them if required.
  • Confirm that someone cannot bypass standard process requirements even when subject to pressure or coercion.
  • Confirm that user permissions consider segregation of duties requirements.
  • Review the need for Security Clearances for some permissions, if applicable.
  • Undertake quantitative and qualitative analysis of user permissions to confirm only those who require permissions have the permissions.
  • Undertake testing or a process walk-through to confirm that permissions within systems work correctly and cannot be circumvented.
  • Confirm the existence of a review and reconciliation process. Review the reports.
  • Review any past access breaches to identify how they were allowed to occur.
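Several of the methods above (confirming only those who need permissions hold them, checking segregation of duties, and reviewing a reconciliation report) come down to comparing what a system has actually granted against what was approved. The following is an added example, not code or a report format from the Attorney-General's Department; the permission names, user ids, approver names and the one segregation-of-duties pair are constructed to show the reconciliation.

```python
"""Added example: reconcile permissions actually granted in a system against
an approvals register, flag segregation-of-duties conflicts, and produce a
simple count per permission for quantitative review. All data is constructed."""
from collections import Counter

# Constructed export of permissions currently granted: (user_id, permission)
GRANTED = [
    ("u001", "payment.create"),
    ("u001", "payment.approve"),   # same user can create and approve a payment
    ("u002", "payment.approve"),
    ("u003", "payroll.view"),      # no approval exists for this grant
    ("u004", "record.view"),
]

# Constructed approvals register: (user_id, permission, approver)
APPROVED = [
    ("u001", "payment.create", "mgr-a"),
    ("u001", "payment.approve", "mgr-a"),
    ("u002", "payment.approve", "mgr-b"),
    ("u004", "record.view", "mgr-c"),
    ("u005", "record.update", "mgr-c"),  # approved but not present in the system
]

# Permission pairs that one person should not hold together (assumed pair).
SOD_CONFLICTS = [("payment.create", "payment.approve")]


def reconcile(granted, approved):
    """Return (unapproved_grants, stale_approvals).

    unapproved_grants: permissions present in the system with no matching
                       approval, the finding that matters most for fraud risk.
    stale_approvals:   approvals with no matching grant, which indicate either
                       a provisioning gap or an approval that was never revoked."""
    granted_set = {(u, p) for u, p in granted}
    approved_set = {(u, p) for u, p, _ in approved}
    unapproved = sorted(granted_set - approved_set)
    stale = sorted(approved_set - granted_set)
    return unapproved, stale


def sod_violations(granted, conflicts):
    """Return (user_id, perm_a, perm_b) for every user holding both halves of
    a conflicting pair, regardless of whether each grant was approved."""
    perms_by_user = {}
    for user_id, perm in granted:
        perms_by_user.setdefault(user_id, set()).add(perm)
    violations = []
    for user_id, perms in sorted(perms_by_user.items()):
        for perm_a, perm_b in conflicts:
            if perm_a in perms and perm_b in perms:
                violations.append((user_id, perm_a, perm_b))
    return violations


def permission_counts(granted):
    """Number of holders per permission, a starting point for asking whether
    a high-risk permission is held by more people than the business needs."""
    return Counter(perm for _, perm in granted)


def report(granted=GRANTED, approved=APPROVED, conflicts=SOD_CONFLICTS):
    """Assemble the review output as a dict so it can be logged or asserted on."""
    unapproved, stale = reconcile(granted, approved)
    return {
        "unapproved_grants": unapproved,
        "stale_approvals": stale,
        "sod_violations": sod_violations(granted, conflicts),
        "holders_per_permission": dict(permission_counts(granted)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Both approved-but-not-granted and granted-but-not-approved entries are reported because each points to a different process failure: the first to the approval process running ahead of (or detached from) provisioning, the second to grants being made outside the approval process, which is exactly the bypass that the "consistently applied" check above is looking for.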
