How do I prove role-based access control works for SOC 2?

March 6, 2026 · 2 min read · SOC 2 Evidence Collection

What Auditors Need to See

RBAC evidence for SOC 2 CC6.1 proves that your systems enforce different access levels based on job function. Auditors test three things:

  1. Roles are defined. You have documented roles with specific permissions.
  2. Users are assigned correctly. Each user has the role matching their job function.
  3. Access is restricted. Users in lower roles can't access admin functions.

Evidence to Prepare

Evidence Type             What to Capture
Role definitions          Document listing each role and its permissions
User-role mapping         Screenshot of user list showing role assignments (GitHub, AWS, your app)
Permission matrix         Table showing which roles can access which resources
Access restriction proof  Screenshot showing a non-admin user can't access admin settings
Access review             Quarterly review confirming users are in correct roles

RBAC Across Your Stack

Show RBAC evidence for each critical system:

GitHub: Organization member roles (admin, member), team-level permissions, repository access levels.

AWS/Cloud: IAM groups or roles with specific policy attachments. Show that not everyone has AdministratorAccess.

Your Application: If your app has roles (admin, user, viewer), show the code or configuration that enforces them, and a screenshot of the admin panel showing user role assignments.

Google Workspace: Show admin vs. user roles and which privileges each has.

Common Mistakes

  • Everyone is admin. Fix this before the audit. Even two roles (admin, developer) are enough to demonstrate least privilege.
  • No documentation. Auditors need a written list of roles and their intended permissions, not just system screenshots.
  • Inconsistent assignments. If your sales intern has admin access to AWS, that contradicts least privilege.
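As an added example (not from the original article), here is a minimal permission matrix and user-role mapping for a hypothetical application, the enforcement check the app would run on every request, and a function that performs the three auditor checks above: roles are defined, admin is held by a few named people rather than everyone, and non-admins are denied admin-only actions. The role names, actions and e-mail addresses are constructed sample data.

```python
# Hypothetical app: role definitions as a permission matrix (role -> allowed actions).
PERMISSION_MATRIX = {
    "admin": {"read", "write", "manage_users", "change_settings"},
    "member": {"read", "write"},
    "viewer": {"read"},
}
ADMIN_ONLY = {"manage_users", "change_settings"}  # actions reserved for admin

# User-role mapping: constructed sample data, not a real organisation.
USER_ROLES = {
    "cto@example.com": "admin",
    "eng1@example.com": "admin",
    "eng2@example.com": "member",
    "intern@example.com": "viewer",
}

class AccessDenied(PermissionError):
    """Raised when a user's role does not permit the requested action."""

def authorize(user, action, user_roles=USER_ROLES, matrix=PERMISSION_MATRIX):
    """Enforce the matrix: unknown users, unknown roles and unlisted actions are denied."""
    role = user_roles.get(user)
    if role is None or action not in matrix.get(role, set()):
        raise AccessDenied(f"{user} (role={role}) may not {action}")
    return role

def rbac_evidence(user_roles, matrix, admin_only, max_admins=3):
    """Run the three auditor checks and return the findings as a dict."""
    # 1. Roles are defined: every assigned role exists in the permission matrix.
    undefined = sorted(u for u, r in user_roles.items() if r not in matrix)
    # 2. Users are assigned correctly: admin is held by a few named people, not everyone.
    admins = sorted(u for u, r in user_roles.items() if r == "admin")
    # 3. Access is restricted: every non-admin must be denied every admin-only action.
    leaks = []
    for user, role in user_roles.items():
        for action in (sorted(admin_only) if role != "admin" else ()):
            try:
                authorize(user, action, user_roles, matrix)
                leaks.append((user, action))  # a non-admin got through: evidence fails
            except AccessDenied:
                pass
    return {
        "roles_defined": not undefined,
        "undefined_roles": undefined,
        "admins": admins,
        "admins_restricted": 0 < len(admins) <= max_admins and len(admins) < len(user_roles),
        "non_admins_denied": not leaks,
        "leaks": leaks,
    }
```

The returned dict is the machine-checkable counterpart of the evidence table: `admins` documents who holds admin, and `leaks` is empty only when the access restriction proof holds for every non-admin user.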

Quick Wins

If you don't have formal RBAC today, start with:

  1. Create an "admin" and "member" role in each system
  2. Restrict admin to 2-3 people (CTO + founding engineers)
  3. Document the roles and who has each
  4. Review assignments quarterly
