How to Prove Application Access Restrictions for SOC 2 with Screenshots
Proving application access restrictions for SOC 2 requires concrete screenshot evidence of 'access denied' states, not just policy documents. This article explains how to automate negative testing for Control CC6.1, capturing valid proof that unauthorized users are blocked from sensitive data.
Proving application access restrictions for SOC 2 requires verifiable screenshots showing that unauthorized users are blocked from sensitive resources. While automated platforms monitor identity provider configurations, they often fail to capture the application-level evidence needed for Control CC6.1. To pass an audit, you must demonstrate that your application actively enforces permissions by collecting screenshots of "403 Forbidden" or "Access Denied" states. Modern automation tools now handle this by recording negative tests and generating audit-ready reports instantly.
What Evidence Do Auditors Need for Application Access Restrictions?
Answer: Auditors require "negative testing" evidence for SOC 2 Control CC6.1 (Logical Access). This means showing that a user without privileges cannot access restricted data. The most common artifact is a timestamped screenshot showing a non-admin user attempting to access an admin page and receiving an error message or redirection.
For a SOC 2 Type II audit, this evidence must typically be collected:
- Quarterly (to show operating effectiveness over time).
- Across environments (Production, and sometimes Staging).
- For critical roles (e.g., verifying a "Viewer" cannot delete data).
The Difference Between Positive and Negative Testing
Most teams focus on positive testing (proving a user can log in). However, SOC 2 specifically requires proof of restriction.
| Test Type | Objective | Evidence Required |
|---|---|---|
| Positive Test | Verify authorized access | Screenshot of successful login/action |
| Negative Test | Verify restricted access | Screenshot of "Access Denied" / 403 Error |
| Why it matters | Ensures availability | Ensures confidentiality & integrity |
Where Traditional SOC 2 Automation Stops
Most companies use GRC platforms like Drata or Vanta to automate their SOC 2 compliance. These tools are excellent at monitoring infrastructure configuration via APIs, but they have a "blind spot" when it comes to application logic.
The API vs. UI Gap
Drata can check your Okta API to see that User A is in the Viewers group. However, Drata cannot log into your actual SaaS product to verify that the Viewers group is correctly blocked from the /admin/billing page.
This creates a 20% manual gap in evidence collection.
- Automated by GRC: "Is the user assigned the correct role in the IdP?"
- Manual Work Required: "Does the application actually block the user based on that role?"
Without tools like Screenata, engineering leads often spend 40–80 hours per quarter manually creating test accounts, logging in, attempting forbidden actions, taking screenshots, and pasting them into Word documents.
How to Automate Application Access Evidence with Screenshots
Answer: You can automate application access evidence by using workflow recording tools that perform "computer use" tasks. These tools log in as a restricted user, navigate to a restricted URL, and capture the resulting denial screen automatically.
The Automation Workflow
Instead of a human manually testing permissions, an AI-driven recorder performs the following steps:
- Authentication: Logs in using a specific test persona (e.g., "Read-Only User").
- Navigation: Attempts to visit a restricted URL (e.g.,
/settings/api-keys). - Capture: Detects the "Access Denied" or "403" state and takes a high-resolution screenshot.
- Metadata: Attaches the timestamp, URL, User ID, and browser version.
- Reporting: Generates a PDF evidence pack mapped to Control CC6.1.
This approach transforms a manual, error-prone process into a repeatable, audit-proof workflow.
Step-by-Step: Proving CC6.1 (Logical Access)
To satisfy SOC 2 Control CC6.1, you must demonstrate that logical access to system resources is restricted to authorized users. Here is the standard procedure for proving this with automated screenshots.
1. Define the Restricted Resource
Identify a high-risk area of your application.
- Example: The "Delete Organization" button or the "API Keys" settings page.
2. Execute the Negative Test
Using Screenata or a similar evidence automation tool, record the following sequence:
- Step A: Show the user profile page to prove the current user has "Low-Level" permissions.
- Step B: Attempt to click the restricted button or navigate to the restricted URL.
- Step C: Capture the resulting toast message ("You do not have permission") or page error.
3. Generate the Evidence Pack
The automation tool should compile these images into a single PDF. Crucially, the PDF must include:
- Control ID: CC6.1
- Test Date: e.g., 2026-01-16 14:30 UTC
- Tester: Automated Agent / [User Name]
- Result: PASS (Access was successfully denied)
Example: Proving Admin Panel Restrictions
Below is a breakdown of what a perfect piece of evidence looks like for an auditor reviewing Admin Panel restrictions.
Control: CC6.1 — Logical Access
Scenario: Verify that Support_Staff cannot access Super_Admin billing controls.
| Evidence Element | What the Screenshot Shows | Why Auditors Need It |
|---|---|---|
| 1. User Context | Top-right corner shows user avatar and "Role: Support" | Proves the test was run by a restricted user. |
| 2. The Action | User cursor clicking "Edit Billing" | Shows the attempt to perform a privileged action. |
| 3. The Restriction | Red banner: "Error 403: Insufficient Privileges" | The Proof. Confirms the application logic works. |
| 4. Timestamp | System clock or metadata footer | Proves the test is current (within the audit window). |
Automated Output:
Instead of four loose image files, Screenata produces CC6.1_Admin_Restriction_Test.pdf containing all three views plus a JSON manifest verifying the chain of custody.
Best Practices for "Access Denied" Screens
If your application simply redirects a user to the dashboard without an error message, auditors may find the evidence ambiguous. To make your SOC 2 evidence clearer:
- Explicit Error Messages: Ensure your app displays "Access Denied" or "You do not have permission" rather than a silent fail.
- URL Visibility: Ensure screenshots capture the browser URL bar showing the attempted path (e.g.,
app.com/admin) versus the redirected path. - Console Logs: Advanced automation tools can capture the browser console log showing the
403 Forbiddennetwork response, which is definitive technical proof even if the UI is subtle.
Frequently Asked Questions
Can I use a video instead of screenshots?
Yes, but auditors generally prefer static screenshots embedded in a document because they are easier to store in workpapers. If you use video, ensure your automation tool (like Screenata) extracts key frames into a PDF summary so the auditor doesn't have to watch a video file for every control.
How often do I need to prove access restrictions?
For SOC 2 Type II, you generally need to provide evidence of this test quarterly or semiannually. If you deploy code daily, automated testing ensures you can prove that a recent deployment didn't break your permission model.
Does Drata or Vanta collect this automatically?
No. Drata and Vanta verify that your Identity Provider (like Okta or Google Workspace) is configured correctly. They do not verify that your application code honors those configurations. You must provide this evidence manually or use an application-level evidence tool like Screenata.
What if my application doesn't have a visible "Access Denied" page?
If your app redirects users silently, capture the "Before" and "After" state.
- Before: URL is
/admin. - After: URL is
/dashboard. - Narrative: "User attempted to access /admin and was automatically redirected to /dashboard, confirming access restriction."
Key Takeaways
- ✅ Negative testing is mandatory: You must prove that unauthorized users fail to get access, not just that authorized users succeed.
- ✅ Infrastructure monitoring has gaps: Tools like Drata cannot see inside your application's UI logic; they only see API settings.
- ✅ Screenshots need context: A valid proof includes the user role, the attempted action, the error message, and the timestamp.
- ✅ Automation saves time: Using tools to record these workflows reduces the quarterly evidence burden from days to minutes.
- ✅ Focus on CC6.1: This is the primary control where application access restriction evidence is scrutinized.
Learn More About SOC 2 Compliance Automation
For a complete guide to automating SOC 2 evidence collection, see our guide on automating SOC 2 evidence collection, including how to capture application-level proof that infrastructure monitoring tools miss.
Not sure if you even need a compliance consultant? Read Do You Actually Need a vCISO for SOC 2? Probably Not Anymore or The Bootstrapped Founder's Guide to SOC 2.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.