
SC.01 — User and Access Management

System: AI Connectors Platform
Last updated: 2026-04-29

This document describes how the AI Connectors platform fulfils the SC.01 control category.


Control Attestation Table

| Control | Description | Status | Evidence |
|---|---|---|---|
| CTRL0537490 — SC.01.01 | No shared user accounts | Compliant | access-management.md §1, §8 |
| SC.01.02 | Define user roles | Compliant | access-management.md §1 |
| SC.01.03 | User access roles match business requirements with least privilege | Compliant | access-management.md §1–2 |
| CTRL0537505 — SC.01.04 | Grant, modify, and remove access rights according to business requirements | Compliant | access-management.md §3–5 |
| SC.01.05 | Inactive account controls — maximum inactivity time before account disable | Compliant | access-management.md §5 |
| CTRL0537524 — SC.01.06 | User access review — check for inactive accounts on a regular basis | Compliant | access-management.md §4 |
| SC.01.09 | User account identification — passwords/tokens are individual and identity-linked | Compliant | access-management.md §2, §8 |
| SC.01.11 | Password protection — use a password management system with security measures | Compliant | secrets-management.md §2 |
| SC.01.12 | Machine-generated secrets meet complexity requirements | Compliant | secrets-management.md §2 |
| CTRL0537475 — SC.01.13 | Privileged account protection — use NN Privileged Identity Management (PIM) solution | Compliant | access-management.md §6 |
| CTRL0537509 — SC.01.14 | Access control — extra layer of authentication for remote access (MFA) | Compliant | access-management.md §7 |
| CTRL0537488 — SC.01.15 | Password confidentiality — encryption/hashing for password storage and transmission | Compliant | secrets-management.md §2, data-storage-encryption.md §3 |
| CTRL0537477 — SC.01.17 | User access approvals — proper approvals by line manager and/or IT Infrastructure Owner | Compliant | access-management.md §3 |
| CTRL0537510 — SC.01.18 | User access monitoring — maintain a list of current users and their access | Compliant | access-management.md §4, §6 |
| SC.01.19 | Secrets stored in a secure location with strict access controls | Compliant | secrets-management.md §2–3 |

Security Controls Reference

CTRL0537475 — SC.01.13: Protect privileged accounts and credentials

Control Text: Protect privileged accounts and their passwords to the standard delivered by the Novo Nordisk Privileged Identity Management solution.

Applicability: There are users in the IT Solution or service. Mandatory add-on — must be implemented regardless of risk assessment outcome; compensating controls require CISO approval.

Additional Description

Privileged Identity Management (PIM) provides a protected vault for secure storage and management of passwords. Using PIM allows you to:

  • Avoid having to remember all passwords
  • Have a central repository with various access levels for employees
  • Automate password management (verify/change/reset passwords)
  • Keep an audit trail in one place for operations with accounts
  • Have password rotation

A PIM solution by Novo Nordisk standards must include the following security features (or equivalent compensating measures):

  • Access Control: Least Privilege Principle, Role-Based Access Control (RBAC), Access Approval Workflow
  • Authentication & Authorization: Multi-Factor Authentication (MFA), strong password policies, Single Sign-On (SSO) integration
  • Monitoring & Auditing: Session monitoring, comprehensive audit logs, anomaly detection
  • Account Management: Automated provisioning/de-provisioning, periodic review, password vaulting, encryption of sensitive data in transit and at rest

Detailed Description

AI Connectors gates all privileged AWS access through the NN PIM solution using separate ADMIN-XXXX accounts, not standard corporate identities. Engineers authenticate to PIM with MFA, receive a time-limited (8-hour) password for their ADMIN-XXXX account, and then sign into AWS SSO with additional MFA. After 8 hours the password expires automatically — no standing access exists. Service identities are AWS IAM roles that cannot be assumed by humans, only by ECS tasks via instance metadata.

Implementation Considerations


CTRL0537477 — SC.01.17: Ensure proper approvals of user access

Control Text: Ensure proper approvals of user accesses (for instance by line manager and/or IT System owner).

Applicability: There are users in the IT Solution.

Additional Description

It is recommended to use novoAccess if possible. User access must be granted only to authorised users and access rights must be properly approved and reviewed before granting access.

Guidelines for access authorisation are defined in Section 2.1 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs.

Detailed Description

AI Connectors enforces approval at two layers. End-user access is governed by Azure AD group assignment (currently the "All Novo users" group 3bb6cc78-2024-419a-a6af-42c28127e12f) — no individual provisioning is required. AWS account access is managed via NovoAccess, approved by the IT Infrastructure Owner or IT Infrastructure Manager. Azure AD app registrations are ordered via ServiceNow RITM by the IT Infrastructure Owner or IT Infrastructure Manager — the Azure AD team creates the object, after which the AI Connectors team imports it into Terraform. All initial ordering RITM IDs are on record.

Implementation Considerations

  • access-management.md §3 — approval process for end-user access, operator access, and app registrations

CTRL0537488 — SC.01.15: Ensure that passwords are kept secure

Control Text: Ensure that passwords are kept confidential when entered, stored, and transmitted across any network with encryption/hashing methods considered best practice by Global Information Security.

Applicability: There are users in the IT Solution or services. Mandatory add-on — must be implemented regardless of risk assessment outcome; compensating controls require CISO approval.

Additional Description

Protecting passwords when entered:

  • Require strong, unique passwords not easily guessable or based on personal information.
  • The IT solution should not allow persistent disclosure of a password in plain text (a temporary view is acceptable).
  • Instruct users to follow the IT code of conduct on password handling.
  • Two-factor authentication is in many cases a mandatory extra layer of security.

Protecting passwords in transit:

  • Never transmit passwords in plain text.
  • Apply end-to-end encryption via TLS in all web- and service-based communications. Support only TLS 1.2 and TLS 1.3; disable all other protocols.

Protecting passwords at rest:

  • Do not store passwords in clear text — store a salted hash value using a best-practice hash function.
  • Also encrypt the database where password hashes are stored.
  • Implement strong access controls to limit access to password hashes to authorized individuals only.
  • Monitor and log access to detect and prevent unauthorized access.

Recommended hashing algorithms: Argon2id, scrypt, bcrypt, blake2, or PBKDF2. These are computationally expensive by design, so offline guessing against a stolen hash is slow. Use salting (a unique random value per password, stored alongside the hash) and optionally peppering (a secret value that is not stored in the database) to further enhance security.

Detailed Description

AI Connectors does not manage end-user passwords — all human authentication is fully delegated to Azure AD. The platform's own secrets (Azure AD client secrets used for OBO token exchange) are generated by Terraform and written directly into AWS SSM Parameter Store as encrypted SecureString values. The AI Connectors team never knows the secret value. Secrets are transmitted only over TLS to Azure AD, never logged or printed, and accessible only by the specific MCP's ECS execution role at container startup.

Implementation Considerations


CTRL0537490 — SC.01.01: Shared user accounts (group accounts)

Control Text: Shared user accounts (group accounts) can only be used if individual accounts are not possible, and only if implementing compensating controls such as physical access controls and logging of the use of the account.

Applicability: There are users in the IT Solution that are not managed through Active Directory.

Additional Description

If it is not possible to use individual accounts, follow these guidelines:

  • Use a Privileged Identity Management (PIM) Solution.
  • Restrict access to shared accounts through isolation and lock-down.
  • Use a local, restricted account which can only enter data or has limited display of data. Never use a generic CORP user account as a shared account.
  • Physically isolate the point of access to the shared account by placing the computer in a locked room or building.
  • Disable access to anything but the IT solution that the shared account is used for (e.g. remove email, internet access if possible).
  • Monitor and review the shared account regularly to detect any potential misuse.
  • Review transactions/logs for the shared account and consider using a usage-log to improve enforcement and provide individual accountability.
  • Increase frequency of password changes and implement more strict password management controls (e.g. define whether password should be changed when an employee with access to the account leaves the company).

System accounts are most often an integrated part of an IT system with extensive privileges, presenting significant risks. These risks should be identified and managed appropriately.

Detailed Description

AI Connectors uses Azure AD OAuth 2.0 with On-Behalf-Of flow — every end-user request carries a Bearer token tied to that specific user's identity, exchanged for a Graph API token that preserves the same identity. Platform operators use individual ADMIN-XXXX accounts via PIM, not shared admin passwords. Service identities are AWS IAM roles that cannot be assumed by humans. CI/CD uses per-MCP GitHub Actions OIDC roles, each scoped to its own workflow. No shared credentials or accounts exist at any layer.

Implementation Considerations


CTRL0537505 — SC.01.04: Review access rights for all users

Control Text: Review access rights for all users on a regular basis and revoke rights that are no longer needed, for instance due to changing job roles or termination of employment.

Applicability: There are users in the IT Solution.

Additional Description

When performing an access rights review, it is important to review both:

  • The list of users that have access to the IT solution (do they still all need access?)
  • The specific roles and privileges assigned to those users (do users need all the permissions they have, or can they be reduced?)

It is up to the IT solution management to determine the appropriate frequency of access right reviews, depending on the risk profile of the IT solution. Minimum guidelines are defined in Section 3.2 and 3.3 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs. For IT solutions with a higher risk profile, consider more frequent reviews.

Detailed Description

AI Connectors performs annual access rights reviews across three populations: end-user group assignments, platform operator AWS SSO roles, and service identity owners. Reviews assess whether broad all-employee assignment remains appropriate, remove unused roles or assignments, and confirm no unexpected owners or trust extensions were added. Offboarding is automatic for end users (Azure AD account disable by NN IT invalidates all tokens) and manual for operators (IT Infrastructure Manager removes AWS SSO assignments).

Implementation Considerations


CTRL0537509 — SC.01.14: Remote user access

Control Text: For remote user access to any Novo Nordisk IT solution, data, or network from non-Novo Nordisk controlled devices or networks, apply an extra layer of authentication, such as one-time passwords, biometrics, or tokens, in addition to the username and password.

Applicability: There are users in the IT Solution. Mandatory add-on — must be implemented regardless of risk assessment outcome; compensating controls require CISO approval.

Additional Description

Implementing this control:

  • Requires use of a two-factor authentication mechanism approved by Global Information Security. Contact gsosecurityservices@novonordisk.com or see the Service Catalogue for approved options.
  • You may choose from one-time passwords, biometrics, or tokens — evaluate the benefits and drawbacks of each before deciding.
  • Once decided, implement across all IT systems, which may involve deploying new hardware/software or reconfiguring existing systems.
  • Inform all remote users of the new authentication requirements and provide clear instructions. Disable other authentication methods that could bypass the additional layer.
  • Use of a VPN connection to the Novo Nordisk network is considered a compensating control. Note that SC.02.03 on network connections between Novo Nordisk infrastructure and third parties requires CISO approval.

Detailed Description

AI Connectors is cloud-hosted and exposed over the public internet, so all access is inherently remote. MFA is enforced upstream by the Novo Nordisk Azure AD tenant via Conditional Access policies — no AI Connectors component can issue a valid token without the caller first passing MFA at the Azure AD layer. Privileged access (ADMIN-XXXX / PIM) requires MFA to obtain passwords from PIM and again when signing into AWS via SSO. There is no bypass path.

Implementation Considerations


CTRL0537510 — SC.01.18: Maintain a list of current users

Control Text: Maintain a list of current users and their access.

Applicability: There are users in the IT Solution.

Additional Description

It is recommended to use novoAccess if possible. Maintaining an up-to-date list of users and their access rights is an important component of access control — without it there is a risk of granting access to unauthorised users or failing to revoke access rights when they are no longer required.

Guidelines for creating/updating access rights are defined in Section 3.1 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs.

Detailed Description

AI Connectors does not maintain a separate user database — it relies on authoritative sources maintained in real time. Azure AD enterprise application group membership is the live access list for end users. NovoAccess is the system of record for privileged operator access. The immutable audit log in S3 captures user identity (oid and upn) on every tool call, providing a queryable activity record that complements the access list.

Implementation Considerations


CTRL0537524 — SC.01.06: Check for inactive accounts

Control Text: Check for inactive accounts on a regular basis. Disable any accounts that are inactive.

Applicability: There are users in the IT Solution.

Additional Description

To implement this control:

  • Define the maximum amount of time an individual can be inactive before the account is disabled, based on the risk and sensitivity of the data being protected.
  • Implement account management processes that check for inactivity and disable accounts that exceed the defined maximum time period.
  • Ensure that all users are aware of the maximum time period for inactivity and the consequences of exceeding this period.

See Section 2.3 of the "Manage Users of IT Systems - Guideline" Q0355420 in Quality Docs.

Detailed Description

AI Connectors delegates end-user inactivity detection entirely to Azure AD. When NN IT disables an employee's Azure AD account, all tokens are immediately invalidated, including any cached OBO tokens in DynamoDB (which also expire automatically via TTL after ~1 hour). For platform operators, there are no persistent sessions — AWS SSO tokens are short-lived and PIM passwords expire after 8 hours. Operator access is reviewed annually and unused assignments or roles are removed.
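SC.01.18 above describes an immutable audit log that records the caller's oid and upn on every tool call, and SC.01.06 relies on periodic review to find accounts that no longer use the platform. The following added example (not AI Connectors code) shows how a reviewer could derive both a current-user list and inactivity candidates from such a log. The records are constructed for the example and the field names (`ts`, `oid`, `upn`, `tool`) and the 90-day threshold are assumptions, not the platform's actual schema or policy.

```python
"""Current-user list and inactivity candidates from an audit log (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one JSON object per line, as a line-delimited audit log might
# be exported. Field names are assumptions for this example. The last line is
# deliberately malformed to show that the review skips bad records instead of failing.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-01-10T08:15:00Z", "oid": "11111111-aaaa-4bbb-8ccc-000000000001", "upn": "alice@example.test", "tool": "search_docs"}
{"ts": "2026-04-20T09:30:00Z", "oid": "11111111-aaaa-4bbb-8ccc-000000000001", "upn": "alice@example.test", "tool": "get_document"}
{"ts": "2026-01-05T12:00:00Z", "oid": "22222222-aaaa-4bbb-8ccc-000000000002", "upn": "bob@example.test", "tool": "search_docs"}
{"ts": "2026-04-28T16:45:00Z", "oid": "33333333-aaaa-4bbb-8ccc-000000000003", "upn": "carol@example.test", "tool": "list_items"}
this line is not JSON and is skipped
"""


def _parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit_log(text: str) -> list:
    """Return well-formed events as dicts with a timezone-aware 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            events.append({
                "ts": _parse_ts(rec["ts"]),
                "oid": rec["oid"],
                "upn": rec["upn"],
                "tool": rec.get("tool"),
            })
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip rather than abort the whole review
    return events


def last_activity(events: list) -> dict:
    """Map each identity (oid) to its most recent upn and timestamp: the live user list."""
    seen = {}
    for ev in events:
        cur = seen.get(ev["oid"])
        if cur is None or ev["ts"] > cur["last_seen"]:
            seen[ev["oid"]] = {"upn": ev["upn"], "last_seen": ev["ts"]}
    return seen


def inactive_accounts(seen: dict, now: datetime, max_inactive_days: int) -> list:
    """upns whose last recorded activity is older than the inactivity threshold."""
    cutoff = now - timedelta(days=max_inactive_days)
    return sorted(info["upn"] for info in seen.values() if info["last_seen"] < cutoff)


def run_review(log_text: str, now_iso: str, max_inactive_days: int = 90) -> dict:
    """Full review: current users seen in the log, plus inactivity candidates."""
    seen = last_activity(parse_audit_log(log_text))
    now = _parse_ts(now_iso)
    return {
        "users": sorted(info["upn"] for info in seen.values()),
        "inactive": inactive_accounts(seen, now, max_inactive_days),
    }


if __name__ == "__main__":
    today = datetime.now(timezone.utc).isoformat()
    print(run_review(SAMPLE_AUDIT_LOG, today))
```

Keying on oid rather than upn matters because a upn can be renamed while the directory object stays the same; the review reports the latest upn seen for each oid. The output is a candidate list for the reviewer, not an automatic disable action: an account absent from the log may simply never have used the platform, which is a question for the group-assignment review rather than for the log.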

Implementation Considerations