Restricting access to desktop applications and tools ( CSV )

v9991

Trusted Information Resource
GxP computer systems which are involved in the generation of primary/raw data are recommended/restricted from having access to certain computer application tools which are deemed a potential risk to data integrity; they involve general inherent tools such as deletion of files and date & time functionality which affect the data attributes (this is generally restricted to IT/Admin), and other restricted controls for MS Office (either not installing it at all, OR access only for given roles (admin/IT) or personnel).

The query is procedural and technical; request you to provide the reference or steps to implement the following.
1. How do you implement the above controls for computer application tools (domain policies)?
2. How do you implement access to MS Office for specified admin/personnel only?
3. Is it possible to allow access to MS Office ONLY for other applications (i.e., MS Office can be invoked by the DMS but not by the individual personnel)?

Note to moderator: request to move this query to a separate technical/software section, if/as appropriate.

v9991

Trusted Information Resource
GPT Response-1
1. Restricting access to application tools - Group Policy Editor
2. Role-based access control (Office 365 - Azure AD)
3. Scripting

Restricting Access to Application Tools:
Use Group Policy Editor (GPE) to create policies that restrict user access to system settings like date and time.
Implement file permissions to prevent deletion by unauthorized users.
Use software restriction policies to block executable files from running.

Restricting MS Office Access:
Assign Office 365 licenses to only those users who need access.
Use Role-Based Access Control (RBAC) in Office 365 to define what users can and cannot do.
Set up Administrative Units in Azure AD to restrict admin privileges to a subset of users.

Allowing MS Office Access Only to Applications:
This is more complex and may require custom scripting or software development.
You can use app-only permissions in Azure to allow services to run Office applications without a user's interaction.
Consider consulting with a software developer or a Microsoft-certified professional for a tailored solution.

GPT Response-2
1. User group policies
2. Software restriction policies
3. AppLocker overview
4. Programmatic access controls
5. Trust Center

Application Whitelisting and Blacklisting:
Use Group Policy to create rules that only allow MS Office to be launched by specific applications.
Open gpedit.msc.
Navigate to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies.
Create new rules under "Additional Rules" to specify allowed and disallowed executables.
References: Software Restriction Policies

AppLocker (Windows Enterprise and Education Editions):
Create AppLocker rules to control which users or groups can run particular applications.
Open gpedit.msc.
Navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.
Create new Executable Rules to allow MS Office apps to be invoked by specific applications.
References: AppLocker Overview

Programmatic Access Controls:
Configure MS Office application settings to only allow automation from specific applications.
Use the Trust Center settings in Office applications to restrict programmatic access.
Open an Office application (e.g., Word).
Go to File > Options > Trust Center > Trust Center Settings.
Configure "Macro Settings" and "Programmatic Access" to allow only trusted applications.
References: Trust Center in Office

By following these steps, you can effectively manage and restrict access to various computer functions and applications, enhancing security and control within your organization.
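The AppLocker and user-rights steps above can be expressed as a script, which also makes the result checkable before it is enforced. The following PowerShell is an added example written for this thread; it is not code from the thread, from Microsoft documentation or from any DMS vendor. It (a) lists who holds the "Change the system time" user right and (b) builds an AppLocker EXE policy in which the Office executables are allowed only for one service group, with the usual Program Files default rule carrying an exception for the Office folder so no broad rule lets interactive users start Word or Excel. Every name in it is an assumption to be adjusted: the group CONTOSO\DMS-Service-Accounts, the accounts CONTOSO\svc-dms and CONTOSO\operator01, and the Click-to-Run install path. One caveat a practitioner needs for question 3: AppLocker decides on the account the process runs as, not on which program launched it, so Office started through COM automation inside an operator's own session runs as the operator and is blocked; the DMS's Office integration has to run under the service account (a member of the allowed group) for this design to work.

```powershell
# Added example, not code from the thread or from vendor documentation:
# (a) audit who holds the "Change the system time" user right, and
# (b) build an AppLocker EXE policy where WINWORD/EXCEL/POWERPNT run only
#     for members of one service group, then simulate it before applying.
# Assumed names (adjust): CONTOSO\DMS-Service-Accounts, CONTOSO\svc-dms,
# CONTOSO\operator01 and the Click-to-Run Office path. Needs an elevated
# PowerShell on Windows Enterprise/Education with the Application Identity
# service (AppIDSvc) running.

$OfficeDir  = 'C:\Program Files\Microsoft Office\root\Office16'   # assumed
$DmsGroup   = 'CONTOSO\DMS-Service-Accounts'                      # assumed
$DmsAccount = 'CONTOSO\svc-dms'                                   # assumed, member of $DmsGroup
$Operator   = 'CONTOSO\operator01'                                # assumed interactive user
$Work       = Join-Path $env:TEMP 'applocker-office'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# --- (a) Who may change the system clock? ------------------------------------
# secedit exports the local security policy; the SeSystemtimePrivilege line
# lists the SIDs holding "Change the system time". On a data-generating system
# only Administrators (S-1-5-32-544) and LOCAL SERVICE (S-1-5-19) should appear.
$inf = Join-Path $Work 'secpol.inf'
secedit /export /cfg $inf /quiet | Out-Null
$privLine = Get-Content $inf | Where-Object { $_ -match '^SeSystemtimePrivilege' }
$holders  = ($privLine -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $entry = $_.Trim().TrimStart('*')
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry }   # unresolvable SID or a plain name: report as-is
}
Write-Host "Change the system time is held by: $($holders -join ', ')"

# --- (b) AppLocker: Office executables only for the DMS service group --------
# Publisher rules survive Office updates; hash rules are the fallback for any
# unsigned binary. -Optimize merges rules that share a publisher.
$allowFile = Join-Path $Work 'office-allow-dms.xml'
Get-ChildItem -Path $OfficeDir -Filter '*.exe' |
    Where-Object { $_.Name -in 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE' } |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher, Hash -User $DmsGroup `
        -RuleNamePrefix 'Office-DMS-only' -Optimize -Xml |
    Set-Content -Path $allowFile -Encoding UTF8

# Base rules: Everyone may run Program Files and Windows, EXCEPT the Office
# folder, so no broad allow covers Office for interactive users. AuditOnly
# first: "would have been blocked" starts appear as event 8003 in the
# Microsoft-Windows-AppLocker/EXE and DLL log; switch to Enabled when clean.
$baseFile = Join-Path $Work 'base-rules-audit.xml'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Program Files except Office" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%PROGRAMFILES%\Microsoft Office\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Administrators: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $baseFile -Encoding UTF8

# Merge the generated Office rules into the base EXE collection.
[xml]$policy = Get-Content $baseFile
[xml]$allow  = Get-Content $allowFile
$exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
$newRules = $allow.AppLockerPolicy.RuleCollection  | Where-Object { $_.Type -eq 'Exe' }
foreach ($rule in $newRules.ChildNodes) {
    $exeRules.AppendChild($policy.ImportNode($rule, $true)) | Out-Null
}
$mergedFile = Join-Path $Work 'office-policy-merged.xml'
$policy.Save($mergedFile)

# Simulate before applying: the service account should come back Allowed,
# the operator Denied (caught by the Program Files exception, no other allow).
$winword = Join-Path $OfficeDir 'WINWORD.EXE'
foreach ($acct in $DmsAccount, $Operator) {
    $decision = Test-AppLockerPolicy -XmlPolicy $mergedFile -Path $winword -User $acct
    Write-Host ("{0,-26} {1}" -f $acct, $decision.PolicyDecision)
}

# Apply to the local policy; for a domain GPO add -Ldap "LDAP://<gpo path>".
Set-AppLockerPolicy -XmlPolicy $mergedFile -Merge
```

Run it once in AuditOnly, review the 8003 events for a few weeks of normal lab operation (including any legitimate Office use by IT), then edit EnforcementMode to Enabled. The Test-AppLockerPolicy output is the evidence piece: it shows, per account and per binary, which rule produced the decision, which is what a validation record for this control needs.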

v9991

Trusted Information Resource
Is this thread an attempt to convince me that GPT doesn't want me to think about audit trails?
This thread was about "possible ways to implement" controls to be deployed on a computer system, where an application is accessible by another application but not by the individual users.

Where is the context of audit trails? However, in the context of GPT in the compliance domain, there are solutions developed (and deployed) for using Gen-AI for "rule-based contextual assessment" to replace the manual audit trail reviews.

Tidge

Trusted Information Resource
An audit trail is a no-brainer way to verify if a software tool is allowing changes, authorized or not.

v9991

Trusted Information Resource
An audit trail is a no-brainer way to verify if a software tool is allowing changes, authorized or not.
Allow me to highlight that this is not about audit trail; this is about implementing suitable "controls", such that the relevant apps/tools are only accessible to the specific designated application on the computer, and not accessible to the individual users.

Further, in the compliance domain, the audit trail is the current means & mechanism of identifying the details of the changes during the review and approval process; of course, for that, there are certain rule-based controls employed during the moment/event of the changes itself; however, the audit trail is the final check/control prior to approval.

"no-brainer way to verify..."
Can you elaborate the specific point of "no-brainer way to verify..."? Are you indicating design controls, or any alternate controls?

Tidge

Trusted Information Resource
Maintaining a state of "control" heavily implies (especially in the 21 CFR 11 arena) being able to demonstrate that the controls remain in place and that they are working as expected. IIRC, audit trails are explicitly required under part 11 for both open and closed systems, beyond "role base access" (also in part 11) and "restricted access" (also in part 11).