When an employee leaves your organization, how long does it take to revoke their access to every system that touches Aramco data? If the answer is "we would need to check each system individually" or "it depends on who remembers to do it," your organization has a TPC-6 compliance gap that auditors will find. Identity and access lifecycle management is one of the most operationally challenging SACS-002 controls because it requires coordination across every system, every time someone joins, changes roles, or leaves. This guide explains exactly what TPC-6 and TPC-18 require and how to implement centralized access lifecycle management.
The SACS-002 Access Lifecycle Controls
Two TPC controls form the core of SACS-002's access lifecycle requirements. Together, they ensure that only authorized individuals have access to systems containing Aramco data, and that access is promptly removed when no longer needed.
TPC-6: Third Party must notify Saudi Aramco within 24 hours when any employee with Saudi Aramco credentials is terminated or no longer requires access. All access must be revoked within 24 hours of separation.
TPC-18: Third Party must implement formal off-boarding procedures that include return of all Saudi Aramco assets, deactivation of all credentials, removal of access to all systems, and documented evidence of completion.
Why These Controls Matter
Former employees with active credentials represent one of the highest-risk attack vectors in supply chain security. A terminated employee who retains VPN access, email access, or file storage access can exfiltrate Aramco data days or weeks after leaving. The 24-hour requirement in TPC-6 exists precisely because Aramco has seen real incidents where former contractor employees accessed systems long after their engagement ended.
The Access Lifecycle: Joiner, Mover, Leaver
Identity and access management follows a three-phase lifecycle. Each phase has specific SACS-002 implications.
Joiner (New Employee Onboarding)
When a new employee is hired who will work on Aramco-related projects, they need access to specific systems. The principle of least privilege applies -- they should receive only the minimum access necessary for their role, not blanket admin access to everything.
Compliant onboarding includes:
- Formal access request approved by the employee's manager
- Role-based access assignment (not individual permission grants)
- MFA enrollment before first access (TPC-2/TPC-3)
- Security awareness training completion before system access (TPC-7)
- AUP acknowledgment signed (TPC-1)
- Documented record of what access was granted, when, and by whom
Mover (Role Change)
When an employee changes roles within the organization, their access requirements change. A common audit finding is "access creep" -- employees accumulate access from previous roles without having old permissions revoked. An engineer who moves to a project management role should lose their server admin access but retain document access.
Compliant role changes include:
- Review of current access against new role requirements
- Revocation of access no longer needed for the new role
- Grant of new access required for the new role (with manager approval)
- Documented record of the access change
Leaver (Termination or Contract End)
This is where TPC-6 and TPC-18 apply directly. When an employee leaves -- whether through resignation, termination, or contract completion -- all access must be revoked within 24 hours.
Compliant off-boarding includes:
- Immediate revocation of all system access (email, file hosting, VPN, RDP, admin panels)
- Deactivation of all credentials and MFA tokens
- Return of all physical and digital assets (laptops, access cards, tokens)
- Notification to Saudi Aramco within 24 hours if the employee had Aramco credentials
- Documented evidence of each step with timestamps
TPC-6 and TPC-18 Audit Evidence
| Evidence Item | What Auditors Expect |
|---|---|
| Off-boarding procedure | Written procedure document listing each step: access revocation, asset return, notification, documentation |
| Recent off-boarding records | Completed checklists for employees who left in the last 12 months, showing timestamps for each step |
| 24-hour compliance proof | Timestamps showing access was revoked within 24 hours of separation date (compare HR termination date to system access revocation date) |
| Aramco notification records | Email or ticket records showing 24-hour notification to Aramco for employees with Aramco credentials |
| Access review reports | Most recent quarterly access review showing all current users and their access levels |
| No orphaned accounts | Cross-reference of active system accounts against current employee list -- no accounts for former employees |
Quarterly Access Reviews
Beyond the joiner/mover/leaver lifecycle, SACS-002 expects periodic reviews of who has access to what. Access reviews catch dormant accounts, excessive permissions, and unauthorized access that may have been granted outside normal processes.
A compliant access review process includes:
- Quarterly frequency: Review all user access at least every 90 days
- Manager approval: Each user's manager confirms that the user still needs their current access level
- Privileged account focus: Admin and root accounts receive extra scrutiny -- who has them and why
- Service account review: Automated service accounts are reviewed for necessity and credential rotation
- Documented results: Review findings, approved access, revoked access, and remediation actions all documented
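The three reconciliations an auditor runs from the evidence table above (24-hour revocation proof, orphaned accounts) and the access creep a quarterly review is meant to catch, as an added Python example that is not from the page or from MassiveGRID's product; the HR roster, role templates and per-system exports are constructed sample data.

```python
from datetime import datetime, timedelta
# Constructed sample data (not from the page). revoked_at None = account still active.
HR = {
    "alice": {"status": "active", "role": "engineer", "separated_at": None},
    "bob":   {"status": "left", "role": "engineer", "separated_at": "2024-03-01T09:00"},
    "carol": {"status": "left", "role": "manager", "separated_at": "2024-03-05T17:00"},
    "dave":  {"status": "active", "role": "manager", "separated_at": None},
}
ROLE_TEMPLATES = {  # hypothetical role-based access templates
    "engineer": {"email", "files", "vpn", "ssh-admin"},
    "manager": {"email", "files", "vpn"},
}
SYSTEMS = {  # account export per system: user -> revoked_at timestamp
    "email": {"alice": None, "bob": "2024-03-01T15:00", "carol": "2024-03-06T09:00", "dave": None},
    "files": {"alice": None, "bob": "2024-03-01T15:10", "carol": None, "dave": None},
    "vpn":   {"alice": None, "bob": "2024-03-03T08:00", "carol": "2024-03-06T10:00", "dave": None},
    "ssh-admin": {"alice": None, "bob": "2024-03-01T15:20", "dave": None},
}

def orphaned_accounts(hr, systems):
    """Still-active accounts whose owner HR does not list as active: the orphaned-accounts check."""
    found = []
    for system, accounts in systems.items():
        for user, revoked_at in accounts.items():
            if revoked_at is None and hr.get(user, {}).get("status") != "active":
                found.append((system, user))
    return sorted(found)

def late_revocations(hr, systems, window=timedelta(hours=24)):
    """Leavers whose access was revoked more than `window` after separation: the 24-hour proof."""
    late = []
    for system, accounts in systems.items():
        for user, revoked_at in accounts.items():
            rec = hr.get(user)
            if rec and rec["status"] == "left" and revoked_at:
                delay = datetime.fromisoformat(revoked_at) - datetime.fromisoformat(rec["separated_at"])
                if delay > window:
                    late.append((system, user, round(delay.total_seconds() / 3600, 1)))
    return sorted(late)

def access_creep(hr, systems, templates):
    """Active users holding entitlements outside their current role template (mover check)."""
    creep = {}
    for user, rec in hr.items():
        if rec["status"] == "active":
            held = {s for s, a in systems.items() if user in a and a[user] is None}
            extra = held - templates[rec["role"]]
            if extra:
                creep[user] = sorted(extra)
    return creep
```

Run against real exports, each non-empty result is an audit finding with the system, user and (for late revocations) the delay in hours as evidence.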
Privileged Access Management (PAM)
Privileged accounts (admin, root, superuser) pose the highest risk because they have unrestricted access to systems and data. SACS-002's access control requirements apply with extra force to these accounts.
PAM Best Practices for CCC
- Separate admin accounts: Administrators use separate privileged accounts for admin tasks, not their daily-use accounts
- MFA required: All privileged access requires multi-factor authentication (TPC-2/TPC-3)
- Session recording: All privileged sessions are recorded for forensic review and audit evidence
- Just-in-time access: Privileged access is granted temporarily and revoked automatically after use
- Password vaulting: Shared admin credentials stored in encrypted vaults with checkout/checkin workflows
- Break-glass procedures: Emergency access procedures documented with post-use review
Service Account Management
Service accounts -- non-human accounts used by applications and automated processes -- are often overlooked in access reviews. Yet they frequently have elevated privileges and rarely have their passwords rotated. SACS-002 auditors will check for:
- Inventory of all service accounts with documented purpose and owner
- Regular password rotation (every 90 days, consistent with TPC-2)
- Least-privilege principle applied (service accounts should not have admin access unless operationally required)
- Monitoring of service account activity for anomalous behavior
- Disabled interactive login for service accounts that only need programmatic access
Common IAM Audit Failures
- Orphaned accounts: Active system accounts belonging to employees who left months ago. This is the most damaging finding because it demonstrates a fundamental breakdown in access lifecycle management.
- No formal off-boarding procedure: When asked for the off-boarding checklist, the vendor cannot produce one. Access revocation happens informally (or not at all) when someone happens to remember.
- 24-hour violation: The auditor compares HR termination dates to system access revocation dates and finds accounts that remained active for days or weeks after the employee left.
- Access creep: Employees who changed roles retain access from their previous position. A quarterly access review would have caught this, but no reviews were conducted.
- Shared accounts: Multiple employees share a single login. This makes it impossible to track who did what and violates individual accountability requirements.
- No access review evidence: The vendor claims to review access regularly but cannot produce any documentation showing when reviews occurred or what was found.
- Privileged accounts without MFA: Admin accounts that can be accessed with just a password, without multi-factor authentication.
- Unmonitored service accounts: Service accounts with admin privileges that have not had their passwords changed since creation and have no activity monitoring.
How MassiveGRID's IAM Lifecycle Component Works
Managing access lifecycle across multiple disconnected systems -- email, file hosting, VPN, RDP, firewall rules, monitoring dashboards -- is operationally difficult. When an employee leaves, someone must remember to revoke access in each system individually. Miss one system, and you have an orphaned account that the auditor will find.
MassiveGRID's Identity and Access Lifecycle component, included in the CCC-Compliant Infrastructure Package, centralizes this into a single platform:
- Centralized identity dashboard: Single pane of glass showing all user accounts across every package component (email, file hosting, RDP, VPN, monitoring)
- Automated de-provisioning: When a user is terminated in the dashboard, access is revoked across all connected systems simultaneously -- in minutes, not days
- Joiner/mover/leaver workflows: Structured workflows for onboarding, role changes, and off-boarding with required approval steps
- Role-based access templates: Pre-defined access profiles for common roles (general staff, IT admin, manager, executive) implementing least-privilege by default
- Quarterly access review campaigns: Automated review campaigns that present each manager with their team's access for confirmation or revocation
- Privileged session recording: All admin sessions automatically recorded and stored for forensic review
- Service account inventory: Automated discovery and monitoring of service accounts with password rotation reminders
- Complete audit trail: Every access change is logged: who was granted access, by whom, when, what was changed, and why
- Aramco notification integration: Automated notification templates for the 24-hour TPC-6 requirement when employees with Aramco credentials are terminated
- Compliance reports: One-click export of access review results, off-boarding records, and orphaned account checks for auditor review
Integration with Other SACS-002 Controls
IAM lifecycle management connects directly to several other SACS-002 controls:
- TPC-2/TPC-3 (Password and MFA): The IAM component enforces password policies and MFA enrollment at provisioning time
- TPC-7 (Training): New user provisioning triggers training enrollment -- access is not granted until training is completed
- TPC-1 (AUP): AUP acknowledgment is a required step in the onboarding workflow
- TPC-23 (Incident Response): If a compromised account is detected, the IAM component supports immediate emergency access revocation
- Monitoring: User activity across all systems is correlated through the centralized identity, enabling detection of anomalous access patterns
Key insight: IAM is the connective tissue between most other SACS-002 controls. Without centralized identity management, each control operates in isolation -- password policies in one system, MFA in another, training records in a spreadsheet. The IAM component ties them together into a coherent compliance posture.
Get IAM as Part of the Full CCC Package
Identity and access lifecycle management is one of ten components in the MassiveGRID Aramco CCC-Compliant Infrastructure Package. Together with email hosting, encrypted file hosting, firewall, VPN, monitoring, security training, patch management, and backup/DR, it provides everything you need to satisfy the infrastructure and operational controls of SACS-002.