Create a catalogue of role-based access profiles for departments [Departments], mapping required zones, time windows, and escort rules to enforce least privilege. Include critical areas [CriticalAreas] with heightened controls (dual approval, logging frequency). Align to [RegulatoryFramework] principles and define recertification cadence. Establish thresholds for deviations (e.g., more than [Threshold_Exceptions_Percent]% exceptions triggers review).
Output format:
Profile table (Markdown): Role | Zones | Time Window | Approval Level | Review Cycle | Compensating Controls.
Constraints list for high-risk zones (bulleted).
Recertification schedule (Markdown table) for the next [Timeframe].
Exception request form template (Markdown) including justification and expiry.
Incorporate joiner-mover-leaver scenarios, temporary elevation with expiry, and metrics (exception rate, average approval time). Provide harmonisation guidance for multi-building badges to avoid overprovisioning.