ADM-002 (Recommended) Admin Panel Security

Admin access auditing

All admin users can be enumerated, a periodic process exists to review who has access, and users who should no longer have access are easy to suspend.

Question to ask

"Who still has admin access that probably shouldn't?"

What to check

  • Find admin user management functionality
  • Check for activity tracking fields (last_login)
  • Look for role/permission system

Verification guide

Severity: Recommended

Check automatically:

  1. Find admin user management:

     # Look for the admin user model/table
     grep -riE "admin.*(user|role|permission)|role.*admin" --include="*.ts" --include="*.js" --include="*.prisma" --include="*.sql" . | head -10

     # Find admin list/index endpoints
     grep -riE "(list|index|all).*(admin|user)|getAdmins|fetchAdmins" --include="*.ts" --include="*.js" . | head -10

  2. Check for activity tracking fields:

     # Look for last_login, last_activity fields
     grep -riE "last_login|lastLogin|last_activity|lastActivity|last_seen" --include="*.ts" --include="*.js" --include="*.prisma" . | head -10

  3. Look for the role/permission system:

     # Find role definitions ([[:space:]] rather than \s so the pattern also works with non-GNU grep)
     grep -riE "enum.*role|type.*role|roles?[[:space:]]*=" --include="*.ts" --include="*.js" --include="*.prisma" . | head -10
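What a passing implementation of the three criteria looks like, as an added TypeScript example (not code from this checklist or from any audited project): it enumerates every admin with access level and last-login age, flags the accounts a periodic review has to decide on, and suspends through application code that records who acted and why instead of a direct DB change. The AdminUser record, the 90-day staleness window and the "never suspend the last active owner" guard are assumptions made for the example; the sample accounts are constructed.

```typescript
// Added example, not the checklist's or any project's code. Models the three
// ADM-002 pass criteria over a hypothetical AdminUser record. The 90-day window
// and the last-owner guard are assumptions, not checklist requirements.

type AdminRole = "owner" | "admin" | "support";

interface AdminUser {
  id: string;
  email: string;
  role: AdminRole;
  lastLoginAt: Date | null; // null: account exists but has never signed in
  suspended: boolean;
}

interface AuditEvent {
  at: Date;
  actorId: string;
  action: "suspend_admin";
  targetId: string;
  reason: string;
}

type ReviewFlag = "ok" | "stale" | "never_logged_in" | "suspended";

interface ReviewRow {
  id: string;
  email: string;
  role: AdminRole;
  daysIdle: number | null; // null when there is no login to measure from
  flag: ReviewFlag;
}

const DAY_MS = 24 * 60 * 60 * 1000;

// Criterion 1: list every admin with access level and last-login age.
export function adminAccessReview(
  admins: AdminUser[],
  now: Date,
  staleAfterDays = 90,
): ReviewRow[] {
  return admins.map((a) => {
    const daysIdle =
      a.lastLoginAt === null
        ? null
        : Math.floor((now.getTime() - a.lastLoginAt.getTime()) / DAY_MS);
    let flag: ReviewFlag = "ok";
    if (a.suspended) flag = "suspended";
    else if (daysIdle === null) flag = "never_logged_in";
    else if (daysIdle > staleAfterDays) flag = "stale";
    return { id: a.id, email: a.email, role: a.role, daysIdle, flag };
  });
}

// Criterion 2: the periodic review's output, i.e. the accounts a human must decide on.
export function needsReview(rows: ReviewRow[]): string[] {
  return rows
    .filter((r) => r.flag === "stale" || r.flag === "never_logged_in")
    .map((r) => r.id);
}

// Criterion 3: suspension is an application operation, not a DB edit. It is
// idempotent, writes an audit record, and refuses to lock the organisation out
// by suspending the only active owner (assumed guard). Returns a new list.
export function suspendAdmin(
  admins: AdminUser[],
  audit: AuditEvent[],
  actorId: string,
  targetId: string,
  reason: string,
  now: Date,
): AdminUser[] {
  const target = admins.find((a) => a.id === targetId);
  if (target === undefined) throw new Error(`unknown admin ${targetId}`);
  if (target.suspended) return admins;
  const activeOwners = admins.filter((a) => a.role === "owner" && !a.suspended);
  if (target.role === "owner" && activeOwners.length <= 1) {
    throw new Error("refusing to suspend the last active owner");
  }
  audit.push({ at: now, actorId, action: "suspend_admin", targetId, reason });
  return admins.map((a) => (a.id === targetId ? { ...a, suspended: true } : a));
}

// Constructed sample data (not real accounts) for a review run on 2024-06-01.
export const REVIEW_DATE = new Date("2024-06-01T00:00:00Z");
export const SAMPLE_ADMINS: AdminUser[] = [
  { id: "u1", email: "cto@example.com", role: "owner", lastLoginAt: new Date("2024-05-30T09:00:00Z"), suspended: false },
  { id: "u2", email: "contractor@example.com", role: "admin", lastLoginAt: new Date("2023-11-02T14:20:00Z"), suspended: false },
  { id: "u3", email: "new-hire@example.com", role: "support", lastLoginAt: null, suspended: false },
  { id: "u4", email: "former-ops@example.com", role: "admin", lastLoginAt: new Date("2024-01-15T08:00:00Z"), suspended: true },
];

const review = adminAccessReview(SAMPLE_ADMINS, REVIEW_DATE);
console.log(review);
console.log("needs review:", needsReview(review));
```

On the sample data the contractor account (no login for 211 days) and the never-used support account are the two rows the reviewer has to decide on; the already-suspended account is listed but not re-flagged. Suspending through suspendAdmin leaves the audit trail that "Evidence to capture" asks for, and the guard is the kind of safety that makes removal easy rather than dangerous.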

Cross-reference with:

  • ACCESS-001 (tiered access model)
  • ACCESS-002 (minimal production access)

Ask user:

  • Can you list all admin users and when they last logged in?
  • Is there a process/schedule for reviewing admin access? (monthly, quarterly?)
  • When was the last admin access audit?
  • How do you suspend/remove admin users who shouldn't have access?

Pass criteria:

  • Can enumerate all admin users with access levels
  • Process exists (even informal) to periodically review who has admin access
  • Easy to suspend/disable users identified as no longer needing access (via UI, not DB)

Fail criteria:

  • No way to list all admin users
  • No process for periodic access review
  • Difficult or dangerous to remove admin access (requires direct DB changes)

Evidence to capture:

  • How to list admin users
  • Last audit date (if known)
  • Process for removing access
  • Any users identified as needing review

Section: 15. Admin Features (Admin & Management)