
secure-access-control

Use when writing or modifying code that ENFORCES ACCESS — authorization checks (who may do what), privileged/admin operations, or authentication (login, password handling, sessions, MFA). Ensures access is deny-by-default and least-privilege, that every authorization decision and privileged action emits an audit event (control keys `access.authz` / `access.privileged`), and that authentication uses strong password hashing and safe session handling (control key `access.authn`). The neutral control keys map to SOC 2, ISO 27001, PCI-DSS v4, and HIPAA at once via the Throughproof crosswalk (compliance/control-keys.yaml). Applies in any stack; use the project's existing auth/logger — do not invent a new framework.
Throughproof/throughproof · ★ 0 · Data & Documents · score 75
Install: claude install-skill Throughproof/throughproof
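The behaviour the description above asks for, deny-by-default authorization with one audit event per decision and per privileged action, sketched as an added Python example (not Throughproof's own code). Only the control keys `access.authz` and `access.privileged` come from the page; the event field names, the `ROLE_GRANTS` / `USER_ROLES` tables and the stdlib logger standing in for the project's existing logger are assumptions.

```python
import json
import logging

# Assumption: stands in for the project's existing logger.
audit_log = logging.getLogger("audit")

# Constructed policy: only explicit allows are listed; anything absent is denied.
ROLE_GRANTS = {
    "viewer": {("report", "read")},
    "admin": {("report", "read"), ("user", "grant_role")},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"viewer"}}  # constructed sample data


def emit(control, actor, action, resource, outcome):
    """Write one structured audit event. Field names other than the control key are assumed."""
    event = {"control": control, "actor": actor, "action": action,
             "resource": resource, "outcome": outcome}
    audit_log.info(json.dumps(event, sort_keys=True))
    return event


def authorize(actor, resource, action):
    """Deny by default: allow only if one of the actor's roles explicitly grants the pair."""
    roles = USER_ROLES.get(actor, set())  # unknown actor has no roles, so it is denied
    allowed = any((resource, action) in ROLE_GRANTS.get(r, set()) for r in roles)
    # Both outcomes are recorded, so denials are visible in the audit trail too.
    emit("access.authz", actor, action, resource, "allow" if allowed else "deny")
    return allowed


def grant_role(actor, target, role):
    """Privileged operation: gated by authorize(), then audited under access.privileged."""
    if not authorize(actor, "user", "grant_role"):
        raise PermissionError(f"{actor} may not grant roles")
    if role not in ROLE_GRANTS:
        raise ValueError(f"unknown role: {role}")
    USER_ROLES.setdefault(target, set()).add(role)
    return emit("access.privileged", actor, "grant_role", f"user:{target}:{role}", "success")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    print(authorize("bob", "report", "read"))    # explicit allow
    print(authorize("bob", "report", "delete"))  # no grant listed, so denied
    grant_role("alice", "carol", "viewer")       # emits access.authz, then access.privileged
```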
# Secure access control (`access.authz` / `access.privileged` / `access.authn`) — authoring-time guidance

> Scope: this skill helps you *implement* the technical access-control controls in code. It does
> **not** make a system "compliant" — certification is the auditor's call. It makes the code satisfy
> the control and produces machine-detectable evidence.
>
> **Framework-neutral by design.** Code emits stable Throughproof *control keys* (`access.authz`,
> `access.privileged`), not framework ids. The crosswalk resolves them to SOC 2 (`CC6.1`–`CC6.3`),
> ISO 27001 (`A.8.2` / `A.8.3` / `A.8.5`), PCI-DSS v4 (`Req 7.2` / `7.2.5` / `8.3`), and
> HIPAA (`164.312(a)(1)` / `164.308(a)(4)` / `164.312(d)`) at once.

## When this applies

Apply this skill whenever the code under edit **enforces or grants access**:

- **Authorization decision**: a check that gates an action or resource on a role, permission, ownership, or scope (`require_role`, policy check, `if not user.can(...)`).
- **Privileged / admin operation**: impersonation, granting/revoking access, changing another user's data, config or feature-flag overrides, destructive admin jobs.
- **Authentication**: login, password set/verify/reset, session/token issuance, MFA.

If the code is an ordinary, already-authorized read with no access decision, do **not** add an access event — over-logging is itself a finding.

## 1. Authorization — deny by default, least privilege

- **Deny by default.** The absence of an explicit *allow