Access Control Policy


This Access Control Policy explains the implementation and management of access control to protect the confidentiality, integrity, and availability of Redgate’s information assets.


This Policy applies to all Redgaters, contractors, suppliers, and third-party entities that have access to Redgate’s information systems and data.


Access Control

Access to systems is managed by the IT Operations team or Business System Owners, with requests for access to Restricted information requiring approval by the information owner. Elevated privileged access to critical systems requires approval by first line management and above and the Security Team.

Access to critical systems shall be audited annually.

Termination of employment

Upon notification (by the People Team) of an employee termination or departure, all access to our critical systems must be revoked within 24 hours. Access to non-critical systems will be revoked within a week.

All activities shall be confirmed against the support ticket for audit purposes.

Internal transfers/change of role

For Redgate staff transfers between departments, current employee access that is no longer required will be revoked. Appropriate access will be provisioned by the IT Operations Team based on the new role and at the request of the new Line Manager.

Identity Management

Unless there is a clear, documented business case for not doing so:

  • Access to Restricted information and/or critical systems must be from a Redgate account (or suitable security controls must be in place)
  • All user credentials must be traceable to individual employees
  • Shared access may be appropriate in some circumstances, but these credentials should be phased out wherever possible
  • Shared account information must be kept in shared credential storage, such as approved team password vaults

Authentication Information

Logical access shall require unique username/password combinations (where passwords meet our Password Policy requirements) or SSH keys (where appropriate). Multi Factor Authentication (MFA, 2FA) should be used where available.