Transaction & Function Control
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Create roles that give each user access to specific information and systems based on their role. If someone is on a project, give them a project role so they can access the systems they need for that project. If IT needs to access a machine system, they should have a role that allows it.
Example
You supervise the team that manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains FCI, you work with IT to set up your group's systems so that users can be assigned access based on their specific roles [a]. Each role limits whether an employee has read access or create/read/delete/update access [b]. Implementing this access control restricts access to FCI unless specifically authorized.
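The role setup described in this example, sketched as a deny-by-default check. This is an added illustration, not part of the referenced guidance; the role names, user names and resource names are constructed for the example.

```python
from enum import Enum

class Fn(Enum):
    CREATE = "create"
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"

# [a] The functions each role may execute are defined explicitly, per resource.
# Hypothetical roles: a read-only role, a full CRUD role, and an IT role
# that can maintain workstations but has no access to contract data.
ROLE_FUNCTIONS = {
    "contract_viewer": {"contracts": {Fn.READ}},
    "contract_manager": {"contracts": {Fn.CREATE, Fn.READ, Fn.UPDATE, Fn.DELETE}},
    "it_support": {"workstations": {Fn.READ, Fn.UPDATE}},
}

# Constructed sample assignments; "dave" holds a role that was never defined.
USER_ROLES = {
    "alice": {"contract_manager"},
    "bob": {"contract_viewer"},
    "carol": {"it_support"},
    "dave": {"legacy_admin"},
}

def is_permitted(user, resource, fn):
    """[b] Deny by default: allow only if an assigned role lists fn for resource."""
    for role in USER_ROLES.get(user, ()):
        if fn in ROLE_FUNCTIONS.get(role, {}).get(resource, ()):
            return True
    return False

def denied(requests):
    """Return the (user, resource, fn) requests that would be refused."""
    return [r for r in requests if not is_permitted(*r)]

def undefined_role_assignments():
    """Access review: users holding roles with no defined function set."""
    return sorted(
        (user, role)
        for user, roles in USER_ROLES.items()
        for role in roles
        if role not in ROLE_FUNCTIONS
    )

if __name__ == "__main__":
    sample = [("bob", "contracts", Fn.READ), ("bob", "contracts", Fn.DELETE),
              ("carol", "contracts", Fn.READ), ("alice", "contracts", Fn.UPDATE)]
    print("denied:", denied(sample))
    print("undefined roles:", undefined_role_assignments())
```

An undefined role grants nothing because of the default deny, but the review function still reports it so the stale assignment can be cleaned up.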
References
- ANSI/ISA-62443-4-1-2018, Page 29, 5.3
- NIST SP 800-171r2, Page 22: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
- NIST SP 800-162: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-162.pdf