Enforcing Access Control: NIST 800-171 in Action

As part of our journey to align with NIST SP 800-171, particularly the Access Control (3.1) family, we’ve built a detailed and flexible permission system within our SaaS platform that powers BreakEven PLUS™, FALIB™ reporting, and estimation workflows.

🔐 Role-Based Access Control (RBAC)

Each super user in our platform—typically an admin at the subscriber company—has access to a full Access Control Interface. This system allows them to grant or restrict permissions for their team, down to individual actions like:

  • Employee Management: List, Create, Edit, Delete, Import/Export employees

  • Customer/Vendor Management: Full CRUD and file access

  • File Storage: Segmented access to FALIB™, Attendance, and Sales Reports (No external files supported)

  • Estimates & Reports: Access creation, editing, and export of estimates and critical business reports

  • Settings & Configuration: Fine-grained control over invoice formats, work orders, job costing, etc.

These actions are bound to user roles, logged, and auditable.
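To make the role-binding concrete, here is an added example (not SERVVIAN code, and not the platform's actual implementation) of a default-deny RBAC model whose permission vocabulary mirrors the module/action list above. Role names such as "estimator", user names and the admin account are assumptions; the permission-change log reflects the post's later note that permission changes are recorded.

```python
"""Added example (not SERVVIAN code): a default-deny RBAC model.

Permissions are (module, action) pairs mirroring the Access Control
Interface described above; role and user names are assumed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Action vocabulary per module, taken from the post's bullet list.
MODULE_ACTIONS = {
    "employees": {"list", "create", "edit", "delete", "import", "export"},
    "customers": {"list", "create", "edit", "delete", "files"},
    "file_storage": {"falib", "attendance", "sales_reports"},
    "estimates": {"create", "edit", "export"},
    "settings": {"invoice_format", "work_orders", "job_costing"},
}


@dataclass
class AccessControl:
    super_users: set = field(default_factory=set)      # admins at the subscriber
    roles: dict = field(default_factory=dict)          # role -> {(module, action)}
    assignments: dict = field(default_factory=dict)    # user -> {role}
    change_log: list = field(default_factory=list)     # every permission change

    def _require_super(self, actor):
        # Only a super user may alter permissions.
        if actor not in self.super_users:
            raise PermissionError(f"{actor} may not change permissions")

    @staticmethod
    def _validate(module, action):
        # Reject permissions outside the known vocabulary so a typo
        # cannot silently create a grant nothing ever enforces.
        if action not in MODULE_ACTIONS.get(module, ()):
            raise ValueError(f"unknown permission {module}:{action}")

    def _record(self, actor, change, **detail):
        self.change_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "change": change, **detail,
        })

    def grant(self, actor, role, module, action):
        self._require_super(actor)
        self._validate(module, action)
        self.roles.setdefault(role, set()).add((module, action))
        self._record(actor, "GRANT", role=role, module=module, action=action)

    def revoke(self, actor, role, module, action):
        self._require_super(actor)
        self.roles.get(role, set()).discard((module, action))
        self._record(actor, "REVOKE", role=role, module=module, action=action)

    def assign_role(self, actor, user, role):
        self._require_super(actor)
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.assignments.setdefault(user, set()).add(role)
        self._record(actor, "ASSIGN", user=user, role=role)

    def is_allowed(self, user, module, action) -> bool:
        # Default deny: allowed only if one of the user's roles holds the pair.
        if user in self.super_users:
            return True
        return any((module, action) in self.roles.get(r, ())
                   for r in self.assignments.get(user, ()))

    def authorize(self, user, module, action):
        # Enforcement point for request handlers; raises instead of returning.
        if not self.is_allowed(user, module, action):
            raise PermissionError(f"{user} denied {module}:{action}")


def demo() -> AccessControl:
    # Constructed scenario: an admin grants an estimator role without export rights.
    ac = AccessControl(super_users={"admin"})
    ac.grant("admin", "estimator", "estimates", "create")
    ac.grant("admin", "estimator", "estimates", "edit")
    ac.assign_role("admin", "bob", "estimator")
    return ac


if __name__ == "__main__":
    ac = demo()
    print(ac.is_allowed("bob", "estimates", "create"))   # True
    print(ac.is_allowed("bob", "estimates", "export"))   # False
```

The two design points worth copying are that every check falls through to deny unless a role explicitly holds the exact (module, action) pair, and that grants outside the known vocabulary are rejected rather than stored, so the permission screen and the enforcement code cannot drift apart.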

🔍 Built-In Audit Traceability

Beyond access control, BreakEven PLUS™ provides detailed, field-level audit logging across financial and operational modules.

Each logged event includes:

  • Timestamp (date and time)

  • User identity

  • Module or model affected

  • Action performed (INSERT, UPDATE, etc.)

  • IP address

  • Device ID

  • Request ID

  • User agent (browser/device fingerprint)

  • System-generated message summary

Field-Level Change Tracking

When financial configurations or reporting values are modified, the system captures:

Field               Old Value   New Value
Hourly sell rate    56.89       62.59
Total profits       9607.53     106739.60
Profit fee markup   1.00        11.11

Audit Details

Date              [Date & Time]
User              [User Name]
Affected User     [Impacted User or N/A]
Module / Model    [Module Name]
Action            [INSERT / UPDATE / DELETE]
IP Address        [IP Address]
User Agent        [Browser / Device Information]
Request ID        [Request ID]
Device ID         [Device ID]

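As an added example (not SERVVIAN code, and not the platform's own logging implementation), the following shows how the field-level change tracking and the audit fields listed above fit together: a diff of old versus new values is wrapped in one record carrying timestamp, user, affected user, module, action, IP address, device ID, request ID, user agent and a generated summary. The field names, request context and sample values are constructed; the numbers are the ones from the table above.

```python
"""Added example (not SERVVIAN code): field-level change tracking that emits
an audit event carrying the fields listed above. Field names, the request
context and the sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Optional
import json


@dataclass(frozen=True)
class RequestContext:
    # Per-request attributes every audit entry must carry.
    user: str
    ip_address: str
    device_id: str
    request_id: str
    user_agent: str
    affected_user: Optional[str] = None


def _render(value):
    # Store values as strings so Decimal money fields survive JSON intact.
    return None if value is None else str(value)


def diff_fields(old: dict, new: dict) -> list:
    """Return one {field, old_value, new_value} entry per changed field."""
    changes = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name), new.get(name)
        if before != after:
            changes.append({"field": name,
                            "old_value": _render(before),
                            "new_value": _render(after)})
    return changes


def build_audit_event(ctx: RequestContext, module: str, old: dict, new: dict,
                      now: Optional[datetime] = None) -> dict:
    """Assemble one audit record; INSERT/UPDATE/DELETE is derived from old/new."""
    if not old:
        action = "INSERT"
    elif not new:
        action = "DELETE"
    else:
        action = "UPDATE"
    changes = diff_fields(old, new)
    stamp = (now or datetime.now(timezone.utc)).isoformat()   # always UTC
    return {
        "timestamp": stamp,
        "user": ctx.user,
        "affected_user": ctx.affected_user or "N/A",
        "module": module,
        "action": action,
        "ip_address": ctx.ip_address,
        "device_id": ctx.device_id,
        "request_id": ctx.request_id,
        "user_agent": ctx.user_agent,
        "message": f"{ctx.user} performed {action} on {module}: "
                   f"{len(changes)} field(s) changed",
        "changes": changes,
    }


def to_jsonl(event: dict) -> str:
    # One line per event suits an append-only log that is shipped elsewhere.
    return json.dumps(event, sort_keys=True)


# Constructed sample: the job-costing change shown in the table above.
SAMPLE_CTX = RequestContext(user="jane.admin", ip_address="203.0.113.10",
                            device_id="dev-7f3a", request_id="req-0c1d",
                            user_agent="Mozilla/5.0 (example)")
SAMPLE_OLD = {"hourly_sell_rate": Decimal("56.89"),
              "total_profits": Decimal("9607.53"),
              "profit_fee_markup": Decimal("1.00"), "currency": "USD"}
SAMPLE_NEW = {"hourly_sell_rate": Decimal("62.59"),
              "total_profits": Decimal("106739.60"),
              "profit_fee_markup": Decimal("11.11"), "currency": "USD"}


def demo() -> dict:
    return build_audit_event(SAMPLE_CTX, "JobCosting", SAMPLE_OLD, SAMPLE_NEW,
                             now=datetime(2025, 5, 30, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(to_jsonl(demo()))
```

Unchanged fields (the currency here) are deliberately left out of the record so an assessor reading the log sees only what actually moved, and money values are carried as Decimal strings rather than floats so the logged "56.89" is exactly what the user saw.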
🔎 Compliance-Aligned, Scope-Controlled

While we do not position BreakEven PLUS™ as a CUI processing environment, our security model reflects best practices aligned with federal standards such as NIST SP 800-171 — particularly in access restriction, least privilege, and audit accountability.

This approach gives subscribers:

  • Reduced regulatory exposure

  • Clear separation from CUI environments

  • Strong internal governance

  • Audit-ready operational discipline

🎯 Why This Matters

For modules handling sensitive information—like FALIB™, Sales Reports, or Estimates tied to federal bids—granular access is not just a convenience. It’s a compliance mandate.

By embedding NIST-aligned access control practices into your estimation stack, you’re:

  • Protecting Controlled Unclassified Information (CUI)

  • Reducing internal risk via least privilege

  • Ensuring auditability for future assessments or DFARS/CMMC obligations


✅ Pro Tip for Subscribers

Admins should periodically review user permissions, especially before enabling export features in reports or FALIB™. Our system logs all permission changes for full traceability.

Posted 05-30-2025 by SERVVIAN®