It is important that access rights for users are based on a defined policy. This should consider factors such as the security requirements of individual applications, the need to know principle, classification of information and relevant legislation.