A security strategy for controlling user access to manage security risks across interconnected systems in on-premise and off-premise networks. It is based on the concept of what a user can access based on organizational policies and responsibilities.