AC-2 (7) - Privileged User Accounts

Control requirements

AC-2 (7) (a)

Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme].

AC-2 (7) (b)

Monitor privileged role or attribute assignments.

AC-2 (7) (c)

Monitor changes to roles or attributes.

AC-2 (7) (d)

Revoke access when privileged role or attribute assignments are no longer appropriate.

NIST supplemental guidance

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.