AC-2 (7) - Role-based Schemes
Control requirements
The organization:
- AC-2 (7) (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
- AC-2 (7) (b) Monitors privileged role assignments; and
- AC-2 (7) (c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.
Implementation guidance
See the resources that follow to learn more about how to implement this control.
NIST supplemental guidance
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.