AC-2(7): Role-Based Schemes

Control Family:

Access Control

Baselines:

(Not part of any baseline)

Next Version:

Control Statement

The organization:

  1. Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
  2. Monitors privileged role assignments; and
  3. Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

Supplemental Guidance

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.
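As an added illustration (not part of NIST's text or this page), the three items of the control in a small Python model: privileges are reachable only through named privileged roles, a monitoring step flags assignments that are no longer appropriate, and a revoke step acts on them. The role names follow the guidance's examples; the permission strings, the review criteria (inactive user, expired grant, self-approval), and the sample users are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Privileged roles named after the examples in the supplemental guidance;
# the permission strings inside them are constructed placeholders.
PRIVILEGED_ROLES = {
    "key_management": {"kms:rotate", "kms:export"},
    "account_management": {"iam:create_user", "iam:reset_password"},
    "system_administration": {"os:root_shell", "os:patch"},
    "database_administration": {"db:grant", "db:backup"},
    "web_administration": {"web:deploy", "web:config"},
}

@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str
    approved_by: str
    expires: date  # assumption: every privileged assignment is time-bounded

def permissions_for(assignments, user):
    """Privileges are reached only through roles, never granted directly."""
    return set().union(*(PRIVILEGED_ROLES[a.role] for a in assignments if a.user == user))

def review_assignments(assignments, active_users, today):
    """Item 2, monitoring: (assignment, reason) for each one no longer appropriate."""
    findings = []  # the criteria below are constructed, not taken from NIST
    for a in assignments:
        if a.user not in active_users:
            findings.append((a, "user no longer active"))
        elif a.expires < today:
            findings.append((a, "assignment expired"))
        elif a.approved_by == a.user:
            findings.append((a, "self-approved"))
    return findings

# Constructed sample data: dave has left, bob's grant lapsed, carol self-approved.
ASSIGNMENTS = [
    RoleAssignment("alice", "database_administration", "cso", date(2030, 1, 1)),
    RoleAssignment("bob", "key_management", "cso", date(2020, 1, 1)),
    RoleAssignment("carol", "web_administration", "carol", date(2030, 1, 1)),
    RoleAssignment("dave", "account_management", "cso", date(2030, 1, 1)),
]
ACTIVE_USERS = {"alice", "bob", "carol"}
REVIEW_DATE = date(2025, 6, 1)

def run_review(today=REVIEW_DATE):
    """Item 3, one organization-defined action: revoke every flagged assignment."""
    findings = review_assignments(ASSIGNMENTS, ACTIVE_USERS, today)
    flagged = {a for a, _ in findings}
    return findings, [a for a in ASSIGNMENTS if a not in flagged]
```

In a real deployment the active-user set would come from the HR or identity source of record and the findings would feed a ticket or alert rather than an immediate revoke, but the separation of scheme, monitoring, and action is the same.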