AC-2(7): Privileged User Accounts
Control Family:
Parent Control:
Threats Addressed:
Baselines:
(Not part of any baseline)
Previous Version:
- NIST Special Publication 800-53 Revision 4:
  - AC-2(7): Role-Based Schemes
Control Statement
- Establish and administer privileged user accounts in accordance with [Assignment: a role-based access scheme, an attribute-based access scheme];
- Monitor privileged role or attribute assignments;
- Monitor changes to roles or attributes; and
- Revoke access when privileged role or attribute assignments are no longer appropriate.
Supplemental Guidance
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
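As an added illustration (not part of NIST SP 800-53), the following reconciliation check implements items (b) to (d) of the control statement for both schemes the guidance contrasts: a role-based scheme (an authorized-holder list per privileged role), an attribute-based scheme (a holder keeps the role only while the required attributes hold), and a digest of the scheme itself so changes to roles or attributes are detectable. All roles, users, attributes and the assignment snapshot are constructed sample data.

```python
import hashlib
import json

# Constructed role-based scheme: privileged roles and their authorized holders.
AUTHORIZED = {
    "key_management": {"alice"},
    "database_admin": {"bob", "carol"},
    "system_admin": {"alice", "dave"},
}
# Constructed attribute-based scheme: a holder must keep these attributes.
ABAC_RULES = {"database_admin": {"team": "dba", "status": "active"}}
USER_ATTRS = {
    "bob": {"team": "dba", "status": "active"},
    "carol": {"team": "dba", "status": "terminated"},  # no longer appropriate
}
# Constructed snapshot of current assignments (e.g. a directory group export).
CURRENT = {
    "key_management": {"alice", "eve"},   # eve was never authorized
    "database_admin": {"bob", "carol"},
    "system_admin": {"alice", "dave"},
    "web_admin": {"mallory"},             # role missing from the scheme
}

def reconcile_rbac(authorized, current):
    """Assignments outside the role-based scheme; returns (revoke, unknown_roles)."""
    revoke, unknown = [], []
    for role, members in sorted(current.items()):
        if role not in authorized:
            unknown.append(role)
            revoke.extend((role, u) for u in sorted(members))
        else:
            revoke.extend((role, u) for u in sorted(members - authorized[role]))
    return revoke, unknown

def reconcile_abac(rules, user_attrs, current):
    """Holders whose attributes no longer satisfy the role's requirements."""
    revoke = []
    for role, required in sorted(rules.items()):
        for user in sorted(current.get(role, ())):
            attrs = user_attrs.get(user, {})
            if any(attrs.get(k) != v for k, v in required.items()):
                revoke.append((role, user))
    return revoke

def scheme_digest(scheme):
    """Canonical SHA-256 of a scheme so changes to roles or attributes are detectable."""
    canon = json.dumps(scheme, sort_keys=True, default=sorted)
    return hashlib.sha256(canon.encode()).hexdigest()
```

Running both reconcilers over the snapshot yields the revocation list for (d); storing `scheme_digest(AUTHORIZED)` and comparing it on each run covers (c).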