IBM Cloud Docs
AC-2 (7) - Role-based Schemes

Control requirements

The organization:

AC-2 (7) (a)
Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;
AC-2 (7) (b)
Monitors privileged role assignments; and
AC-2 (7) (c)
Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

NIST supplemental guidance

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. These privileged roles include, for example, key management, account management, network and system administration, database administration, and web administration.