CCI-002169
CCI-002169 Definition
| Status | |
| Type | CheckType.technical |
Master Assessment Datasheet
Implementation Guidance
Determine if:
- a role-based access control policy is enforced over defined subjects.
- a role-based access control policy is enforced over defined objects.
- access is controlled based on [AC-03(07)_ODP[01]; roles upon which to base control of access are defined] and [AC-03(07)_ODP[02]; users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined].
Validation Procedures
Examine: [SELECT FROM: Access control policy; role-based access control policies; procedures addressing access enforcement; system design documentation; system configuration settings and associated documentation; list of roles, users, and associated privileges required to control system access; system audit records; system security plan; privacy plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities; system/network administrators; organizational personnel with information security and privacy responsibilities; system developers].

Test: [SELECT FROM: Mechanisms implementing role-based access control policy].