Navigate

AC-24 (2)

AC-24 (2): No User Or Process Identity

The information system enforces access control decisions based on [Assignment: organization-defined security attributes] that do not include the identity of the user or process acting on behalf of the user.

Supplemental

In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-24 (2).

Control	Description
No controls

Enhancements

The controls below (if any) add on to the requirements of AC-24 (2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-24 (2).

CCI	Definition
CCI-002354	The organization defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.
CCI-002355	The information system enforces access control decisions based on organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.