AC.L2-3.1.6—Non-Privileged Account Use
Level 2
800-171: 3.1.6
Control Description
Use non-privileged accounts or roles when accessing nonsecurity functions.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- Which functions have you identified as nonsecurity functions (for example email, web browsing, document editing), and where is that determination documented?
- What policy requires users who hold a privileged account or role to use a separate non-privileged account or role for nonsecurity functions?
- How are privileged accounts or roles requested, approved, and provisioned, and who confirms that each privileged user also has a non-privileged account for day-to-day work?
- Who periodically reviews that privileged accounts and roles are used only for security functions, and how are findings handled?
Technical Implementation:
- How are privileged and non-privileged accounts distinguished (separate accounts, a naming convention, role switching such as sudo, or a privileged access management tool)?
- What technical controls keep privileged accounts away from nonsecurity functions (for example no mailbox or web proxy access for admin accounts, or denying them interactive logon to end-user workstations)?
- Where access is role-based, how does a change of role change the authorizations of both the user and the processes acting on the user's behalf?
- What audit logging records use of privileged accounts and roles, and how would you detect a privileged account being used for a nonsecurity function?
Evidence & Documentation:
- What documentation lists the identified nonsecurity functions and the policy on non-privileged account use?
- What account inventories show the pairing of privileged and non-privileged accounts for each administrator?
- What access request and approval records can you show for privileged accounts or roles?
- What configuration exports or screenshots show the restrictions applied to privileged accounts?
- What audit logs or review records demonstrate that privileged accounts are used only for security functions?
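One way to back the logging question with a concrete check, as an added example that is not part of this page or of any assessment guide: a small Python checker that scans Linux auth-log style lines for a privileged account being used for a nonsecurity function. Everything it relies on is an assumption for illustration: privileged accounts carry a hypothetical "-adm" suffix, the set of nonsecurity programs stands in for the organization's own identified list (assessment objective [a]), workstation hostnames are assumed to start with "ws", and every log line is constructed.

```python
import re

# Assumed naming convention (hypothetical): privileged accounts end in "-adm".
PRIVILEGED_SUFFIX = "-adm"

# Assumed list of identified nonsecurity functions (hypothetical; in practice this
# is the organization's own list produced for the control). These are programs a
# privileged account has no reason to run.
NONSECURITY_PROGRAMS = {
    "/usr/bin/firefox",
    "/usr/bin/thunderbird",
    "/usr/bin/libreoffice",
}

# Assumed hostname pattern for end-user workstations (hypothetical).
WORKSTATION_RE = re.compile(r"^ws\d+$")

# sudo log line: records the invoking account, the host and the command.
SUDO_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)"
)
# sshd accepted-login line: records an interactive logon to a host.
SSHD_RE = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from"
)


def is_privileged(user: str) -> bool:
    return user.endswith(PRIVILEGED_SUFFIX)


def check_line(line: str):
    """Return a finding string if the line shows a privileged account used for a
    nonsecurity function, otherwise None."""
    m = SUDO_RE.match(line)
    if m:
        if is_privileged(m["user"]) and m["cmd"] in NONSECURITY_PROGRAMS:
            return (f"{m['user']} ran nonsecurity program {m['cmd']} "
                    f"via sudo on {m['host']}")
        return None
    m = SSHD_RE.match(line)
    if m and is_privileged(m["user"]) and WORKSTATION_RE.match(m["host"]):
        # An admin account logging in interactively to a workstation is the
        # usual way it ends up doing email or browsing.
        return f"{m['user']} logged in interactively to workstation {m['host']}"
    return None


def find_violations(lines):
    return [v for v in (check_line(l) for l in lines) if v]


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Mar  3 09:01:12 ws07 sshd[2210]: Accepted publickey for jdoe from 10.0.5.21 port 50122 ssh2",
    "Mar  3 09:10:03 ws07 sshd[2290]: Accepted publickey for jdoe-adm from 10.0.5.21 port 50140 ssh2",
    "Mar  3 09:12:55 ws07 sudo: jdoe-adm : TTY=pts/1 ; PWD=/home/jdoe-adm ; USER=root ; COMMAND=/usr/bin/thunderbird",
    "Mar  3 09:30:00 bastion1 sshd[881]: Accepted publickey for jdoe-adm from 10.0.5.21 port 50201 ssh2",
    "Mar  3 09:31:17 bastion1 sudo: jdoe-adm : TTY=pts/0 ; PWD=/home/jdoe-adm ; USER=root ; COMMAND=/usr/sbin/visudo",
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print("FINDING:", finding)
```

The non-privileged login by jdoe and the visudo run by jdoe-adm on the bastion host produce no findings; the two ws07 events involving jdoe-adm do. In a real environment the program list would come from the identified nonsecurity functions and the events from auditd or an EDR rather than only the sudo log, since a privileged account can run a browser without sudo.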