Description: Grant a user only sufficient rights and access to perform their duties, while following a least privilege model. Considerations beyond standard rights that should be granted and monitored for applications, devices and systems-
- Governance and segregation of duties
- Policy-based access and entitlements
- Administrative access and entitlements
For access and actions beyond their normal duties, monitoring and traceability should be enforced for applications, devices and systems.
Benefit: Prevents users from having elevated privileges beyond their job role and responsibilities. Reduces the threat landscape by limiting the use of over-privileged access or invalid/obsolete accounts for the purposes of access. Detecting and automatically resolving policy-violating account access to maintain continuous compliance.
- PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- 2.1.3: Access should also be granted with the least privileges needed to complete the task.
- 2.1.4: Least privilege principles are applied to restrict both visibility and accessibility.
|Title||Define Policies and Controls to Enforce Appropriate Access|
|Technology Components||Access Management (AM)|
Identity Management (IM)
Identity Governance and Administration (IGA)
|Description||Implement application-based access controls using Role Based Access Control (RBAC), Policy Based Access Control (PBAC), and/or Application Based Access Control (ABAC), or hybrid models supported by policies and enforced by governance and compliance.|
|Pre-requisites||Define business requirements for applications and access|
Target systems must have integration and connectivity
Role and entitlement catalog has been built and populated
Approval process is defined for each role and entitlement
Attributes and policies are defined providing conditions and constraints for access
|Member Companies||ForgeRock, Okta, Omada, Ping Identity, Remediant, SailPoint, Saviynt, SecZetta, Thales|