800-53|AC-3(7)

Title

ROLE-BASED ACCESS CONTROL

Description

The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

Supplemental

Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.
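The following is an added illustration of the RBAC model the supplemental guidance describes; it is not part of NIST SP 800-53 or of the Tenable audit items listed on this page. Roles carry the privileges, users acquire privileges only by being assigned to roles, and an access decision for a user is derived from that user's roles, never from a per-user grant. All role, user and object names below are constructed for the example.

```python
from collections import defaultdict


class RBACPolicy:
    """Minimal RBAC policy: roles map to permissions, users map to roles.

    Access is decided exclusively through role membership, which is the
    property that keeps privilege administration manageable at scale.
    """

    def __init__(self):
        self.role_permissions = defaultdict(set)  # role -> {(object, operation)}
        self.user_roles = defaultdict(set)        # user -> {role}

    def define_role(self, role, permissions):
        """Create (or extend) an organization-defined role."""
        self.role_permissions[role].update(permissions)

    def assign_role(self, user, role):
        """Authorize a user to assume a role; the role must already exist."""
        if role not in self.role_permissions:
            raise ValueError(f"role {role!r} is not an organization-defined role")
        self.user_roles[user].add(role)

    def revoke_role(self, user, role):
        self.user_roles[user].discard(role)

    def effective_permissions(self, user):
        """Privileges inherited through the user's roles (none are held directly)."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def is_authorized(self, user, obj, operation):
        """Deny by default: unknown users and unassigned roles yield no access."""
        return (obj, operation) in self.effective_permissions(user)


def build_example_policy():
    """Constructed sample policy: two roles, three users (hypothetical names)."""
    policy = RBACPolicy()
    policy.define_role("db_admin", {("customer_db", "read"), ("customer_db", "write")})
    policy.define_role("analyst", {("customer_db", "read"), ("reports", "read")})
    policy.assign_role("alice", "analyst")
    policy.assign_role("carol", "analyst")
    policy.assign_role("bob", "db_admin")
    return policy


def evaluate_requests(policy, requests):
    """Evaluate (user, object, operation) requests; returns an audit-style decision list."""
    return [
        (user, obj, op, "ALLOW" if policy.is_authorized(user, obj, op) else "DENY")
        for user, obj, op in requests
    ]


if __name__ == "__main__":
    p = build_example_policy()
    sample = [("alice", "customer_db", "read"), ("alice", "customer_db", "write"),
              ("bob", "customer_db", "write"), ("mallory", "reports", "read")]
    for line in evaluate_requests(p, sample):
        print(line)
```

Changing a role's permission set changes what every user holding that role can do, and revoking a role removes the inherited privileges at once; both follow from the decision being computed from roles rather than from per-user grants.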

Reference Item Details

Category: ACCESS CONTROL

Parent Title: ACCESS ENFORCEMENT

Family: ACCESS CONTROL

Audit Items


Name | Plugin | Audit Name
1. OpenStack Compute - Policy.json - 'os_compute_api:os-cells:delete' | Unix | TNS OpenStack Nova/Compute Security Guide
1. OpenStack Identity - Policy.json - 'identity:update_domain_config' | Unix | TNS OpenStack Keystone/Identity Security Guide
1. OpenStack Networking - Policy.json - 'get_loadbalancer-agent' | Unix | TNS OpenStack Neutron/Networking Security Guide
1.2.7 Reduce the sudo timeout period | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.0.1
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v1.0.0
1.3.1 Ensure sudo is installed | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.0.1
1.3.2 Ensure filesystem integrity is regularly checked | Unix | CIS CentOS 7 v3.1.1 Server L1
1.3.2 Ensure filesystem integrity is regularly checked | Unix | CIS CentOS 7 v3.1.1 Workstation L1
1.3.2 Ensure sudo commands use pty | Unix | CIS CentOS Linux 8 Server L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Oracle Linux 7 Workstation L1 v3.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Red Hat EL8 Server L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Red Hat EL8 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.0.1
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 20.04 LTS Server L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Oracle Linux 8 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.0.1
1.3.2 Ensure sudo commands use pty | Unix | CIS Red Hat EL7 Workstation L1 v3.0.1
1.3.2 Ensure sudo commands use pty | Unix | CIS CentOS Linux 8 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Oracle Linux 7 Server L1 v3.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Ubuntu Linux 20.04 LTS Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use pty | Unix | CIS Red Hat EL7 Server L1 v3.0.1
1.3.2 Ensure sudo commands use pty | Unix | CIS Oracle Linux 8 Server L1 v1.0.0
1.3.4 Restrict sudo users to being able to access only required commands | Unix | CIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.18 Ensure IAM instance roles are used for AWS resource access from instances | amazon_aws | CIS Amazon Web Services Foundations L2 1.3.0
1.340 - Users must provide a password for privilege escalation. | Unix | Tenable Fedora Linux Best Practices v2.0.0
1.350 - Users must re-authenticate for privilege escalation. | Unix | Tenable Fedora Linux Best Practices v2.0.0
10. OpenStack Compute - Policy.json - 'os_compute_api:os-console-auth-tokens' | Unix | TNS OpenStack Nova/Compute Security Guide
10. OpenStack Identity - Policy.json - 'identity:list_access_token_roles' | Unix | TNS OpenStack Keystone/Identity Security Guide
10. OpenStack Networking - Policy.json - 'get_l3-routers' | Unix | TNS OpenStack Neutron/Networking Security Guide
100. OpenStack Compute - Policy.json - 'compute_extension:admin_actions:migrate' | Unix | TNS OpenStack Nova/Compute Security Guide
100. OpenStack Identity - Policy.json - 'identity:list_policies' | Unix | TNS OpenStack Keystone/Identity Security Guide
100. OpenStack Networking - Policy.json - 'get_subnet' | Unix | TNS OpenStack Neutron/Networking Security Guide
101. OpenStack Compute - Policy.json - 'compute:create:forced_host' | Unix | TNS OpenStack Nova/Compute Security Guide
101. OpenStack Identity - Policy.json - 'identity:list_groups' | Unix | TNS OpenStack Keystone/Identity Security Guide
101. OpenStack Networking - Policy.json - 'admin_only' | Unix | TNS OpenStack Neutron/Networking Security Guide
102. OpenStack Compute - Policy.json - 'os_compute_api:os-baremetal-nodes' | Unix | TNS OpenStack Nova/Compute Security Guide
102. OpenStack Identity - Policy.json - 'identity:list_endpoints_associated_with_endpoint_group' | Unix | TNS OpenStack Keystone/Identity Security Guide
102. OpenStack Networking - Policy.json - 'get_agent' | Unix | TNS OpenStack Neutron/Networking Security Guide
103. OpenStack Compute - Policy.json - 'os_compute_api:os-simple-tenant-usage:show' | Unix | TNS OpenStack Nova/Compute Security Guide
103. OpenStack Identity - Policy.json - 'identity:list_endpoints' | Unix | TNS OpenStack Keystone/Identity Security Guide
103. OpenStack Networking - Policy.json - 'shared_subnetpools' | Unix | TNS OpenStack Neutron/Networking Security Guide
104. OpenStack Compute - Policy.json - 'compute_extension:evacuate' | Unix | TNS OpenStack Nova/Compute Security Guide
104. OpenStack Identity - Policy.json - 'identity:update_policy' | Unix | TNS OpenStack Keystone/Identity Security Guide
104. OpenStack Networking - Policy.json - 'get_network:segments' | Unix | TNS OpenStack Neutron/Networking Security Guide
105. OpenStack Compute - Policy.json - 'os_compute_api:os-flavor-extra-specs:delete' | Unix | TNS OpenStack Nova/Compute Security Guide
105. OpenStack Identity - Policy.json - 'identity:delete_endpoint_group' | Unix | TNS OpenStack Keystone/Identity Security Guide
105. OpenStack Networking - Policy.json - 'delete_metering_label' | Unix | TNS OpenStack Neutron/Networking Security Guide
106. OpenStack Compute - Policy.json - 'os_compute_api:os-flavor-extra-specs:create' | Unix | TNS OpenStack Nova/Compute Security Guide