800-53|AC-3(7)

Title

ROLE-BASED ACCESS CONTROL

Description

The information system enforces a role-based access control policy over defined subjects and objects and controls access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

Supplemental

Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

Reference Item Details

Category: ACCESS CONTROL

Parent Title: ACCESS ENFORCEMENT

Family: ACCESS CONTROL

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1. OpenStack Compute - Policy.json - 'os_compute_api:os-cells:delete'UnixTNS OpenStack Nova/Compute Security Guide
1. OpenStack Identity - Policy.json - 'identity:update_domain_config'UnixTNS OpenStack Keystone/Identity Security Guide
1. OpenStack Networking - Policy.json - 'get_loadbalancer-agent'UnixTNS OpenStack Neutron/Networking Security Guide
1.2.7 Reduce the sudo timeout periodUnixCIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.3.1 Ensure sudo is installedUnixCIS Ubuntu Linux 20.04 LTS Server L1 v1.0.0
1.3.1 Ensure sudo is installedUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.0.1
1.3.1 Ensure sudo is installedUnixCIS Ubuntu Linux 20.04 LTS Workstation L1 v1.0.0
1.3.1 Ensure sudo is installedUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.0.1
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS CentOS 7 v3.1.1 Server L1
1.3.2 Ensure filesystem integrity is regularly checkedUnixCIS CentOS 7 v3.1.1 Workstation L1
1.3.2 Ensure sudo commands use ptyUnixCIS CentOS Linux 8 Server L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Oracle Linux 7 Workstation L1 v3.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Red Hat EL8 Server L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Ubuntu Linux 20.04 LTS Server L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.0.1
1.3.2 Ensure sudo commands use ptyUnixCIS Red Hat EL8 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Oracle Linux 8 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Red Hat EL7 Workstation L1 v3.0.1
1.3.2 Ensure sudo commands use ptyUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.0.1
1.3.2 Ensure sudo commands use ptyUnixCIS CentOS Linux 8 Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Oracle Linux 7 Server L1 v3.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Ubuntu Linux 20.04 LTS Workstation L1 v1.0.0
1.3.2 Ensure sudo commands use ptyUnixCIS Red Hat EL7 Server L1 v3.0.1
1.3.2 Ensure sudo commands use ptyUnixCIS Oracle Linux 8 Server L1 v1.0.0
1.3.4 Restrict sudo users to being able to access only required commandsUnixCIS Apple OSX 10.6 Snow Leopard L2 v1.0.0
1.18 Ensure IAM instance roles are used for AWS resource access from instancesamazon_awsCIS Amazon Web Services Foundations L2 1.3.0
1.340 - Users must provide a password for privilege escalation.UnixTenable Fedora Linux Best Practices v2.0.0
1.350 - Users must re-authenticate for privilege escalation.UnixTenable Fedora Linux Best Practices v2.0.0
10. OpenStack Compute - Policy.json - 'os_compute_api:os-console-auth-tokens'UnixTNS OpenStack Nova/Compute Security Guide
10. OpenStack Identity - Policy.json - 'identity:list_access_token_roles'UnixTNS OpenStack Keystone/Identity Security Guide
10. OpenStack Networking - Policy.json - 'get_l3-routers'UnixTNS OpenStack Neutron/Networking Security Guide
100. OpenStack Compute - Policy.json - 'compute_extension:admin_actions:migrate'UnixTNS OpenStack Nova/Compute Security Guide
100. OpenStack Identity - Policy.json - 'identity:list_policies'UnixTNS OpenStack Keystone/Identity Security Guide
100. OpenStack Networking - Policy.json - 'get_subnet'UnixTNS OpenStack Neutron/Networking Security Guide
101. OpenStack Compute - Policy.json - 'compute:create:forced_host'UnixTNS OpenStack Nova/Compute Security Guide
101. OpenStack Identity - Policy.json - 'identity:list_groups'UnixTNS OpenStack Keystone/Identity Security Guide
101. OpenStack Networking - Policy.json - 'admin_only'UnixTNS OpenStack Neutron/Networking Security Guide
102. OpenStack Compute - Policy.json - 'os_compute_api:os-baremetal-nodes'UnixTNS OpenStack Nova/Compute Security Guide
102. OpenStack Identity - Policy.json - 'identity:list_endpoints_associated_with_endpoint_group'UnixTNS OpenStack Keystone/Identity Security Guide
102. OpenStack Networking - Policy.json - 'get_agent'UnixTNS OpenStack Neutron/Networking Security Guide
103. OpenStack Compute - Policy.json - 'os_compute_api:os-simple-tenant-usage:show'UnixTNS OpenStack Nova/Compute Security Guide
103. OpenStack Identity - Policy.json - 'identity:list_endpoints'UnixTNS OpenStack Keystone/Identity Security Guide
103. OpenStack Networking - Policy.json - 'shared_subnetpools'UnixTNS OpenStack Neutron/Networking Security Guide
104. OpenStack Compute - Policy.json - 'compute_extension:evacuate'UnixTNS OpenStack Nova/Compute Security Guide
104. OpenStack Identity - Policy.json - 'identity:update_policy'UnixTNS OpenStack Keystone/Identity Security Guide
104. OpenStack Networking - Policy.json - 'get_network:segments'UnixTNS OpenStack Neutron/Networking Security Guide
105. OpenStack Compute - Policy.json - 'os_compute_api:os-flavor-extra-specs:delete'UnixTNS OpenStack Nova/Compute Security Guide
105. OpenStack Identity - Policy.json - 'identity:delete_endpoint_group'UnixTNS OpenStack Keystone/Identity Security Guide
105. OpenStack Networking - Policy.json - 'delete_metering_label'UnixTNS OpenStack Neutron/Networking Security Guide
106. OpenStack Compute - Policy.json - 'os_compute_api:os-flavor-extra-specs:create'UnixTNS OpenStack Nova/Compute Security Guide