The users that will access the system with administrator or root
privileges must be defined.
Systems should usually have a set of roles with different levels of
privilege for accessing resources.
The privileges of each role must be clearly defined and the role of each user
should also be clearly stated.
That includes the set of users that will have administrator or root privileges,
as this should not be a default role.
HIPAA Security Rules 164.308(a)(3)(i):
Workforce Security: Implement policies and procedures
to ensure that all members of its workforce have appropriate access
to electronic protected health information,
as provided under paragraph (a)(4) of this section,
and to prevent those workforce members who do not have access
under paragraph (a)(4) of this section
from obtaining access to electronic protected health information.
HIPAA Security Rules 164.310(a)(2)(iii):
Access Control and Validation Procedures: Implement procedures
to control and validate a person’s access to facilities
based on their role or function, including visitor control,
and control of access to software programs for testing and revision.
NIST 800-53 AC-2 (6)
The information system implements the following
dynamic privilege management capabilities:
[Assignment: organization-defined list
of dynamic privilege management capabilities].
NIST 800-53 AC-2 (7) a
The organization establishes and administers privileged user accounts
in accordance with a role-based access scheme
that organizes allowed information system access and privileges into roles.