R095. Define users with privileges
The users that will access the system with administrator or root privileges must be defined.
Systems should usually have a set of roles with different levels of privilege for accessing resources. The privileges of each role must be clearly defined, and the role assigned to each user should be stated just as clearly. This includes explicitly listing the set of users that will have administrator or root privileges, since that must never be a default role.
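As an added illustration that is not part of the requirement text, the Python sketch below encodes this requirement directly: each role's privileges are declared explicitly, every user must be assigned a role, a user with no assignment (or with a role that was never defined) receives no privileges rather than an implicit default, and an audit function lists who holds the administrator role. All role, user and privilege names are constructed sample data.

```python
"""Explicit role definitions with deny-by-default privilege checks and an audit
of who holds privileged roles. All roles, users and privileges are constructed
sample data (hypothetical), not taken from any real system."""

# Every role's privileges are spelled out; no role inherits anything implicitly.
ROLE_PRIVILEGES = {
    "viewer": frozenset({"read"}),
    "editor": frozenset({"read", "write"}),
    "admin": frozenset({"read", "write", "delete", "manage_users"}),
}

# Roles that count as administrator/root level and therefore need explicit listing.
PRIVILEGED_ROLES = frozenset({"admin"})

# Explicit user -> role assignments (constructed). "dave" points at a role nobody
# defined, and "eve" is not listed at all; both must end up with no privileges.
USER_ROLES = {
    "alice": "admin",
    "bob": "editor",
    "carol": "viewer",
    "dave": "superuser",
}


def privileges_for(user, user_roles=USER_ROLES, role_privileges=ROLE_PRIVILEGES):
    """Deny by default: a user with no assignment, or assigned an undefined role,
    gets an empty privilege set instead of some implicit default."""
    role = user_roles.get(user)
    return role_privileges.get(role, frozenset())


def is_allowed(user, action, user_roles=USER_ROLES, role_privileges=ROLE_PRIVILEGES):
    """Authorization decision: allowed only if the action is in the user's privileges."""
    return action in privileges_for(user, user_roles, role_privileges)


def audit_privilege_assignments(user_roles=USER_ROLES, role_privileges=ROLE_PRIVILEGES,
                                privileged_roles=PRIVILEGED_ROLES):
    """Return the explicit list of privileged users and any assignments that point
    at roles missing from the catalogue, so both can be reviewed periodically."""
    privileged = sorted(u for u, r in user_roles.items() if r in privileged_roles)
    undefined = sorted(u for u, r in user_roles.items() if r not in role_privileges)
    return {"privileged_users": privileged, "undefined_role_assignments": undefined}


if __name__ == "__main__":
    for user, action in [("alice", "manage_users"), ("bob", "delete"), ("eve", "read")]:
        print(f"{user} may {action}: {is_allowed(user, action)}")
    print(audit_privilege_assignments())
```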
  1. CWE-276: Incorrect Default Permissions. The product, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.

  2. HIPAA Security Rules 164.308(a)(3)(i): Workforce Security: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

  3. HIPAA Security Rules 164.310(a)(2)(iii): Access Control and Validation Procedures: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

  4. NIST 800-53 AC-2 (6) The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].

  5. NIST 800-53 AC-2 (7) a The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.

  6. NIST 800-53 AC-2 (7) b The organization monitors privileged role assignments.

  7. NIST 800-53 AC-2 (7) c The organization takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

  8. OWASP-ASVS v4.0.1 V4.1 General Access Control Design (4.1.4): Verify that the principle of deny by default exists whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.