
R096. Set user required privileges

This document contains the details of the security requirements related to the definition and management of access control in the organization. This requirement establishes the importance of defining the privileges each user needs in order to access the organization's sensitive information.


The privileges required by the users who will access the system must be defined.


Systems should normally define a set of roles with different levels of privilege for accessing resources. The privileges granted by each role must be clearly defined, and the role assigned to each user must be clearly stated.
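As an added illustration of the role-based scheme described above (example code written for this page, not part of the Fluid Attacks requirement or any product), a small deny-by-default model in Python. The role names, privilege pairs and user directory are constructed for the example; anything not explicitly granted by a defined role is refused, and users left without a role are surfaced for review.

```python
# Added example: each role lists the privileges it grants explicitly as
# (action, resource) pairs; anything not listed is denied.
ROLE_PRIVILEGES = {
    "viewer": {("read", "records")},
    "clerk": {("read", "records"), ("update", "records")},
    "admin": {("read", "records"), ("update", "records"),
              ("delete", "records"), ("manage", "users")},
}

# Roles whose assignments warrant periodic review (cf. NIST AC-2(7)).
PRIVILEGED_ROLES = {"admin"}

# Constructed sample user directory: user -> roles assigned to that user.
USER_ROLES = {
    "alice": {"viewer"},
    "bob": {"clerk"},
    "carol": {"admin"},
    "dave": set(),  # onboarded but never assigned a role
}


def privileges_for(user: str) -> set:
    """Union of the privileges of every role the user holds.
    A role that is assigned but never defined is a configuration
    error, so it is reported rather than silently ignored."""
    privs = set()
    for role in USER_ROLES.get(user, set()):
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"role {role!r} assigned to {user!r} is not defined")
        privs |= ROLE_PRIVILEGES[role]
    return privs


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: unknown users, users without roles and unlisted
    (action, resource) pairs all evaluate to False."""
    return (action, resource) in privileges_for(user)


def users_without_role() -> list:
    """Users whose required privileges were never stated."""
    return sorted(u for u, roles in USER_ROLES.items() if not roles)


def privileged_assignments() -> list:
    """(user, role) pairs that should be reviewed periodically and
    revoked when no longer appropriate."""
    return sorted((u, r) for u, roles in USER_ROLES.items()
                  for r in roles if r in PRIVILEGED_ROLES)
```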


  1. CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  2. CWE-306: Missing Authentication for Critical Function. The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  3. HIPAA Security Rules 164.312(a)(1): Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).

  4. HIPAA Security Rules 164.312(d): Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  5. NIST 800-53 AC-2 (6). The information system implements the following dynamic privilege management capabilities: [Assignment: organization-defined list of dynamic privilege management capabilities].

  6. NIST 800-53 AC-2 (7) a. The organization establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.

  7. NIST 800-53 AC-2 (7) b. The organization monitors privileged role assignments.

  8. NIST 800-53 AC-2 (7) c. The organization takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate.

  9. OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements (1.2.1). Verify the use of unique or special low-privilege operating system accounts for all application components, services, and servers.
