Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >Access Control
  4. >SP800-53-AC-2(7)
SP800-53-AC-2(7)Active

Privileged User Accounts

Statement

Establish and administer privileged user accounts in accordance with a role-based access scheme; an attribute-based access scheme; Monitor privileged role or attribute assignments; Monitor changes to roles or attributes; and Revoke access when privileged role or attribute assignments are no longer appropriate.

Location

Control Family
Access Control

Control Details

Identifier
SP800-53-AC-2(7)
Family
AC
Parent Control
SP800-53-AC-2

Organisation-Defined Parameters

ac-02.07_odp
a role-based access scheme; an attribute-based access scheme

Supplemental Guidance

Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.

Assessment Objective

privileged user accounts are established and administered in accordance with a role-based access scheme; an attribute-based access scheme; privileged role or attribute assignments are monitored; changes to roles or attributes are monitored; access is revoked when privileged role or attribute assignments are no longer appropriate.

No cross-framework mappings available

← Back to Access Control
Access Control147 controls
SP800-53-AC-1Policy and ProceduresSP800-53-AC-2Account ManagementSP800-53-AC-2(1)Automated System Account ManagementSP800-53-AC-2(2)Automated Temporary and Emergency Account ManagementSP800-53-AC-2(3)Disable AccountsSP800-53-AC-2(4)Automated Audit ActionsSP800-53-AC-2(5)Inactivity LogoutSP800-53-AC-2(6)Dynamic Privilege ManagementSP800-53-AC-2(7)Privileged User AccountsSP800-53-AC-2(8)Dynamic Account ManagementSP800-53-AC-2(9)Restrictions on Use of Shared and Group AccountsSP800-53-AC-2(10)Shared and Group Account Credential ChangeSP800-53-AC-2(11)Usage ConditionsSP800-53-AC-2(12)Account Monitoring for Atypical UsageSP800-53-AC-2(13)Disable Accounts for High-risk IndividualsSP800-53-AC-3Access EnforcementSP800-53-AC-3(1)Restricted Access to Privileged FunctionsSP800-53-AC-3(2)Dual AuthorizationSP800-53-AC-3(3)Mandatory Access ControlSP800-53-AC-3(4)Discretionary Access ControlSP800-53-AC-3(5)Security-relevant InformationSP800-53-AC-3(6)Protection of User and System InformationSP800-53-AC-3(7)Role-based Access ControlSP800-53-AC-3(8)Revocation of Access AuthorizationsSP800-53-AC-3(9)Controlled ReleaseSP800-53-AC-3(10)Audited Override of Access Control MechanismsSP800-53-AC-3(11)Restrict Access to Specific Information TypesSP800-53-AC-3(12)Assert and Enforce Application AccessSP800-53-AC-3(13)Attribute-based Access ControlSP800-53-AC-3(14)Individual AccessSP800-53-AC-3(15)Discretionary and Mandatory Access ControlSP800-53-AC-4Information Flow EnforcementSP800-53-AC-4(1)Object Security and Privacy AttributesSP800-53-AC-4(2)Processing DomainsSP800-53-AC-4(3)Dynamic Information Flow ControlSP800-53-AC-4(4)Flow Control of Encrypted InformationSP800-53-AC-4(5)Embedded Data TypesSP800-53-AC-4(6)MetadataSP800-53-AC-4(7)One-way Flow MechanismsSP800-53-AC-4(8)Security and Privacy Policy FiltersSP800-53-AC-4(9)Human ReviewsSP800-53-AC-4(10)Enable and Disable Security or Privacy Policy FiltersSP800-53-AC-4(11)Configuration of Security or Privacy Policy FiltersSP800-53-AC-4(12)Data Type IdentifiersSP800-53-AC-4(13)Decomposition into Policy-relevant SubcomponentsSP800-53-AC-4(14)Security or Privacy Policy Filter ConstraintsSP800-53-AC-4(15)Detection of Unsanctioned InformationSP800-53-AC-4(16)Information Transfers on Interconnected SystemsSP800-53-AC-4(17)Domain AuthenticationSP800-53-AC-4(18)Security Attribute BindingSP800-53-AC-4(19)Validation of MetadataSP800-53-AC-4(20)Approved SolutionsSP800-53-AC-4(21)Physical or Logical Separation of Information FlowsSP800-53-AC-4(22)Access OnlySP800-53-AC-4(23)Modify Non-releasable InformationSP800-53-AC-4(24)Internal Normalized FormatSP800-53-AC-4(25)Data SanitizationSP800-53-AC-4(26)Audit Filtering ActionsSP800-53-AC-4(27)Redundant/Independent Filtering MechanismsSP800-53-AC-4(28)Linear Filter PipelinesSP800-53-AC-4(29)Filter Orchestration EnginesSP800-53-AC-4(30)Filter Mechanisms Using Multiple ProcessesSP800-53-AC-4(31)Failed Content Transfer PreventionSP800-53-AC-4(32)Process Requirements for Information TransferSP800-53-AC-5Separation of DutiesSP800-53-AC-6Least PrivilegeSP800-53-AC-6(1)Authorize Access to Security FunctionsSP800-53-AC-6(2)Non-privileged Access for Nonsecurity FunctionsSP800-53-AC-6(3)Network Access to Privileged CommandsSP800-53-AC-6(4)Separate Processing DomainsSP800-53-AC-6(5)Privileged AccountsSP800-53-AC-6(6)Privileged Access by Non-organizational UsersSP800-53-AC-6(7)Review of User PrivilegesSP800-53-AC-6(8)Privilege Levels for Code ExecutionSP800-53-AC-6(9)Log Use of Privileged FunctionsSP800-53-AC-6(10)Prohibit Non-privileged Users from Executing Privileged FunctionsSP800-53-AC-7Unsuccessful Logon AttemptsSP800-53-AC-7(1)Automatic Account LockSP800-53-AC-7(2)Purge or Wipe Mobile DeviceSP800-53-AC-7(3)Biometric Attempt LimitingSP800-53-AC-7(4)Use of Alternate Authentication FactorSP800-53-AC-8System Use NotificationSP800-53-AC-9Previous Logon NotificationSP800-53-AC-9(1)Unsuccessful LogonsSP800-53-AC-9(2)Successful and Unsuccessful LogonsSP800-53-AC-9(3)Notification of Account ChangesSP800-53-AC-9(4)Additional Logon InformationSP800-53-AC-10Concurrent Session ControlSP800-53-AC-11Device LockSP800-53-AC-11(1)Pattern-hiding DisplaysSP800-53-AC-12Session TerminationSP800-53-AC-12(1)User-initiated LogoutsSP800-53-AC-12(2)Termination MessageSP800-53-AC-12(3)Timeout Warning MessageSP800-53-AC-13Supervision and Review — Access ControlSP800-53-AC-14Permitted Actions Without Identification or AuthenticationSP800-53-AC-14(1)Necessary UsesSP800-53-AC-15Automated MarkingSP800-53-AC-16Security and Privacy AttributesSP800-53-AC-16(1)Dynamic Attribute AssociationSP800-53-AC-16(2)Attribute Value Changes by Authorized IndividualsSP800-53-AC-16(3)Maintenance of Attribute Associations by SystemSP800-53-AC-16(4)Association of Attributes by Authorized IndividualsSP800-53-AC-16(5)Attribute Displays on Objects to Be OutputSP800-53-AC-16(6)Maintenance of Attribute AssociationSP800-53-AC-16(7)Consistent Attribute InterpretationSP800-53-AC-16(8)Association Techniques and TechnologiesSP800-53-AC-16(9)Attribute Reassignment — Regrading MechanismsSP800-53-AC-16(10)Attribute Configuration by Authorized IndividualsSP800-53-AC-17Remote AccessSP800-53-AC-17(1)Monitoring and ControlSP800-53-AC-17(2)Protection of Confidentiality and Integrity Using EncryptionSP800-53-AC-17(3)Managed Access Control PointsSP800-53-AC-17(4)Privileged Commands and AccessSP800-53-AC-17(5)Monitoring for Unauthorized ConnectionsSP800-53-AC-17(6)Protection of Mechanism InformationSP800-53-AC-17(7)Additional Protection for Security Function AccessSP800-53-AC-17(8)Disable Nonsecure Network ProtocolsSP800-53-AC-17(9)Disconnect or Disable AccessSP800-53-AC-17(10)Authenticate Remote CommandsSP800-53-AC-18Wireless AccessSP800-53-AC-18(1)Authentication and EncryptionSP800-53-AC-18(2)Monitoring Unauthorized ConnectionsSP800-53-AC-18(3)Disable Wireless NetworkingSP800-53-AC-18(4)Restrict Configurations by UsersSP800-53-AC-18(5)Antennas and Transmission Power LevelsSP800-53-AC-19Access Control for Mobile DevicesSP800-53-AC-19(1)Use of Writable and Portable Storage DevicesSP800-53-AC-19(2)Use of Personally Owned Portable Storage DevicesSP800-53-AC-19(3)Use of Portable Storage Devices with No Identifiable OwnerSP800-53-AC-19(4)Restrictions for Classified InformationSP800-53-AC-19(5)Full Device or Container-based EncryptionSP800-53-AC-20Use of External SystemsSP800-53-AC-20(1)Limits on Authorized UseSP800-53-AC-20(2)Portable Storage Devices — Restricted UseSP800-53-AC-20(3)Non-organizationally Owned Systems — Restricted UseSP800-53-AC-20(4)Network Accessible Storage Devices — Prohibited UseSP800-53-AC-20(5)Portable Storage Devices — Prohibited UseSP800-53-AC-21Information SharingSP800-53-AC-21(1)Automated Decision SupportSP800-53-AC-21(2)Information Search and RetrievalSP800-53-AC-22Publicly Accessible ContentSP800-53-AC-23Data Mining ProtectionSP800-53-AC-24Access Control DecisionsSP800-53-AC-24(1)Transmit Access Authorization InformationSP800-53-AC-24(2)No User or Process IdentitySP800-53-AC-25Reference Monitor