7.2.2 Access is assigned to users, including privileged users, based on:
Defined Approach Requirements
7.2.2 Access is assigned to users, including privileged users, based on:
- Job classification and function.
- Least privileges necessary to perform job responsibilities.
Customized Approach Objective
Access to systems and data is limited to only the access needed to perform job functions, as defined in the related access roles.
Defined Approach Testing Procedures
7.2.2.a Examine policies and procedures to verify they cover assigning access to users in accordance with all elements specified in this requirement. 7.2.2.b Examine user access settings, including for privileged users, and interview responsible management personnel to verify that privileges assigned are in accordance with all elements specified in this requirement. 7.2.2.c Interview personnel responsible for assigning access to verify that privileged user access is assigned in accordance with all elements specified in this requirement.
Purpose
Assigning least privileges helps prevent users without sufficient knowledge about the applicationfrom incorrectly or accidentally changing application configuration or altering its security settings. Enforcing least privilege also helps to minimize the scope of damage if an unauthorized person gains access to a user ID.
Good Practice
Access rights are granted to a user by assignment to one or several functions. Access is assigned depending on the specific user functions and with the minimum scope required for the job.
When assigning privileged access, it is important to assign individuals only the privileges they need to perform their job (the “least privileges”). For example, the database administrator or backup administrator should not be assigned the same privileges as the overall systems administrator.
Once needs are defined for user functions (per PCI DSS requirement 7.2.1), it is easy to grant individuals access according to their job classification and function by using the already created roles.
Entities may wish to consider use of Privileged Access Management (PAM), which is a method to grant access to privileged accounts only when those privileges are required, immediately revoking that access once they are no longer needed.
purpose
Ensure access rights are granted based on job classification and function.
compliance strategies
- Access provisioning workflows
- Manager approval
typical policies
- Access Request and Approval Policy
common pitfalls
- Access granted without approval
- No job function mapping
type
Process Control
difficulty
Low
key risks
- Unauthorized access
recommendations
- Automate access provisioning with workflow tools
Eligible SAQ
- SAQ-A-EP
- SAQ-B
- SAQ-B-IP
- SAQ-C
- SAQ-C-VT
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER
Your perspective on this PCI DSS requirement matters! Share your implementation experiences, challenges, or questions below. Your insights help other organizations improve their compliance journey and build a stronger security community.Comment Policy