NIST 800-171 R-3.1.2
Limit Access to Permitted Transactions and Functions
Official citation: 3.1.2
Class: core · Severity: high
Statement of the obligation — verify against source
3.1.2
What it means
Being allowed onto a system isn't the same as being allowed to do everything on it. Define what each account or account type is permitted to do — by individual account, by account type, or a combination of the two — and enforce it, so that users, and the processes acting on their behalf, can run only the transactions and functions their role requires. Authorization can also be conditioned on attributes such as time-of-day, day-of-week, and point-of-origin.
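As an added illustration (not code from NIST or from this page), the following default-deny check shows the layering the paragraph describes: a per-type allowlist of functions, per-account additions on top of it, and attribute constraints (time-of-day, day-of-week, point-of-origin) that narrow each grant. All account names, account types, function names and networks are constructed for the example.

```python
"""Illustrative authorization check for 800-171 3.1.2 (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    """Attribute limits on a grant; every field that is set must hold (AND)."""
    start: Optional[time] = None                # time-of-day window start (inclusive)
    end: Optional[time] = None                  # time-of-day window end (exclusive)
    weekdays: Optional[FrozenSet[int]] = None   # 0=Mon .. 6=Sun; None = any day
    origins: Tuple[str, ...] = ()               # permitted source CIDRs; () = any

    def violation(self, when: datetime, origin: str) -> Optional[str]:
        """Return None when all constraints hold, else a reason for the audit log."""
        if self.weekdays is not None and when.weekday() not in self.weekdays:
            return "outside permitted days"
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() < self.end):
                return "outside permitted hours"
        if self.origins:
            src = ip_address(origin)
            if not any(src in ip_network(net) for net in self.origins):
                return "origin not permitted"
        return None


@dataclass(frozen=True)
class Grant:
    functions: FrozenSet[str]           # transactions/functions this grant permits
    constraint: Constraint = Constraint()


# --- constructed sample policy (hypothetical roles, accounts and networks) ---
BUSINESS_HOURS = Constraint(start=time(8), end=time(18), weekdays=frozenset(range(5)))
CORP_ONLY = Constraint(origins=("10.0.0.0/8",))

TYPE_GRANTS = {  # permissions defined by account type
    "clerk": Grant(frozenset({"invoice.read", "invoice.create"}), BUSINESS_HOURS),
    "auditor": Grant(frozenset({"invoice.read", "ledger.read"})),
    "admin": Grant(frozenset({"user.create", "user.disable"}), CORP_ONLY),
}
ACCOUNT_TYPE = {"alice": "clerk", "bob": "auditor", "carol": "admin"}
ACCOUNT_GRANTS = {  # per-account additions layered on the type grant
    "alice": Grant(frozenset({"invoice.approve"}), Constraint(origins=("10.1.0.0/16",))),
}


def authorize(account: str, function: str, when_iso: str, origin: str):
    """Default-deny decision. Returns (allowed, reason) so every outcome is loggable."""
    when = datetime.fromisoformat(when_iso)
    acct_type = ACCOUNT_TYPE.get(account)
    if acct_type is None:
        return False, "unknown account"
    candidates = [g for g in (TYPE_GRANTS.get(acct_type), ACCOUNT_GRANTS.get(account)) if g]
    reasons = []
    for grant in candidates:
        if function not in grant.functions:
            continue
        why = grant.constraint.violation(when, origin)
        if why is None:
            return True, "permitted"   # some grant lists it and its attributes hold
        reasons.append(why)
    if reasons:
        return False, "; ".join(reasons)  # listed, but an attribute limit failed
    return False, "function not permitted for account"


if __name__ == "__main__":
    # 2024-01-08 is a Monday; 2024-01-13 is a Saturday (constructed timestamps)
    for args in [("alice", "invoice.create", "2024-01-08T10:00", "10.1.2.3"),
                 ("alice", "invoice.create", "2024-01-13T10:00", "10.1.2.3"),
                 ("alice", "invoice.approve", "2024-01-08T10:00", "192.168.1.1"),
                 ("carol", "user.create", "2024-01-08T10:00", "203.0.113.5"),
                 ("dave", "invoice.read", "2024-01-08T10:00", "10.1.2.3")]:
        print(args, "->", authorize(*args))
```

The decision function returns a reason alongside the boolean so that denials can be logged and reviewed; the check is default-deny, so an unknown account, an unlisted function, or a failed attribute constraint all refuse the transaction rather than falling through.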
Educational reference only — not legal advice. Consult a qualified assessor or attorney for binding compliance determinations.