Manage user accounts
Summary
The system must allow superusers or system administrators to disable user accounts.
Description
This is a security measure designed to provide administrators with the capability to deactivate or disable user accounts within a system. This control is crucial for maintaining the security and integrity of the system and its data.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CIS-6_2. Establish an access revoking process
- HIPAA-164_308_a_3_ii_A. Authorization or supervision (addressable)
- NERC CIP-004-6_R5. Access revocation
- SOC2®-CC6_2. Logical and physical access controls
- MITRE ATT&CK®-M1018. User account management
- MITRE ATT&CK®-M1026. Privileged account management
- HITRUST CSF-01_c. Privilege management
- ISA/IEC 62443-IAC-1_3. Account management
- ISA/IEC 62443-CR-2_1-RE_3. Permission mapping to roles
- MVSP-4_2. Operational controls - Logical access
- OWASP SCP-5. Access control
- PCI DSS-2_2_2. System components are configured and managed securely
- PCI DSS-8_2_4. User identification for users and administrators are strictly managed
- SANS 25-11. Missing authorization
- OWASP MASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- CWE TOP 25-862. Missing authorization
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.