AC-24

Access Control Decisions

Access Control (AC)
Baselines
Low · Not included
Moderate · Not included
High · Not included
Description

[assignment] to ensure [assignment] are applied to each access request prior to access enforcement.

Discussion

Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.

Implementation guidance

No content available.

CSF 2.0 crosswalk
PR.AA-05 · Protect · Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties