System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed.
System owners determine the access control models used for which types of users.
Specification
System owners may decide to use Discretionary Access Control (DAC) for most end-users, as is customary in environments such as Office 365 where end-users themselves determine who has access to what.
It is recommended to allow only Role-Based Access Control (RBAC) for more sensitive access. A user's authorisations are then derived from the role(s) assigned to that user, not granted individually.
ISO 27001 & 27002:2022
A5.2, A5.3, A5.15, A5.16, A5.17, A5.18, A6.5, A8.2, A8.3, A8.4, A8.5
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
ID.02 Access rights administration