AC-6(4) Least Privilege | Separate Processing Domains

Control

Provide separate processing domains to enable finer-grained allocation of user privileges.

Discussion

Providing separate processing domains for finer-grained allocation of user privileges includes using virtualization techniques to permit additional user privileges within a virtual machine while restricting privileges to other virtual machines or to the underlying physical machine, implementing separate physical domains, and employing hardware or software domain separation mechanisms.

Related Controls

AC-4, SC-2, SC-3, SC-30, SC-32, SC-39