When an administrator or power user leaves or changes jobs, promptly remove their privileges. Start by disabling the account, then unassign it from privileged roles to prevent accidental reactivation and to ensure that only authorized accounts retain privileged access. This also allows other administrators to verify quickly that only legitimate accounts have privileged roles.
When decommissioning a privileged user or when an administrator leaves their position, follow this procedure:
Excluding disabled accounts from privileged roles prevents accidental reactivation and simplifies user management by reducing the number of assignees to these critical roles.
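One way to audit for this condition, as an added example that is not part of the original page or of any product's own code: it joins an exported inventory of accounts, groups and privileged role assignments and reports every disabled account that still holds a role. The inventory layout and every name in it are constructed, and the example goes one step beyond the text by also following group-based assignments, on the assumption that roles can be granted through nested groups.

```python
# Added example: the inventory layout and all names below are constructed.
ACCOUNTS = {            # account -> enabled?
    "alice": True,
    "bob": False,       # disabled, still assigned directly
    "carol": False,     # disabled, reaches a role through nested groups
    "dave": False,      # disabled, holds no privileged role: not a finding
}
GROUPS = {              # group -> members (accounts or other groups)
    "tier0-admins": ["alice", "ops-leads"],
    "ops-leads": ["carol", "tier0-admins"],   # deliberate membership cycle
}
ROLE_ASSIGNMENTS = {    # privileged role -> assignees (accounts or groups)
    "directory-admin": ["alice", "bob"],
    "security-admin": ["tier0-admins"],
}


def expand(principal, groups, seen=None):
    """Return the accounts behind a principal, following nested groups once."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # a plain account
    if principal in seen:
        return set()                # already visited: break the cycle
    seen.add(principal)
    accounts = set()
    for member in groups[principal]:
        accounts |= expand(member, groups, seen)
    return accounts


def disabled_privileged(accounts, groups, role_assignments):
    """List (account, role, via) for disabled accounts still holding a role."""
    findings = set()
    for role, assignees in role_assignments.items():
        for assignee in assignees:
            via = assignee if assignee in groups else "direct"
            for account in expand(assignee, groups):
                # Only accounts known to be disabled are flagged; principals
                # missing from the inventory are left for a separate check.
                if accounts.get(account) is False:
                    findings.add((account, role, via))
    return sorted(findings)


if __name__ == "__main__":
    for account, role, via in disabled_privileged(ACCOUNTS, GROUPS, ROLE_ASSIGNMENTS):
        print(f"{account}: disabled but assigned to {role} ({via})")
```

The `via` field tells the reviewer whether to remove a direct assignment or a group membership.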
Name: Disabled Account Assigned to Privileged Role
Codename: DISABLED-ACCOUNT-ASSIGNED-TO-PRIVILEGED-ROLE
Severity: Low