Preventing nonprivileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Nonprivileged users are individuals that do not possess appropriate authorizations.
One method to meet this requirement is to separate APIs into roles and functions to limit access based on need.
Check
Review access controls for API privileged features and functions (administrative operations, configuration management, data modification, and access to sensitive information).
If unauthorized users can access any of these privileged capabilities, this is a finding.
Fix
Build or configure the API to Implement and enforce access controls that restrict privileged API features and functions (administrative actions, configuration changes, data modification, and sensitive data access) to authorized users only.