ISM-2048 | ASD Information Security Manual (ISM)

Restrict Non-Admins from Changing Permissions

Non-admin users can't change their own permissions or privileges in software with multiple user roles.


Plain language

This control means that people who aren't administrators shouldn't be able to change their own permissions in software that has different user roles. It's important because if non-administrators could change their own permissions, they might get access to sensitive information they shouldn't see.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Where software supports multiple user roles, non-administrative users are prevented from altering their profile permissions or privileges.

Why it matters

If non-admin users can alter their own permissions, they may self-escalate privileges, access restricted data, and tamper with system settings, causing a breach or outage.


Operational notes

Verify non-admin roles cannot edit their own role memberships or privileges; routinely review access controls and test that permission-change functions are restricted to administrators.


Implementation tips

  • Business owners should ensure that their IT provider configures software with strict user roles. This means only administrators can change permissions, which limits the risk of unauthorised access.
  • The IT team should review user roles and permissions regularly to ensure only those with administrative duties have the ability to adjust permissions. They can do this by accessing the user management settings in each system.
  • Office managers should coordinate with IT to conduct training sessions for staff members about the importance of role-based access. Make sure everyone understands who can change permissions and why certain restrictions are in place.
  • System administrators should implement logging and monitoring to track any changes to user permissions. Use security features in the software to set up alerts for any unauthorised changes.
  • HR managers should collaborate with IT to ensure that when staff roles change, their access permissions are updated immediately. Use a checklist process during onboarding and offboarding to guarantee the right permissions are in place for each user role.
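The operational note and the implementation tips above describe the check and the logging in words. The following is an added example written for this page, not code from Control Stack, ASD or any particular product: a permission-change function in Python that enforces the control on the server side (the decision rests on the actor's role as held by the server, never on anything the client claims) and records every attempt, allowed or denied, in an audit log so that refused changes can feed the alerting described in the fourth tip. The in-memory user store, the role names, the `PermissionDenied` exception and the last-administrator guard are all assumptions of the example.

```python
"""Added example: application-side enforcement of ISM-2048.

Illustrative code written for this page, not Control Stack's or ASD's own
software. Assumed: an in-memory user directory, a fixed role set and an
in-process audit log; a real system would back these with its database and SIEM.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

ADMIN_ROLE = "admin"
VALID_ROLES = {"admin", "editor", "user"}   # assumed role set for this example


class PermissionDenied(Exception):
    """Raised when a role change is refused; the refusal is still audit-logged."""


@dataclass
class Directory:
    roles: dict                        # username -> role (sample data constructed below)
    audit_log: list = field(default_factory=list)

    def _record(self, actor, target, old_role, new_role, outcome, reason):
        # Every attempt is logged, allowed or not, so reviewers can see who
        # tried to change what and alerting can fire on the denied entries.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "target": target,
            "old_role": old_role, "new_role": new_role,
            "outcome": outcome, "reason": reason,
        })

    def change_role(self, actor: str, target: str, new_role: str) -> str:
        """Change `target`'s role on behalf of `actor`; returns the new role.

        The decision uses the actor's role as stored server-side, never a
        role supplied in the request.
        """
        actor_role = self.roles.get(actor)
        old_role = self.roles.get(target)

        def deny(reason):
            self._record(actor, target, old_role, new_role, "denied", reason)
            raise PermissionDenied(reason)

        if actor_role is None or old_role is None:
            deny("unknown actor or target")
        if new_role not in VALID_ROLES:
            deny(f"invalid role {new_role!r}")
        # ISM-2048: only administrators may alter permissions or privileges.
        # This single check also blocks self-escalation by a non-admin, since
        # a non-admin is refused regardless of whose role they target.
        if actor_role != ADMIN_ROLE:
            deny("non-administrative users cannot alter permissions")
        # Availability guard (an assumption, not part of the control): an admin
        # may not demote the last remaining administrator, including themselves.
        if old_role == ADMIN_ROLE and new_role != ADMIN_ROLE:
            admins = [u for u, r in self.roles.items() if r == ADMIN_ROLE]
            if len(admins) == 1:
                deny("cannot remove the last administrator")

        self.roles[target] = new_role
        self._record(actor, target, old_role, new_role, "allowed", "")
        return new_role

    def try_change(self, actor: str, target: str, new_role: str) -> str:
        """Return 'allowed' or 'denied' instead of raising; convenient for callers."""
        try:
            self.change_role(actor, target, new_role)
            return "allowed"
        except PermissionDenied:
            return "denied"

    def denied_attempts(self) -> list:
        """Entries worth alerting on: refused changes, especially self-escalation."""
        return [e for e in self.audit_log if e["outcome"] == "denied"]


def build_sample_directory() -> Directory:
    # Constructed sample users for the demonstration.
    return Directory(roles={"alice": "admin", "bob": "user", "carol": "editor"})


if __name__ == "__main__":
    d = build_sample_directory()
    print(d.try_change("bob", "bob", "admin"))      # non-admin self-escalation: denied
    print(d.try_change("alice", "carol", "user"))   # admin-driven change: allowed
    for entry in d.audit_log:
        print(entry["outcome"], entry["actor"], "->", entry["target"], entry["reason"])
```

The single check that matters for the control is the comparison of the actor's stored role against `ADMIN_ROLE`; it is placed before any write so a refused attempt leaves the directory unchanged, and the denied log entries are the data source for the routine reviews and alerts the tips call for.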

Audit / evidence tips

  • Ask: the current list of user roles and permissions. Good: looks like a concise list with roles clearly defined and administrators identified by job title.
  • Good: shows logs with no unauthorised changes.
  • Ask: to see the procedure document or policy detailing how user roles are managed. Good: includes clear, documented procedures that match observed practices.
  • Good: shows that users are educated on their roles and responsibilities regularly.
  • Ask: evidence of regular audits or reviews of user permissions. Good: includes regularly updated audit reports with documented responses to any issues found.

Cross-framework mappings

How ISM-2048 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (3):
  • Annex A 5.15: ISM-2048 requires a specific access control outcome: non-admin users are blocked from changing their own permissions or privileges in rol...
  • Annex A 8.2: ISM-2048 requires that non-administrative users are prevented from altering their own profile permissions or privileges in software that ...
  • Annex A 8.3: ISM-2048 requires that non-administrative users cannot alter their own permissions or privileges where multiple user roles exist.

Supports (3):
  • Annex A 5.3: Annex A 5.3 requires segregation of conflicting duties so users cannot combine roles that enable misuse or bypass of oversight.
  • Annex A 5.18: Annex A 5.18 requires controlled provisioning and modification of access rights in accordance with access control rules.
  • Annex A 8.4: Annex A 8.4 requires read and write access to source code, development tools and software libraries to be appropriately managed.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
