
IAM.1.07 - Shared Account Restrictions Control Guidance

IAM.1.07 - Shared Account Restrictions

Control Statement

Where applicable, the use of generic and shared accounts to administer systems or perform critical functions is prohibited; generic user IDs are disabled or removed.

Context

Shared or generic accounts break the link between an action and the individual who performed it, so the authenticity and integrity of administrative activity cannot be assured. Anyone who obtains the credential, including someone outside the organization, could act under it, and those actions could not be easily traced back to a person.

Scope

This control applies to all systems within our production environment that are in-scope for PCI compliance.

```mermaid
graph TB
  SubGraph2Flow
  subgraph "Out-of-Scope B"
    SubGraph2Flow(System D)
  end
  SubGraph1Flow
  subgraph "Out-of-Scope A"
    SubGraph1Flow(System C)
  end
  subgraph "In-Scope for PCI"
    Node1[Payment Processing System] --> Node2[Connected-To System A]
    Node1[Payment Processing System] --> Node3[Connected-To System B]
    Node2 --> SubGraph1Flow(System C)
    Node3 --> SubGraph2Flow(System D)
  end
```



Implementation Guidance

Review and document the accounts required for a given system and disable all unnecessary accounts. Shared accounts should not be used. Where one is unavoidable, compensating controls should be applied to restore accountability, for example requiring access to the shared identity only through a named individual account and logging that use.
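The review step above, worked through as an added example (this is not GitLab's own tooling). It takes a constructed `/etc/passwd`-style inventory, the documented list of approved accounts, and a record of compensating controls for any shared account that is unavoidable, and produces a remediation plan: accounts to lock, shared accounts that are covered, and shared accounts that are approved but still lack a compensating control. The account names, the `GENERIC_PATTERNS` list, the `APPROVED` and `COMPENSATING` tables, and the sudo-group name are assumptions for the example.

```python
"""Shared/generic account review helper (added example; sample data is constructed)."""
import re
from dataclasses import dataclass, field

# Constructed /etc/passwd-style inventory; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
admin:x:1003:1003:Generic admin:/home/admin:/bin/bash
deploy:x:1004:1004:Shared deploy account:/home/deploy:/bin/bash
oldvendor:x:1005:1005:Vendor support:/home/oldvendor:/bin/bash
postgres:x:999:999:PostgreSQL:/var/lib/postgresql:/bin/bash
"""

# Name patterns that indicate a generic or shared identity rather than a person (assumed list).
GENERIC_PATTERNS = [r"^root$", r"^admin\d*$", r"^deploy$", r"^shared", r"^svc[-_]",
                    r"^test\d*$", r"^guest$", r"^vendor"]

# Output of the "review and document required accounts" step (assumed): name -> justification.
APPROVED = {
    "root": "break-glass only; no interactive login",
    "alice": "SRE on-call",
    "bob": "SRE on-call",
    "deploy": "CI deployment identity",
    "postgres": "database service account",
}

# Compensating controls recorded for unavoidable shared accounts (assumed): the shared
# identity is reached only via sudo from a personal account in the named group.
COMPENSATING = {
    "deploy": {"owner": "alice", "sudo_group": "deployers"},
}


def is_generic(name: str) -> bool:
    """True if the account name looks like a generic/shared identity."""
    return any(re.match(p, name) for p in GENERIC_PATTERNS)


def can_login(shell: str) -> bool:
    """True unless the shell is one of the conventional non-login shells."""
    return not shell.endswith(("/nologin", "/false"))


def parse_passwd(text: str) -> list:
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, gecos, _home, shell = line.split(":")
        accounts.append({"name": name, "uid": int(uid), "gecos": gecos, "shell": shell})
    return accounts


@dataclass
class Review:
    disable: list = field(default_factory=list)         # not approved -> lock
    shared_ok: list = field(default_factory=list)       # shared, with compensating controls
    shared_missing: list = field(default_factory=list)  # shared, approved, but no controls
    lock_cmds: list = field(default_factory=list)       # usermod commands to run
    sudoers_lines: list = field(default_factory=list)   # individual-identity access path
    audit_rules: list = field(default_factory=list)     # auditctl rules tagging shared-account use


def review(passwd_text: str, approved: dict, compensating: dict) -> Review:
    r = Review()
    for a in parse_passwd(passwd_text):
        name, uid, shell = a["name"], a["uid"], a["shell"]
        # System accounts that already cannot log in are outside this review.
        if uid < 1000 and name != "root" and not can_login(shell):
            continue
        if name not in approved:
            r.disable.append(name)
            r.lock_cmds.append(f"usermod -L -s /usr/sbin/nologin {name}")
            continue
        if is_generic(name):
            ctl = compensating.get(name)
            if ctl is None:
                r.shared_missing.append(name)   # approved, but accountability gap remains
                continue
            r.shared_ok.append(name)
            # Lock direct password login; the only path in is sudo from a named account.
            r.lock_cmds.append(f"usermod -L {name}")
            r.sudoers_lines.append(f"%{ctl['sudo_group']} ALL=({name}) ALL")
            # Tag every exec under the shared uid so it can be joined to the sudo log entry.
            r.audit_rules.append(
                f"-a always,exit -F arch=b64 -S execve -F euid={uid} -k shared_{name}")
    return r


if __name__ == "__main__":
    result = review(SAMPLE_PASSWD, APPROVED, COMPENSATING)
    print("disable:", result.disable)
    print("shared, covered:", result.shared_ok)
    print("shared, NO compensating control:", result.shared_missing)
    for cmd in result.lock_cmds + result.sudoers_lines + result.audit_rules:
        print(" ", cmd)
```

On the constructed data, `admin` and `oldvendor` are not in the approved list and get locked, `deploy` is a documented shared account with a sudo-group access path and an audit rule, and `root` is approved but has no compensating control recorded, which is exactly the case an auditor would ask about.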

Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Shared Account Restrictions control issue.

Examples of evidence an auditor might request to satisfy this control:

Policy Reference

Framework Mapping