Access rights should require an authorization process. The process includes naming users with favored access capabilities, providing certain access rights if needed, using authorization procedures, defining requirements for closing privileged access capabilities, and regularly reviewing those with privileged access rights. Additionally, the policy should establish specific rules to avoid using generic admin IDs and allow temporary access necessary to enact approved changes. It is also important to log any favorable access to audit, not share or link favored access rights to others, and only use IDs with favorable access abilities for administrative tasks, not regular tasks. See control 5.3, also.