9.1.10.4. Least Privilege

SIMP uses the access.conf file to identify which accounts can log in to a system. After all other identification and authentication checks have passed, the PAM access.conf file is checked to ensure the user is allowed to log in. SIMP allows root and the administrators group to log in to all systems and the simp user to log in to the Puppet Server. All other users must be explicitly added to the access.conf file using the SIMP pam module.
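To audit the effect of such a policy, the following added example (not SIMP code) evaluates an access.conf the way pam_access does: the first matching rule decides, and a login that matches no rule is granted, so the check also confirms a trailing deny-all rule. The sample file, the user names alice, bob and carol, and the function names are assumptions constructed for illustration; only `ALL`, `(group)` and literal tokens are handled, not `EXCEPT`, netgroups or network origins.

```python
# Constructed sample for a Puppet Server, mirroring the policy described above.
# It is not output generated by SIMP; "alice" stands for an explicitly added user.
SAMPLE_ACCESS_CONF = """\
# permission : users/groups : origins
+ : root : ALL
+ : (administrators) : ALL
+ : simp : ALL
+ : alice : ALL
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permission, user_tokens, origin_tokens)] from access.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps the origins field whole even if it contains ':'
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def _user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):  # explicit group syntax
        return token[1:-1] in groups
    return token == user

def login_allowed(rules, user, groups=(), origin="LOCAL"):
    """First matching rule decides the outcome."""
    for perm, users, origins in rules:
        if any(_user_matches(t, user, groups) for t in users) and \
           any(o in ("ALL", origin) for o in origins):
            return perm == "+"
    return True  # no rule matched: pam_access grants access

def has_default_deny(rules):
    """True when the last rule denies every user from every origin."""
    return bool(rules) and rules[-1] == ("-", ["ALL"], ["ALL"])

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_ACCESS_CONF)
    for user, groups in [("root", []), ("carol", ["administrators"]), ("bob", ["users"])]:
        print(user, "allowed" if login_allowed(rules, user, groups) else "denied")
    print("default deny present:", has_default_deny(rules))
```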

References: AC-6 : LEAST PRIVILEGE