AC.L2-3.1.2[b] – Examine system configurations to verify that access is limited to the types of transactions and functions authorized users are permitted to execute.

This objective focuses on verifying technical enforcement of access limitations. You must demonstrate that your system configurations reflect your role-based policies and actively restrict users to only the actions and functions they’re authorized to perform.