The macOS system must require individuals to be authenticated with an individual authenticator prior to using a group authenticator.

Administrator users must never log in directly as root. To assure individual accountability and prevent unauthorized access, logging in as root over a remote connection must be disabled. Administrators must only run commands as root after first authenticating with their individual usernames and passwords.