UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Applications must enforce non-discretionary access control policies over users and resources where the policy rule set for each policy specifies: access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day).


Overview

Finding ID Version Rule ID IA Controls Severity
V-26748 SRG-APP-000035 SV-33996r1_rule Medium
Description
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority and may not be changed at the discretion of ordinary application users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. Non-discretionary access controls are employed at the application level to restrict and control access to application data thereby providing increased information security for the organization. Policy rule sets would be developed to establish that each user receives only the information to which the user is authorized. The policy rule set will specify that each application user account will be assigned attributes including information such as position, nationality, age, project, time of data, etc. Applications must enforce these non-discretionary access control policies over application users and resources.
STIG Date
Application Security Requirements Guide 2011-12-28

Details

Check Text ( None )
None
Fix Text (None)
None