
The Application Server must enforce non-discretionary access control policies over users and resources.


Overview

Finding ID: V-35739
Version: SRG-APP-000035-AS-000025
Rule ID: SV-47026r1_rule
IA Controls:
Severity: Medium
Description
Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority, and may not be changed at the discretion of ordinary application server users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. Non-discretionary access controls are employed at the application server level in order to restrict and control access to application server data and to restrict management capabilities to specific users. The policy rule set will specify that each application server user account be assigned attributes, including information such as position or role within the application server (e.g., admin, operator, deployer). It is not sufficient for these roles simply to exist within the application server; they must also be enforced.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-44082r1_chk)
Review AS product documentation and configuration to determine if role-based access controls exist. Create AS user accounts in each role and test AS functionality to verify that the controls are actually enforced. If the access controls are not enforced in accordance with the organization's policy, this is a finding.
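The check procedure above (one test account per role, every function exercised, outcome compared with policy) as an added example that is not part of the SRG or of any product: a minimal Python model of an application server whose accounts carry a role attribute, plus a checker that reports each deviation from the policy matrix as a finding, including the case where roles exist but are never consulted. The role names, operations, POLICY matrix and AppServer class are assumptions.

```python
from dataclasses import dataclass, field

# Central (non-discretionary) policy: which management operations each role
# may perform. Assumed role names and operations, standing in for the
# organization's own role and membership requirements.
POLICY = {
    "admin": {"deploy_app", "restart_server", "manage_users"},
    "operator": {"restart_server"},
    "deployer": {"deploy_app"},
}
OPERATIONS = sorted({op for ops in POLICY.values() for op in ops})

@dataclass
class AppServer:
    """Assumed minimal app-server model: each account carries a role
    attribute; every management operation passes one authorization check."""
    accounts: dict = field(default_factory=dict)  # username -> role
    enforce: bool = True  # False models roles that exist but are never consulted

    def add_account(self, user, role):
        if role not in POLICY:
            raise ValueError(f"unknown role {role!r}")
        self.accounts[user] = role

    def authorize(self, user, operation):
        """Decision derived only from the central POLICY and the account's
        role attribute; nothing the user controls can change it."""
        if not self.enforce:
            return True
        return operation in POLICY[self.accounts[user]]

def check_rbac_enforcement(server):
    """The SRG check: one account per role, every operation exercised as
    each, outcome compared with policy. Non-empty result is a finding."""
    for role in POLICY:
        server.add_account(f"test_{role}", role)
    findings = []
    for role in POLICY:
        for op in OPERATIONS:
            expected = op in POLICY[role]
            actual = server.authorize(f"test_{role}", op)
            if actual != expected:
                findings.append((role, op, "allowed" if actual else "denied"))
    return findings

if __name__ == "__main__":
    print("enforcing:", check_rbac_enforcement(AppServer()))
    print("not enforcing:", check_rbac_enforcement(AppServer(enforce=False)))
```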
Fix Text (F-40282r1_fix)
Configure the AS according to role-based access controls and corresponding membership requirements.