UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Application Server must enforce non-discretionary access control policies over users and resources.


Overview

Finding ID Version Rule ID IA Controls Severity
V-35739 SRG-APP-000035-AS-000025 SV-47026r1_rule Medium
Description
Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority, and may not be changed at the discretion of ordinary application server users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. Non-discretionary access controls are employed at the application server level in order to restrict and control access to application server data and to restrict management capabilities to specific users. The policy rule set will specify that each application server user account be assigned attributes, including information such as position or role within the application server. (e.g., admin, operator, deployer). It is not sufficient for these roles to simply exist within the application server - they must also be enforced.
STIG Date
Application Server Security Requirements Guide 2013-01-08

Details

Check Text ( C-44082r1_chk )
Review AS product documentation and configuration to determine if role-based access controls exist. Create AS user accounts in each role and test AS functionality to verify that controls are actually enforced. If the access controls are not enforced in accordance to the organization's policy, this is a finding.
Fix Text (F-40282r1_fix)
Configure the AS according to role-based access controls and corresponding membership requirements.