Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The Application Server must enforce non-discretionary access control policies over users and resources.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-35739 | SRG-APP-000035-AS-000025 | SV-47026r1_rule | Medium |
| Description |
|---|
| Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority, and may not be changed at the discretion of ordinary application server users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. Non-discretionary access controls are employed at the application server level in order to restrict and control access to application server data and to restrict management capabilities to specific users. The policy rule set will specify that each application server user account be assigned attributes, including information such as position or role within the application server. (e.g., admin, operator, deployer). It is not sufficient for these roles to simply exist within the application server - they must also be enforced. |
| STIG | Date |
|---|---|
| Application Server Security Requirements Guide | 2013-01-08 |
Details
| Check Text ( C-44082r1_chk ) |
|---|
| Review AS product documentation and configuration to determine if role-based access controls exist. Create AS user accounts in each role and test AS functionality to verify that controls are actually enforced. If the access controls are not enforced in accordance to the organization's policy, this is a finding. |
| Fix Text (F-40282r1_fix) |
|---|
| Configure the AS according to role-based access controls and corresponding membership requirements. |