
The DBMS must enforce non-discretionary access control policies over users and resources where the policy rule set for each policy specifies access control information (i.e., position, nationality, age, project, time of day).


Overview

Finding ID: V-32205
Version: SRG-APP-000035-DB-000007
Rule ID: SV-42522r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Access control policies (e.g., identity-based policies, role-based policies, attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) are employed to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains). Non-discretionary access controls are controls determined by policy makers, are managed centrally or by a central authority, and may not be changed at the discretion of ordinary application users. Data protection requirements may result in a non-discretionary access control policy being specified as part of the application design. Non-discretionary access controls are employed at the application level to restrict and control access to application data, thereby providing increased information security for the organization. Policy rule sets would be developed to establish that each user receives only the information to which the user is authorized. The policy rule set will specify that each application user account will be assigned attributes including information such as position, nationality, age, project, time of day, etc. If policy rule sets are not developed and access is not restricted based on appropriate information, data may be compromised by accident or purposefully by individuals who are unauthorized to view or modify the information.
STIG: Database Security Requirements Guide
Date: 2012-07-02

Details

Check Text ( C-40710r2_chk )
Check DBMS settings to determine if non-discretionary policy rule sets exist and if user accounts are assigned attributes relevant to the policy rule sets. If non-discretionary policy rule sets do not exist, this is a finding.

If user accounts do not contain attributes relevant to assigned rule sets, this is a finding.
Fix Text (F-36129r1_fix)
Add non-discretionary policy rule sets to the DBMS.
Add the appropriate user account attributes required by assigned rule sets.
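As an added illustration, not part of the STIG text, the following shows a centrally defined rule set using the attribute classes this requirement names (position, nationality, project, time of day), an enforcement check against it, and an audit that reports accounts lacking attributes relevant to the rule set, which is the finding the Check Text describes. All resource names, attribute values and accounts are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed policy rule set for this example. It is defined centrally
# (non-discretionary): ordinary users have no way to change it.
POLICY_RULES = {
    "project_records": {
        # attributes the user account must carry, and the permitted values
        "subject": {
            "project": {"apollo"},
            "nationality": {"US", "UK"},
            "position": {"analyst", "lead"},
        },
        # environmental rule: access only inside this window (time of day)
        "time_window": (time(7, 0), time(19, 0)),
    },
}


@dataclass
class UserAccount:
    name: str
    attributes: dict = field(default_factory=dict)  # e.g. {"project": "apollo"}


def missing_attributes(account, resource):
    """Attributes the rule set relies on that the account does not carry."""
    required = set(POLICY_RULES[resource]["subject"])
    return sorted(required - account.attributes.keys())


def access_allowed(account, resource, now):
    """Enforce the rule set; an incomplete attribute set is denied, not guessed."""
    rules = POLICY_RULES[resource]
    if missing_attributes(account, resource):
        return False
    for attr, allowed in rules["subject"].items():
        if account.attributes[attr] not in allowed:
            return False
    start, end = rules["time_window"]
    return start <= now <= end


def audit_accounts(accounts, resource):
    """Mirror the Check Text: accounts whose attributes do not cover the rule set."""
    report = {a.name: missing_attributes(a, resource) for a in accounts}
    return {name: missing for name, missing in report.items() if missing}
```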