Strong access controls are critical to securing the application server. The application server must employ access control policies (e.g., identity-based, role-based, and attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, and cryptography) to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, and application domains) in the application server. Without stringent logical access and authorization controls, an adversary may have the ability, with little effort, to compromise the application server and associated supporting infrastructure. Satisfies: SRG-APP-000033, SRG-APP-000158, SRG-APP-000211, SRG-APP-000233, SRG-APP-000340, SRG-APP-000342, SRG-APP-000328, SRG-APP-000380, SRG-APP-000386, SRG-APP-000472, SRG-APP-000473, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735
Role-Based Access Control hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured. Select the gear icon (System Settings) >> Access Management >> LDAP & SAML. Depending on the multifactor type configured, under LDAP or SAML, locate "User Assignment Settings". If only one assigned role exists, this is a finding.
Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured. Select the gear icon (System Settings) >> Access Management >> LDAP & SAML. Depending on the multifactor type configured, under LDAP or SAML, locate "User Assignment Settings". Assign two or more roles as defined by the AO and tie them to an LDAP/SAML user or group.