← Back to Application Server Security Requirements Guide

V-278961

CAT II (Medium)

The application server must enforce attribute-based control access over defined subjects and objects based upon organization-defined attributes to assume access permissions.

Rule ID

SV-278961r1137594_rule

STIG

Application Server Security Requirements Guide

Version

V4R4

CCIs

CCI-003652

Discussion

Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. This requirement also applies to Zero Trust initiatives.

Check Content

Verify the application server is configured enforce attribute-based control access over defined subjects and objects based upon organization-defined attributes to assume access permissions.

If the application server does not enforce attribute-based control access over defined subjects and objects based upon organization-defined attributes to assume access permissions, this is a finding.

Fix Text

Configure the application server to enforce attribute-based control access over defined subjects and objects based upon organization-defined attributes to assume access permissions.