← Back to General Purpose Operating System Security Requirements Guide

V-278974

CAT II (Medium)

The operating system must enforce a role-based access control (RBAC) policy over defined subjects and objects.

Rule ID

SV-278974r1137698_rule

STIG

General Purpose Operating System Security Requirements Guide

Version

V3R3

CCIs

CCI-002169 CCI-000366

Discussion

RBAC is an access control policy that restricts information system access to authorized users. Without these security policies, access control and enforcement mechanisms will not prevent unauthorized access. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. This requirement also applies to Zero Trust initiatives.

Check Content

Verify the operating system is configured to enforce an RBAC policy over defined subjects and objects.

If the operating system is not configured to enforce an RBAC policy over defined subjects and objects, this is a finding.

Fix Text

Configure the operating system to enforce an RBAC policy over defined subjects and objects.