Rule ID
SV-281380r1186164_rule
Version
V1R1
RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization.
Role-Based Access Control hierarchy is to be defined by the authorizing authority (AO). Separation of duties must be configured. 1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Evaluate the users using the combo box in the top right to change users. 3. Ensure users have the minimal permissions required to perform their duties. 4. Verify least two users have different role types such as "admin" and "user". If only one assigned role exists, this is a finding. If users have excessive permissions, this is a finding.
Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured. 1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options. 2. Assign minimal permissions to each user required to perform their job. 3. Assign two or more roles (as defined by the AO) to at least two different user types.