E.3.3 Role-based access control
Control Details
Objective
Control access to resources by associating permitted actions with roles rather than with individual subject identities, and provide traceability between actors and actions.
Definition
Define a set of roles and accounts, each with an associated access control/authorization level, taking into account remote access requirements, the period for which access is needed, and careful vetting of contractor personnel. These roles can then be used for access control to ensure proper traceability of actions to actors. A process should be implemented to manage temporary or emergency access to mission-critical systems. Role-based access is enforced by physical and logical access enforcement mechanisms.
Assessment Questions
- How are authorization levels for accounts associated with roles, and how is the corresponding level of access control (including remote access and proper vetting of contractors) enforced so that authorization does not exceed the period of performance?
- How are access control violations handled?
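As an added illustration (not part of this control catalog), the following Python sketch shows how the elements of the definition map onto an enforcement point: permissions derived from roles rather than identities, a bounded period of performance on every assignment, remote access as an explicit flag, emergency access that requires a named approver, and an audit record tying each actor to each action and decision. The role names, actions, accounts and times are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample policy: each role names the actions it permits.
ROLE_PERMISSIONS = {
    "operator": {"view_status", "acknowledge_alarm"},
    "maintenance": {"view_status", "update_firmware"},
    "emergency_responder": {"view_status", "acknowledge_alarm", "shutdown_unit"},
}

@dataclass
class Assignment:                 # a role held by an account for a bounded period of performance
    role: str
    valid_from: datetime
    valid_until: datetime
    remote_allowed: bool = False  # remote access is a separate, explicit decision
    emergency: bool = False       # temporary/emergency access to a mission-critical system
    approver: str = ""            # must be non-empty for emergency grants

@dataclass
class RoleBasedAccess:
    assignments: dict = field(default_factory=dict)  # account -> list of Assignment
    audit_log: list = field(default_factory=list)

    def grant(self, account: str, a: Assignment) -> None:
        # Open-ended access and unapproved emergency access are rejected at grant time.
        if a.valid_until <= a.valid_from:
            raise ValueError("period of performance must be a non-empty interval")
        if a.emergency and not a.approver:
            raise ValueError("emergency access requires a named approver")
        self.assignments.setdefault(account, []).append(a)

    def authorize(self, account: str, action: str, now: datetime, remote: bool = False) -> bool:
        # Permissions come only from roles active at 'now'; the account identity itself grants nothing.
        active = [a for a in self.assignments.get(account, [])
                  if a.valid_from <= now < a.valid_until and (a.remote_allowed or not remote)]
        roles = [a.role for a in active if action in ROLE_PERMISSIONS.get(a.role, set())]
        # Every decision is logged with actor, action and the justifying roles (traceability).
        self.audit_log.append({"time": now.isoformat(), "account": account, "action": action,
                               "remote": remote, "roles": roles, "decision": "allow" if roles else "deny"})
        return bool(roles)

def at(hours: float) -> datetime:  # clock helper for the scenario: 'hours' after a fixed start instant
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(hours=hours)

def scenario() -> RoleBasedAccess:
    # Constructed: a staff operator with remote access, and a vetted contractor with 8 h of approved emergency access.
    rbac = RoleBasedAccess()
    rbac.grant("alice", Assignment("operator", at(0), at(24 * 365), remote_allowed=True))
    rbac.grant("contractor-7", Assignment("emergency_responder", at(0), at(8),
                                          emergency=True, approver="plant-manager"))
    return rbac
```

Denied requests are recorded in the same audit log as allowed ones, which is the record an assessor would review when asking how access control violations are handled.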