Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

4.1.7 - Real time access control decision making #2059

Open
EnigmaRosa opened this issue Sep 4, 2024 · 3 comments
Open

4.1.7 - Real time access control decision making #2059

EnigmaRosa opened this issue Sep 4, 2024 · 3 comments
Assignees
@EnigmaRosa
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@EnigmaRosa
Copy link
Contributor

Note: this is referenced as 4.1.10 in #2033, but I updating the numbering to account for the skipped requirements.

I propose the addition of a new requirement that addresses the need for access decisions to be made on the most current permissions information. For example, let's say a user's access permissions are modified while that user has an active session (i.e. admin revokes access to edit files) - if the system does not check the user's permissions in real time (i.e. instead relying on cached access information), the user would be able to edit a file, which they should no longer be able to do.

# Description L1 L2 L3 CWE
4.1.7 [ADDED] Verify that the access control system makes real-time access control decisions based on current permissions values.
This was referenced Sep 4, 2024
Closed
Closed
@elarlang
Copy link
Collaborator

elarlang commented Sep 5, 2024

We have a requirement

# Description L1 L2 L3 CWE NIST §
3.5.7 [ADDED] Verify that all active stateless tokens, which are being relied upon for access control decisions, are revoked when admins change the entitlements or roles of the user. 613

I have proposed to move it to access control in #1917

We don't have a matching requirement for the same situation in the "classical session management" - if the permissions for the user are changed, it must have immediate effect. Such as in case those are buffered to session data, those also must be "revoked".

So maybe we need to make this requirement to cover both situations and to be more abstract. Or do we need to have another requirement for "classical session management".

It may make sense to read the issue, as there are other related comments, but let's continue the discussion in this issue.

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues labels Sep 5, 2024
@tghosth tghosth added the _5.0 - prep This needs to be addressed to prepare 5.0 label Sep 5, 2024
@jmanico
Copy link
Member

jmanico commented Sep 5, 2024

Note: revoking the token is pretty dramatic. I'd rather set up a rule with the new access control policy for that user (using some caching method) so the user experience is not effected. If you can revoke an active token, then having a "access control over-ride" list is just as easy.

@randomstuff
Copy link

Verify that all active stateless tokens

Apparently (today I learned), the blessed lingo for that would be/become "self-encoded tokens"?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EnigmaRosa EnigmaRosa

Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jmanico @randomstuff @tghosth @elarlang @EnigmaRosa