4.1.6 - Verify implementation of access control design #2058

Closed
EnigmaRosa opened this issue Sep 4, 2024 · 4 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@EnigmaRosa
Contributor

EnigmaRosa commented Sep 4, 2024

Note: this was referenced in #2033 as 4.1.7, but I have re-numbered according to what was agreed on eliminating.

I propose a new verification requirement ensuring that the access control system outlined in design documentation is what is actually implemented.

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 4.1.6 | [ADDED] Verify that access controls are implemented as per the design documentation. | | | | 284 |

@elarlang
Collaborator

elarlang commented Sep 5, 2024

Summary from feedback and discussion from #2033. Personally, I think we don't need this requirement, but we need that proposed documentation requirement and all implementation requirements to work as a unit.

We should have all "implementation requirements" covered as other separate requirements. If the documentation says something extra that we don't already have written as a separate requirement, it means we need to have this new separate requirement to address this precise technical problem, but not the abstract "check the implementation" requirement.

To achieve "check the implementation", we need to validate whether all preconditions for testing the implementation requirement are covered by the documentation requirement.

@elarlang elarlang added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V4 Temporary label for grouping authorization related issues labels Sep 5, 2024
@tghosth tghosth added the _5.0 - prep This needs to be addressed to prepare 5.0 label Sep 5, 2024
@elarlang elarlang added the next meeting Filter for leaders label Sep 5, 2024
@tghosth
Collaborator

tghosth commented Sep 5, 2024

Yeah, I think that the consensus was that we should make sure that the other specific requirements in V4 correspond to anything mentioned in the documentation requirement and that we should not have the separate requirement discussed in this issue thread.

Does that make sense @EnigmaRosa?

@tghosth tghosth removed the next meeting Filter for leaders label Sep 5, 2024
@jmanico
Member

jmanico commented Sep 5, 2024

I think just stating that access control policy needs to be documented is enough; I agree this is redundant.

@EnigmaRosa
Contributor Author

I'm iffy on this, but I am okay nixing this.
