Deeds101 / CYBR8420-project


Use/Misuse Case 5 (RBAC) #15

Closed DoomDragoon closed 9 months ago

Deeds101 commented 9 months ago

Iteration 1

Image

Deeds101 commented 9 months ago

Iteration 2

Image

Deeds101 commented 9 months ago

Iteration 3

Image

DoomDragoon commented 9 months ago

I think this is pretty good. You have a nice progression. I would be more specific with actors' names, like nurse, or ransomware attacker, etc., like our professor mentioned in our check-in. I'm sure he will be looking to take points off for being too generic. In our lectures, it was also noted that it shouldn't be too technical. I had to google what RBAC meant. I always take the 'Would a 5-year-old understand this' approach. Other than some labels, I think you may be done!

kdherrm88 commented 9 months ago

This works well. You progress through the steps showing how it is able to perform the needed steps to create more security for the product.

Deeds101 commented 9 months ago

Final Iteration

Image

Thank you guys, I was having a brain freeze on how to label the threat actors as well as the clients.

Deeds101 commented 9 months ago

https://forum.itflow.org/d/345-allow-technicians-to-add-clients
https://github.com/itflow-org/itflow/issues/530

This is where I got the idea for the IDOR vulnerability.

Atmcalpine commented 9 months ago

Would phishing campaigns, password spraying, or man-in-the-middle attacks be additional attack methods that may be used to exploit the Identity Management Platform?

Deeds101 commented 9 months ago

Final with Revisions

Image

Deeds101 commented 9 months ago

https://github.com/itflow-org/itflow/issues/673

Reasoning for SQL injection in Use case

Deeds101 commented 9 months ago

A security researcher discovered that the code is vulnerable to a SQL injection on the client page; this got fixed. There was also an IDOR vulnerability, in that people could visit vital site pages if they had a valid URL; this got put in the release milestone 1.0.
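The two weaknesses named in this thread (injection on the client page, and a valid URL standing in for a permission) and the RBAC use case map onto one small lookup. The following is an added example written for this discussion, not itflow's code: the table, role names, permission strings and user records are constructed stand-ins, and the weak lookup sits next to the hardened one so the missing checks are visible.

```python
import sqlite3

# Constructed sample data standing in for a clients table; the schema and
# the owner_user_id column are hypothetical, not itflow's own.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clients(client_id INTEGER PRIMARY KEY, name TEXT, owner_user_id INTEGER);
        INSERT INTO clients VALUES (1, 'Acme Clinic', 10), (2, 'Beta Dental', 11);
    """)
    return db

# Hypothetical RBAC table: admins may read any client, technicians only their own.
ROLES = {"admin": {"client:read_any"}, "technician": {"client:read_own"}}

def client_page_vulnerable(db, client_id_param):
    # Misuse case from the thread: the URL parameter is spliced into SQL text
    # (SQL injection) and nothing ties the record to the requester (IDOR).
    row = db.execute(
        f"SELECT name FROM clients WHERE client_id = {client_id_param}"
    ).fetchone()
    return row[0] if row else None

def client_page_hardened(db, user, client_id_param):
    # 1. Validate and parameterize: the id is data, never part of the SQL text.
    try:
        client_id = int(client_id_param)
    except (TypeError, ValueError):
        return None
    row = db.execute(
        "SELECT name, owner_user_id FROM clients WHERE client_id = ?", (client_id,)
    ).fetchone()
    if row is None:
        return None
    name, owner = row
    # 2. RBAC plus object-level authorization: knowing a valid URL is not a permission.
    perms = ROLES.get(user["role"], set())
    if "client:read_any" in perms or ("client:read_own" in perms and owner == user["id"]):
        return name
    return None
```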