GSA / fedramp-automation

FedRAMP Automation
https://www.fedramp.gov/using-the-fedramp-oscal-resources-and-templates/

Validator should not require a <role-id> tag in <system-implementation> <user> #266

Closed telosBA closed 2 weeks ago

telosBA commented 2 years ago

Describe the bug

There is currently a validation test that checks for a <role-id> tag within <user>. This raises challenges, as not every frontend user is going to be responsible for one of the FedRAMP required roles. This could be resolved by defining a blanket role that could be assumed by all users that are not assigned one of those organizationally-defined roles. This does exist in NIST's documentation, but it is not required for this reason.

Who is the bug affecting?

Telos

What is affected by this bug?

Validation

When does this occur?

During Validation

How do we replicate the issue?


  1. Create SSP without role-id tag in system-implementation user
  2. Run through UI validator
  3. Note errors


Expected behavior (i.e. solution)

role-id should not be required and yield no error.

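The check the issue describes, reproduced as an added example (not code from the fedramp-automation validator or from the reporter): a constructed, minimal OSCAL SSP fragment is parsed, every `system-implementation/user` is tested for a `role-id` child (the FedRAMP-style rule the reporter hit), the same document is tested against the NIST cardinality the reporter cites (at least one user, `role-id` optional), and the proposed "blanket role" workaround is applied so the stricter check then passes. The OSCAL namespace is the real one; the uuids, role ids, and the referential-integrity sanity check on `role-id` values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

OSCAL_NS = "http://csrc.nist.gov/ns/oscal/1.0"
NS = {"o": OSCAL_NS}

# Constructed minimal SSP fragment for demonstration only; uuids and role
# ids are made up and are not taken from any FedRAMP template.
SAMPLE_SSP = """<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0"
    uuid="3b8a1d9e-0c4c-4a7f-9a1e-000000000001">
  <metadata>
    <title>Constructed sample SSP</title>
    <role id="system-administrator"><title>System Administrator</title></role>
    <role id="general-user"><title>General User</title></role>
  </metadata>
  <system-implementation>
    <user uuid="7c2d5f11-0000-4000-8000-000000000010">
      <title>Database Administrator</title>
      <role-id>system-administrator</role-id>
    </user>
    <user uuid="7c2d5f11-0000-4000-8000-000000000011">
      <title>Front-end application user</title>
    </user>
  </system-implementation>
</system-security-plan>
"""


def load(xml_text):
    """Parse an OSCAL SSP document from a string."""
    return ET.fromstring(xml_text)


def defined_roles(root):
    """Set of role ids declared under metadata."""
    return {r.get("id") for r in root.findall("o:metadata/o:role", NS)}


def users(root):
    return root.findall("o:system-implementation/o:user", NS)


def role_ids(user):
    return [e.text.strip() for e in user.findall("o:role-id", NS) if e.text]


def users_missing_role_id(root):
    """The rule the issue complains about: every user must carry a role-id.
    Returns the uuids of users that would fail it."""
    return [u.get("uuid") for u in users(root) if not role_ids(u)]


def nist_cardinality_errors(root):
    """Checks in line with the NIST cardinality the reporter cites: at least one
    user is required, role-id is optional. The undefined-role check is an added
    sanity check (an assumption for this example, not a quoted OSCAL rule)."""
    errors = []
    found = users(root)
    if not found:
        errors.append("system-implementation must contain at least one user")
    roles = defined_roles(root)
    for u in found:
        for rid in role_ids(u):
            if rid not in roles:
                errors.append(f"user {u.get('uuid')} references undefined role {rid!r}")
    return errors


def assign_blanket_role(root, role_id):
    """Workaround proposed in the issue: give every user without a role-id a
    blanket role. Returns the number of users changed."""
    if role_id not in defined_roles(root):
        raise ValueError(f"role {role_id!r} is not defined in metadata")
    trailing = {f"{{{OSCAL_NS}}}authorized-privilege", f"{{{OSCAL_NS}}}remarks"}
    changed = 0
    for u in users(root):
        if role_ids(u):
            continue
        # Keep OSCAL element order: role-id precedes authorized-privilege/remarks.
        children = list(u)
        pos = next((i for i, c in enumerate(children) if c.tag in trailing), len(children))
        el = ET.Element(f"{{{OSCAL_NS}}}role-id")
        el.text = role_id
        u.insert(pos, el)
        changed += 1
    return changed


if __name__ == "__main__":
    root = load(SAMPLE_SSP)
    print("users without role-id:", users_missing_role_id(root))
    print("NIST-style errors:", nist_cardinality_errors(root))
    print("blanket role assigned to", assign_blanket_role(root, "general-user"), "user(s)")
    print("users without role-id now:", users_missing_role_id(root))
```

Run against the constructed sample, the FedRAMP-style check flags the front-end user while the NIST-style check reports nothing, which is exactly the disagreement the issue is about; assigning the blanket role clears the stricter check without changing the document's meaning for the other users.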

markXLIX commented 2 years ago

The intent here appears to be to itemize roles within the Personnel Roles and Privileges. Thus users without a role should not be included.

This likely requires more description and explanation by the FedRAMP Documentation for clarity.

telosBA commented 2 years ago

This could work, except NIST requires at least one user to be included in the SSP.

This would not be an issue if role-id was not required, as NIST indicates in its cardinality for role-id.

volpet2014 commented 1 year ago

Added @Rene2mt for addressing in Rev 4/5 documentation updates.

aj-stein-gsa commented 2 weeks ago

Re ADR 7, we will not use the previous constraint architecture as-is and the relevant code will soon be removed. I am closing this issue as not planned.