DRAFT PR - separation of duties example - option 4

[Rene2mt]

Committer Notes

This is a DRAFT PR illustrating another option for how to represent FedRAMP's SSP separation of duties (issue #534 ). The approach in this is illustrated by the entity diagram below:

This would require require the following changes to the NIST OSCAL SSP models:

• https://github.com/GSA/OSCAL/pull/3

All Submissions:

• [ ] Have you selected the correct base branch per Contributing guidance?
• [ ] Have you set "Allow edits and access to secrets by maintainers"?
• [ ] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• [ ] Have you squashed any non-relevant commits and commit messages? [instructions]
• [ ] Have you added an explanation of what your changes do and why you'd like us to include them?
• [ ] If applicable, have all FedRAMP Documents Related to OSCAL Adoption affected by the changes in this issue have been updated.?
• [ ] If applicable, does this PR reference the issue it addresses and explain how it addresses the issue?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

[Rene2mt]

Updated proposal option 4 to:

• Ensure backwards compatibility

• Rolled back addition of uuid flag in the authorized-privilege assembly
• Rolled back deprecated flag in the authorized-privilege assembly

• Added constraint on component assembly requiring any of its authorized-privilege assemblies to either have a role-id or user-uuid

• Supports both user-centric and component-centric definition of authorized-privileges
• Allows association of association of authorized privileges with role, users, or both