Open elarlang opened 2 years ago
PS I think 4.2.2 is not access control per https://github.com/OWASP/ASVS/issues/1652
This looks good to me!
I strongly believe that 4.3.3 does not belong in access control. I understand why 4.3.1 is relevant to access control - as access to the admin interface can enable changes to user permissions. However, I think it is important to have language that clarifies what that actually means. Administrative interfaces for individual instances (in a multi-tenant SaaS app)? Probably no need to restrict access location.
@EnigmaRosa - I think it is better to open a separate issue for that discussion, to keep the focus on this issue for V4 reorg and overview.
I have a large list of requirements from the ABAC standard I'd like to include for consideration. Would it be ok if I added them here @elarlang or would you prefer I add a new issue?
@jmanico please can you confer with @EnigmaRosa on this as she is currently working on this chapter.
As a reminder, we want to avoid too many in-depth requirements and would prefer to have slightly higher level requirements which refer to external, more detailed documentation like cheatsheets or specific standards.
I hear you Josh. I admittedly have been more detailed-oriented but will switch gears.
Hey @EnigmaRosa can you kindly contact me at jim@manicode.com please?
Master issue for Access Control related requirements - input for lead-meetings and for collecting feedback from the community.
Updated:
Related requirements (2022-08-26):
V1.4 Access Control Architecture
V4.1 General Access Control Design
V4.2 Operation Level Access Control
To-do:
934
1183
1191
Master issue for V1 cleanup - https://github.com/OWASP/ASVS/issues/1063
Solved:
Solved, but...: