In order to access the system, a user must request an access role. This should be done through self-service and then approved through a chain of command in order to validate:
- need to access the system
- the appropriate level of access has been requested
- user identification information
- valid/current security training/clearance
One example of this process, and one that needs to be supported, is the Department of Defense Form DD-2875. However, this form is specific to the Defense Department and should not be implemented directly, because other agencies have their own processes, which should be honored.
Regardless of specific artifacts, the system should:
- gather information from authoritative sources (CAC/PIV)
- support customized workflow
- produce necessary artifacts
- ensure that appropriate timeout/re-certification of need are honored
- be tied to RBAC authorizations
- enforce basic separation of duties (tied to RBAC authorizations)
- obfuscate identifying information about users and ensure that no single penetration can tie a user's identity to their transactions
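
The approval chain, separation-of-duties and re-certification requirements above can be sketched as follows. This is an added example, not code from the system described; the approver roles, the 365-day re-certification period and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical policy values; the page does not specify any of these.
APPROVAL_CHAIN = ["supervisor", "security_manager"]  # ordered approver roles
RECERT_PERIOD = timedelta(days=365)

@dataclass
class AccessRequest:
    requester: str          # identifier taken from the CAC/PIV credential
    role: str               # RBAC role being requested
    justification: str      # stated need to access the system
    training_expires: date  # end of current security training/clearance
    approvals: list = field(default_factory=list)  # (approver, role, date)

    def approve(self, approver, approver_role, today):
        # Separation of duties: no self-approval, no person approving twice.
        if approver == self.requester:
            raise PermissionError("requester cannot approve own request")
        if approver in [a for a, _, _ in self.approvals]:
            raise PermissionError("each step needs a different approver")
        if len(self.approvals) >= len(APPROVAL_CHAIN):
            raise ValueError("request already fully approved")
        # Chain of command: approvals must arrive in the configured order.
        expected = APPROVAL_CHAIN[len(self.approvals)]
        if approver_role != expected:
            raise PermissionError(f"next approval must come from {expected}")
        if self.training_expires < today:
            raise PermissionError("security training is not current")
        self.approvals.append((approver, approver_role, today))

    def expires(self):
        """Grant end date: the earlier of re-certification and training expiry."""
        if len(self.approvals) < len(APPROVAL_CHAIN):
            return None  # not fully approved, so no grant exists
        return min(self.approvals[-1][2] + RECERT_PERIOD, self.training_expires)

    def is_active(self, today):
        end = self.expires()
        return end is not None and today <= end

def demo():
    # Constructed sample request walked through the full chain.
    req = AccessRequest("alice", "analyst", "case work", date(2025, 6, 30))
    req.approve("bob", "supervisor", date(2025, 1, 10))
    req.approve("carol", "security_manager", date(2025, 1, 12))
    return req
```

An RBAC check would call `is_active` at authorization time, so a lapsed grant stops working without a separate revocation step.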