Clarify horizontal and vertical access control (4.2.1) #1934

tghosth · 2024-04-18T12:47:06Z

4.2.1 alludes to horizontal access control but we should decide whether we want to be more specific about access control types, e.g.

Making sure that the user has permission to perform a particular operation, on a particular data value of a particular entity of a particular type.

I have a slide about this somewhere....

tghosth · 2024-04-18T13:04:07Z

This came from a discussion in #1312

elarlang · 2024-04-18T13:34:30Z

issue for authorization reorg #1352

EnigmaRosa · 2024-05-26T00:14:06Z

I also feel that 4.2.1 is 1. a bit of a mouthful and 2. a roundabout way of calling for horizontal access controls. What if we replace it with

Verify that a users is authorized to perform a given operation on a given item by checking the user's permissions to both the function and the item.

elarlang · 2024-05-26T08:04:08Z

I add here my concern mentioned in V4 regorg issue (#1352 (comment)):

Q8 - what is actual difference between 4.1.3 and 4.2.1?

Current requirements:

#	Description	L1	L2	L3	CWE
4.1.3	Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege.	✓	✓	✓	285
4.2.1	Verify that sensitive data and APIs are protected against Insecure Direct Object Reference (IDOR) attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records.	✓	✓	✓	639

CWE:

CWE-285: Improper Authorization
- It's a category / class and should not used for mapping
CWE-639: Authorization Bypass Through User-Controlled Key

From @tghosth :

Making sure that the user has permission to perform a particular operation, on a particular data value of a particular entity of a particular type.

The main question here is the level of abstraction - do we want to have a separate requirement for each check (checklist style) or one requirement to list them all (principle style)?

jmanico · 2024-05-26T12:29:03Z

The principle of least privledge is a very general principle. Addressing IDOR is a very specific risk to be addressed. IDOR and horizontal access control is such a specific top risk in software that I would like make sure we are directly addressing it in a requirement by itself.

tghosth added _5.0 - prep This needs to be addressed to prepare 5.0 V4 Temporary label for grouping authorization related issues 4b Major-rework These issues need to be part of a full chapter rework labels Apr 18, 2024

tghosth mentioned this issue Apr 18, 2024

Is 13.1.4 a duplicate with Access Control? #1312

Closed

elarlang mentioned this issue May 26, 2024

Access Control requirements reorg #1352

Open

elarlang assigned tghosth, elarlang and EnigmaRosa May 26, 2024

elarlang mentioned this issue May 27, 2024

4.1.4 - how should we relate to "deny by default"? #1085

Open

elarlang added the next meeting Filter for leaders label May 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Clarify horizontal and vertical access control (4.2.1) #1934

Clarify horizontal and vertical access control (4.2.1) #1934

tghosth commented Apr 18, 2024

tghosth commented Apr 18, 2024

elarlang commented Apr 18, 2024

EnigmaRosa commented May 26, 2024

elarlang commented May 26, 2024

jmanico commented May 26, 2024 via email

Clarify horizontal and vertical access control (4.2.1) #1934

Clarify horizontal and vertical access control (4.2.1) #1934

Comments

tghosth commented Apr 18, 2024

tghosth commented Apr 18, 2024

elarlang commented Apr 18, 2024

EnigmaRosa commented May 26, 2024

elarlang commented May 26, 2024

jmanico commented May 26, 2024 via email