Rule ID
SV-284862r1227142_rule
Version
V1R1
Successful identification and authentication must not automatically give an entity full access to a network device or security domain. The lack of authorization-based access control could result in the immediate compromise and unauthorized access to sensitive information. All DoW systems must be properly configured to incorporate access control methods that do not rely solely on authentication for authorized access. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset or set of resources. Information systems use access control policies and enforcement mechanisms to implement this requirement. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Some network devices are preconfigured with security groups. Other network devices enable operators to create custom security groups with custom permissions. For example, an information system security manager (ISSM) may require read-only access to audit the network device. Operators may create an audit security group, define permissions and access levels for members of the group, and then assign the ISSM's user persona to the audit security group. This is still considered privileged access, but the ISSM's security group is more restrictive than the network administrator's security group. Network devices that rely on AAA brokers for authentication and authorization services may need to identify the available security groups or access levels available on the network devices and convey that information to the AAA operator. Once the AAA broker identifies the user persona on the centralized directory service, the user's security group memberships can be retrieved. The AAA operator may need to create a mapping that links target security groups from the directory service to the appropriate security groups or access levels on the network device. Once these mappings are configured, authorizations can happen dynamically, based on each user's directory service group membership. This requirement also applies to Zero Trust initiatives. Satisfies: SRG-APP-000033-NDM-000212, SRG-APP-000153-NDM-000249, SRG-APP-000329-NDM-000287
Verify the Cisco SNA is configured to assign appropriate user roles to authenticated users. This requirement may be verified by demonstrating users logging in with various privilege levels. The configuration may also be compared as shown below: Navigate to SNA Dashboard >> Configure >> User Management >> Users >> Select a User >> Actions.... Examine the assigned Data Role. If the Cisco SNA appliance does not enforce the assigned privilege level for each administrator and authorizations for access to all commands relative to the privilege level, this is a finding.
Configure the Cisco SNA appliance to assign appropriate user roles or access levels to authenticated users: Navigate to SNA Dashboard >> Configure >> User Management >> Create Dropdown (Top Right) >> Data Role. Assign Data Read/Write privileges for the role. Save. Navigate to Users >> Select a User >> Actions.... Assign an appropriate Data Role.