UCF STIG Viewer Logo

AC-24 ACCESS CONTROL DECISIONS


Overview

Number Title Impact Priority Subject Area
AC-24 Access Control Decisions P0 Access Control

Instructions
The organization establishes procedures to ensure Assignment: organization-defined access control decisions are applied to each access request prior to access enforcement.
Guidance
Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement.

Enhancements
AC-24 (1) Transmit Access Authorization Information
In distributed information systems, authorization processes and access control decisions may occur in separate parts of the systems. In such instances, authorization information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorization information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission.

The information system transmits Assignment: organization-defined access authorization information using Assignment: organization-defined security safeguards to Assignment: organization-defined information systems that enforce access control decisions.

AC-24 (2) No User Or Process Identity
In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish.

The information system enforces access control decisions based on Assignment: organization-defined security attributes that do not include the identity of the user or process acting on behalf of the user.