TCMax must enforce a role-based access control (RBAC) policy over defined subjects and objects.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281380 | TCMA-09-000340 | SV-281380r1186164_rule | CCI-002169 | medium |
| Description | ||||
| RBAC enables users to control, at both broad and granular levels, what administrators and end users can do. RBAC also enables users to more closely align the roles assigned to users and administrators to the actual roles they hold within the organization. | ||||
| STIG | Date | |||
| Soaring Software Solutions TCMax 9.x Security Technical Implementation Guide | 2026-03-05 | |||
Details
Check Text (C-281380r1186164_chk)
Role-Based Access Control hierarchy is to be defined by the authorizing authority (AO). Separation of duties must be configured.
1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.
2. Evaluate the users using the combo box in the top right to change users.
3. Ensure users have the minimal permissions required to perform their duties.
4. Verify least two users have different role types such as "admin" and "user".
If only one assigned role exists, this is a finding.
If users have excessive permissions, this is a finding.
Fix Text (F-85846r1186163_fix)
Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured.
1. Using an account of appropriate privileges to access TCMax, go to Settings >> User Options.
2. Assign minimal permissions to each user required to perform their job.
3. Assign two or more roles (as defined by the AO) to at least two different user types.