COE Security Software Requirements Specification
Copyright © 2003 The Open Group
Discretionary Access Control (DAC)
- 3.2.5.1
- The COE Platform implementation shall provide the capability to define access between named
users and/or defined sets of users and named objects (for example,
files, database elements, and programs).
- 3.2.5.2
- The COE Platform implementation shall provide the capability to control access between named
users and/or defined sets of users and named objects (for example,
files, database elements, and programs).
- 3.2.5.3
- The COE Platform implementation shall restrict access to objects based on the identity of the
user and/or of defined sets of users, and on access rights (for example,
read, write, execute).
- 3.2.5.3.1
- The COE Platform implementation shall provide the capability to restrict access to objects
based on the user's role.
- 3.2.5.3.2
- The COE Platform implementation shall provide the capability to restrict access to objects
based on the user's organization.
- 3.2.5.4
- The COE Platform implementation shall provide the capability for users to specify and control
sharing of objects by named users or defined sets of users (for
example, UNIX groups, access control lists), or by both.
- 3.2.5.5
- The COE Platform implementation shall provide controls to limit the propagation of access
rights.
- 3.2.5.6
- The COE Platform implementation shall, either by explicit user action or by default, protect
objects from unauthorized access.
- 3.2.5.7
- The COE Platform implementation shall provide the capability to assign access rights to
authorized users.
- 3.2.5.8
- The COE Platform implementation shall permit a user to grant or revoke access to an object if
the user has control permission (for example, file owner) for that
object.
- 3.2.5.9
- The COE Platform implementation shall provide a means to associate applications with a work
environment (that is, profiles) and allow users to specify the work
environment (that is, profile selection) during a session.
- 3.2.5.9.1
- The COE Platform implementation shall permit a user to hold membership in multiple groups of
users simultaneously and have all the access rights of those groups.
- 3.2.5.11
- The COE Platform implementation shall be capable of restricting access to input/output (I/O)
devices (for example, floppy disks and tape drives).
- 3.2.5.11.1
- The COE Platform implementation shall provide a capability to specify which users may access
which I/O devices.
- 3.2.5.12
- The COE Platform implementation shall provide a deadman capability that is activated if user
input devices have been idle for longer than a time period of n minutes, where n is
configurable by a trusted user (for example, a system administrator).
- 3.2.5.12.1
- When the deadman capability is activated after n minutes, the COE Platform implementation
shall discontinue the user session (log the user off).
- 3.2.5.12.2
- The configurable time period n shall default to 30 minutes.
- 3.2.5.16
- The COE Platform implementation shall provide a screen-lock capability that is activated if
user input devices have been idle for longer than a time period of n minutes, where n is
configurable by a trusted user (for example, a system administrator).
- 3.2.5.16.1
- When the screen-lock capability is activated after n minutes, the COE Platform implementation
shall screen-lock the terminal and display a selected screensaver.
- 3.2.5.16.2
- The configurable time period n shall default to 15 minutes.
- 3.2.5.16.5
- Any user-input device shall be usable to initiate actions to restore a
screen-locked terminal.
- 3.2.5.16.6
- The specific input value (whether from keyboard, mouse, or other input
device) used to restore a screen-locked terminal shall be ignored
except to initiate actions to unlock the terminal.
- 3.2.5.16.7
- The COE Platform implementation shall require that users re-authenticate themselves to unlock a
screen-locked terminal.
- 3.2.5.16.8
- The screen-lock capability shall be available for users to activate via
icon, menu selection, or button.
- 3.2.5.16.9
- The COE Platform implementation shall provide the capability for a trusted user (for example, a
system administrator) to unlock a screen-locked terminal irrespective
of which user was logged in to that terminal.
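As an added worked example (not part of the COE specification and not Open Group code), the following Python model shows how the DAC requirements 3.2.5.1 through 3.2.5.9.1 and 3.2.5.11.1 fit together: named users and groups, ACL-bearing objects, role and organization restrictions, protection by default, owner-held control permission for grant and revoke, a limit on propagation of rights, and the union of rights across a user's groups. The user names, groups, organizations (J2, J3), the `delegable` flag and the objects (including the `tape0` I/O device) are all constructed for this example.

```python
"""Toy discretionary access control (DAC) model for the requirements above.

Added illustration, not part of the COE specification: models named users,
groups, ACL-bearing objects (files, a database element, a tape device), role and
organization restrictions, owner-controlled grant/revoke, limited propagation of
rights, and the union of group rights. All names and data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

RIGHTS = {"read", "write", "execute"}


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)   # 3.2.5.9.1: many groups at once
    role: str = "user"
    org: str = ""


@dataclass
class Obj:
    name: str
    owner: str                                   # holder of control permission (3.2.5.8)
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # "user:alice"/"group:ops" -> rights
    allowed_roles: Optional[Set[str]] = None     # 3.2.5.3.1; None means no restriction
    allowed_orgs: Optional[Set[str]] = None      # 3.2.5.3.2
    delegable: bool = False                      # 3.2.5.5: may non-owners pass on rights?


class DacDenied(Exception):
    pass


class Dac:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.objects: Dict[str, Obj] = {}

    def add_user(self, u: User) -> None:
        self.users[u.name] = u

    def add_object(self, o: Obj) -> None:
        # An object with an empty ACL grants nothing to anyone: protection by
        # default (3.2.5.6). Only the owner can later open it up.
        self.objects[o.name] = o

    def effective_rights(self, user: str, obj: str) -> Set[str]:
        """Union of the user's own ACL entry and every group entry (3.2.5.9.1),
        after the object's role and organization filters (3.2.5.3.1 / 3.2.5.3.2)."""
        u, o = self.users[user], self.objects[obj]
        if o.allowed_roles is not None and u.role not in o.allowed_roles:
            return set()
        if o.allowed_orgs is not None and u.org not in o.allowed_orgs:
            return set()
        rights = set(o.acl.get(f"user:{u.name}", set()))
        for g in u.groups:
            rights |= o.acl.get(f"group:{g}", set())
        return rights

    def check(self, user: str, obj: str, right: str) -> bool:
        return right in self.effective_rights(user, obj)

    def has_control(self, user: str, obj: str) -> bool:
        return self.objects[obj].owner == user

    def grant(self, actor: str, obj: str, principal: str, rights: Set[str]) -> None:
        """The owner may grant anything (3.2.5.8). Anyone else may grant only on a
        delegable object and only rights they already hold, which bounds how far
        access rights can propagate (3.2.5.5)."""
        o = self.objects[obj]
        if not rights <= RIGHTS:
            raise ValueError(f"unknown right in {sorted(rights)}")
        if not (self.has_control(actor, obj)
                or (o.delegable and rights <= self.effective_rights(actor, obj))):
            raise DacDenied(f"{actor} may not grant {sorted(rights)} on {obj}")
        o.acl.setdefault(principal, set()).update(rights)

    def revoke(self, actor: str, obj: str, principal: str) -> None:
        if not self.has_control(actor, obj):
            raise DacDenied(f"{actor} lacks control permission on {obj}")
        self.objects[obj].acl.pop(principal, None)


def build_dac_demo() -> Dac:
    """Constructed scenario: two organizations, three users, three objects."""
    dac = Dac()
    dac.add_user(User("alice", {"analysts"}, org="J2"))
    dac.add_user(User("bob", {"analysts", "ops"}, org="J2"))
    dac.add_user(User("carol", {"ops"}, role="sysadmin", org="J3"))
    dac.add_object(Obj("plan.txt", owner="alice",
                       acl={"group:analysts": {"read"}, "group:ops": {"write"}}))
    dac.add_object(Obj("orders.db", owner="alice", acl={"group:ops": {"read", "write"}},
                       allowed_orgs={"J2"}))
    dac.add_object(Obj("tape0", owner="carol", acl={"user:carol": {"read", "write"}},
                       allowed_roles={"sysadmin"}))      # I/O device, 3.2.5.11.1
    return dac
```

Two design points worth noting: ownership confers control permission (grant/revoke) but not automatic read or write, so an owner who wants access must appear in the ACL like anyone else; and the role and organization filters are applied before the ACL is consulted, so a group entry can never leak an object outside its permitted organization.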
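As a second added example (again not part of the specification or any Open Group code), the following Python session monitor implements the deadman (3.2.5.12 through 3.2.5.12.2) and screen-lock (3.2.5.16 through 3.2.5.16.9) requirements as one state machine with the specified defaults of 15 and 30 minutes: input on a locked terminal only raises the unlock prompt, unlocking requires re-authentication of the session owner or a trusted user, and the session is discontinued once the deadman timer expires. Time is passed in as seconds from a simulated clock; the `CredentialStore`, the users `alice` and `sysadm`, their credentials, and the choice that input on a locked terminal does not reset the deadman timer are constructed assumptions of this example.

```python
"""Idle-session handling per 3.2.5.12 (deadman) and 3.2.5.16 (screen lock).

Added illustration, not part of the COE specification. Time is passed in as
seconds from a simulated clock so behaviour is deterministic; the credential
store, user names and secrets are constructed for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

SCREEN_LOCK_DEFAULT_MIN = 15   # 3.2.5.16.2
DEADMAN_DEFAULT_MIN = 30       # 3.2.5.12.2


class CredentialStore:
    """Salted PBKDF2 verifier standing in for the platform's authentication service."""
    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[bytes, bytes, bool]] = {}  # user -> (salt, hash, trusted)

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def add(self, user: str, secret: str, trusted: bool = False) -> None:
        salt = os.urandom(16)
        self._entries[user] = (salt, self._derive(secret, salt), trusted)

    def verify(self, user: str, secret: str) -> bool:
        entry = self._entries.get(user)
        if entry is None:
            return False
        salt, expected, _ = entry
        return hmac.compare_digest(self._derive(secret, salt), expected)

    def is_trusted(self, user: str) -> bool:
        return user in self._entries and self._entries[user][2]


class Session:
    def __init__(self, user: str, creds: CredentialStore, now: float,
                 lock_minutes: int = SCREEN_LOCK_DEFAULT_MIN,
                 deadman_minutes: int = DEADMAN_DEFAULT_MIN) -> None:
        if not 0 < lock_minutes < deadman_minutes:
            raise ValueError("screen lock must fire before the deadman timer")
        self.user, self.creds = user, creds
        self.lock_after, self.logoff_after = lock_minutes * 60, deadman_minutes * 60
        self.state = "active"          # active -> locked -> active, or -> ended
        self.last_input = now
        self.audit: List[str] = []

    def tick(self, now: float) -> str:
        """Called periodically by the platform; applies both idle timers."""
        idle = now - self.last_input
        if self.state != "ended" and idle >= self.logoff_after:
            self.state = "ended"       # 3.2.5.12.1: discontinue the session
            self.audit.append(f"deadman logoff of {self.user} after {idle:.0f}s idle")
        elif self.state == "active" and idle >= self.lock_after:
            self.state = "locked"      # 3.2.5.16.1: lock terminal, show screensaver
            self.audit.append(f"screen locked for {self.user} after {idle:.0f}s idle")
        return self.state

    def lock(self) -> str:
        """User-initiated lock via icon, menu selection or button (3.2.5.16.8)."""
        if self.state == "active":
            self.state = "locked"
            self.audit.append(f"{self.user} locked the screen")
        return self.state

    def input_event(self, now: float, value: str) -> str:
        """Input from any device. While locked, the value is discarded and only
        raises the unlock prompt (3.2.5.16.5 / 3.2.5.16.6). Input on a locked
        terminal does not reset the deadman timer here, so an unattended locked
        session still ends (a design choice of this example, not a stated rule)."""
        state = self.tick(now)
        if state == "active":
            self.last_input = now
            return "delivered"
        return "unlock_prompt" if state == "locked" else "ended"

    def unlock(self, now: float, user: str, secret: str) -> bool:
        """3.2.5.16.7: the session owner must re-authenticate; 3.2.5.16.9: a trusted
        user may unlock irrespective of who was logged in."""
        if self.tick(now) != "locked":
            return False
        if not self.creds.verify(user, secret):
            self.audit.append(f"failed unlock attempt by {user}")
            return False
        if user != self.user and not self.creds.is_trusted(user):
            self.audit.append(f"{user} denied: not the session owner and not trusted")
            return False
        self.state, self.last_input = "active", now
        self.audit.append(f"unlocked by {user}" + (" (trusted user)" if user != self.user else ""))
        return True


def build_session_demo() -> Session:
    creds = CredentialStore()
    creds.add("alice", "correct horse")                 # constructed credentials
    creds.add("sysadm", "battery staple", trusted=True)
    return Session("alice", creds, now=0.0)
```

The constructor rejects a configuration in which the deadman timer would fire before the screen lock, and the `audit` list records every lock, logoff and unlock attempt so that a trusted-user unlock of someone else's terminal is attributable afterwards.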