Ax-OS must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-276005	SRG-APP-000033	AXOS-00-000025	SV-276005r1122665_rule	2025-11-25	1

Description
Strong access controls are critical to securing the application server. The application server must employ access control policies (e.g., identity-based, role-based, and attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, and cryptography) to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, and application domains) in the application server. Without stringent logical access and authorization controls, an adversary may have the ability, with little effort, to compromise the application server and associated supporting infrastructure. Satisfies: SRG-APP-000033, SRG-APP-000158, SRG-APP-000211, SRG-APP-000233, SRG-APP-000340, SRG-APP-000342, SRG-APP-000328, SRG-APP-000380, SRG-APP-000386, SRG-APP-000472, SRG-APP-000473, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735

Description

Strong access controls are critical to securing the application server. The application server must employ access control policies (e.g., identity-based, role-based, and attribute-based policies) and access enforcement mechanisms (e.g., access control lists, access control matrices, and cryptography) to control access between users (or processes acting on behalf of users) and objects (e.g., applications, files, records, processes, and application domains) in the application server. Without stringent logical access and authorization controls, an adversary may have the ability, with little effort, to compromise the application server and associated supporting infrastructure. Satisfies: SRG-APP-000033, SRG-APP-000158, SRG-APP-000211, SRG-APP-000233, SRG-APP-000340, SRG-APP-000342, SRG-APP-000328, SRG-APP-000380, SRG-APP-000386, SRG-APP-000472, SRG-APP-000473, SRG-APP-000715, SRG-APP-000720, SRG-APP-000725, SRG-APP-000730, SRG-APP-000735

ℹ️ Check
Role-Based Access Control hierarchy is to be defined by the authorizing official (AO). Separation of duties must be configured. Select the gear icon (System Settings) >> Access Management >> LDAP & SAML. Depending on the multifactor type configured, under LDAP or SAML, locate "User Assignment Settings". If only one assigned role exists, this is a finding.

✔️ Fix
Role-Based Access Control hierarchy is to be defined by the AO. Separation of duties must be configured. Select the gear icon (System Settings) >> Access Management >> LDAP & SAML. Depending on the multifactor type configured, under LDAP or SAML, locate "User Assignment Settings". Assign two or more roles as defined by the AO and tie them to an LDAP/SAML user or group.