Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

CDP 35948455: Provide Role Related Access (app) #13

New Issue
Closed
opened 2026-04-16 08:16:46 +02:00 by Hartmut · 2 comments
Hartmut commented 2026-04-16 08:16:46 +02:00
Owner
Copy Link
Copy Source

CDP Control ID: 35948455
Category: Least Privileged Access
Frequency: Annually
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

Least Privileged Access Requirement: Provide access to individuals that is appropriate for their role and responsibilities, using the concept of Least Privileged Access, meaning individuals are only granted access to those resources and systems that are required to enable their delivery role. To give proper access it may be appropriate to create a separate new user ID rather than extending access rights of an existing ID. Guidance: Confirm Role Based Access Control is maintained in all systems and applications to ensure that no resource has been assigned additional privileges than required for the services. Maintain and review the access levels of resources for appropriateness (right people having right access to right systems) and record any changes for tracking and auditing purposes. Additional information can be found on CDP website Least Privileged Access

**CDP Control ID:** `35948455` **Category:** Least Privileged Access **Frequency:** Annually **Owner:** h.noerenberg **Parent:** #1 ## Requirement & Guidance Least Privileged Access Requirement: Provide access to individuals that is appropriate for their role and responsibilities, using the concept of Least Privileged Access, meaning individuals are only granted access to those resources and systems that are required to enable their delivery role. To give proper access it may be appropriate to create a separate new user ID rather than extending access rights of an existing ID. Guidance: Confirm Role Based Access Control is maintained in all systems and applications to ensure that no resource has been assigned additional privileges than required for the services. Maintain and review the access levels of resources for appropriateness (right people having right access to right systems) and record any changes for tracking and auditing purposes. Additional information can be found on CDP website Least Privileged Access
Hartmut added the cdpsecurity labels 2026-04-16 08:16:46 +02:00
Hartmut commented 2026-04-16 08:32:37 +02:00
Author
Owner
Copy Link
Copy Source

CapaKraken Action Plan — 35948455 Role-Based Access (Least Privilege)

Scope: Role-Based Access Control, individuell je Rolle.

Aktueller Stand:

  • docs/acn-security-compliance-status.md 3.2.2.3.11 OK — RBAC mit adminProcedure
  • Rollen: Role enum + UserRole join table (packages/db/prisma/schema.prisma)

Todos:

  • Rollen-Matrix dokumentieren: welche Rolle darf welche Aktion (nach Route / tRPC-Procedure)
  • Review: jede adminProcedure/protectedProcedure auf Least Privilege prüfen
  • Access-Review-Rhythmus definieren (jährlich pro Annually-Frequency dieses Controls)
  • Evidence: docs/rbac-matrix.md (neu) + Review-Log

Dateien:

  • packages/api/src/router/trpc.ts — Procedure-Levels
  • packages/db/prisma/schema.prisma — Role enum
### CapaKraken Action Plan — 35948455 Role-Based Access (Least Privilege) **Scope:** Role-Based Access Control, individuell je Rolle. **Aktueller Stand:** - `docs/acn-security-compliance-status.md` 3.2.2.3.11 **OK** — RBAC mit `adminProcedure` - Rollen: `Role` enum + `UserRole` join table (`packages/db/prisma/schema.prisma`) **Todos:** - [ ] Rollen-Matrix dokumentieren: welche Rolle darf welche Aktion (nach Route / tRPC-Procedure) - [ ] Review: jede `adminProcedure`/`protectedProcedure` auf Least Privilege prüfen - [ ] Access-Review-Rhythmus definieren (jährlich pro Annually-Frequency dieses Controls) - [ ] Evidence: `docs/rbac-matrix.md` (neu) + Review-Log **Dateien:** - `packages/api/src/router/trpc.ts` — Procedure-Levels - `packages/db/prisma/schema.prisma` — Role enum
Hartmut commented 2026-04-16 10:02:26 +02:00
Author
Owner
Copy Link
Copy Source

CapaKraken Compliance-Status

EAPPS-Mapping: 3.2.2.3.11 / Access Control Standard
Status: OK (laut docs/acn-security-compliance-status.md)

Zusammenfassung

Zugriff wird strikt rollenbasiert erteilt. Jede Rolle hat defaultPermissions: PermissionKey[]; einzelne User können zusätzlich individuelle Overrides erhalten.

Nachweis

Entscheidung: Control ist nachweislich erfüllt → Ticket wird geschlossen.

## CapaKraken Compliance-Status **EAPPS-Mapping:** `3.2.2.3.11 / Access Control Standard` **Status:** ✅ **OK** (laut `docs/acn-security-compliance-status.md`) ### Zusammenfassung Zugriff wird strikt rollenbasiert erteilt. Jede Rolle hat `defaultPermissions: PermissionKey[]`; einzelne User können zusätzlich individuelle Overrides erhalten. ### Nachweis - `SystemRoleConfig` mit `defaultPermissions Json @db.JsonB` — [`packages/db/prisma/schema.prisma`](../blob/main/packages/db/prisma/schema.prisma:1545) - `User.permissionOverrides` für Feingranularität — [`packages/db/prisma/schema.prisma`](../blob/main/packages/db/prisma/schema.prisma) - Rollen-Zuweisung + Permission-UI im Admin-Bereich — [`apps/web/src/app/(app)/admin`](../blob/main/apps/web/src/app/(app)/admin) - Compliance-Doc: Access Control Standard = **HOCH** (RBAC vorhanden) --- **Entscheidung:** Control ist nachweislich erfüllt → Ticket wird geschlossen.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
cdp
CDP (Client Data Protection) compliance
 epic
Parent/umbrella ticket
 not-applicable
Control does not apply to CapaKraken scope
 security
Security / compliance work
No Label cdp security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Hartmut
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#13
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?