CDP 35948454: Maintain System Administrator Log (app) #15

Closed
opened 2026-04-16 08:16:46 +02:00 by Hartmut · 2 comments

CDP Control ID: 35948454
Category: Administrator Access
Frequency: Biannually
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

Administrator Access Requirement: Maintain a log of all Administrators as part of the CDP Access Control Log. Administrators will then maintain an ACL that may contain additional details beyond what is in the engagement ACL (for example: User IDs; levels of heightened access).

Attachment(s) Required

Guidance: An administrator is a person who is responsible for, and has full access for, the upkeep and reliable operation of computer operating systems, databases, networks, and/or applications; the administrator may be involved with account creation, installations, and upgrades. Include administrators' data in the Access Control Log for client applications; record their User IDs and access privileges. Additional information can be found on the CDP website under Administrator Access.

Hartmut added the cdpsecurity label 2026-04-16 08:16:46 +02:00
Hartmut (Author, Owner):

CapaKraken Action Plan — 35948454 System Administrator Log (ACL)

Scope: Central list of all admin accounts including privilege levels.

Current status:

  • docs/acn-security-compliance-status.md 3.2.7.01 OK — Activity History / audit entries present
  • Roles in DB: UserRole table

Todos:

  • CDP Access Control Log as a document: docs/cdp-access-control-log.md (new)
    • Columns: User-ID | Name | Rolle | Start-Datum | Justification | Review-Datum
  • Admin UI report: "All users with ADMIN role" (CSV export for attestation)
  • Biannual review + sign-off by the control owner
  • Evidence: signed biannual review + ACL export

Files:

  • apps/web/src/app/(app)/admin/users/ (report feature)
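An added example, not CapaKraken project code, of the "all users with ADMIN role" report and ACL CSV export the action plan lists as todos: it assumes simplified User/UserRole shapes standing in for the app's UserRole table, uses the proposed column set, and flags rows whose biannual review is overdue or whose user record no longer exists.

```typescript
// Added example, not CapaKraken project code: the "all users with ADMIN role"
// report and ACL CSV export from the action plan. User/UserRole shapes below are
// assumed stand-ins for the app's UserRole table, not its real schema.
type User = { id: string; name: string };
type UserRole = { userId: string; role: "ADMIN" | "USER"; grantedAt: string;
  justification: string; lastReviewedAt: string | null }; // null = never attested
// Column set proposed for docs/cdp-access-control-log.md; the control frequency is
// "biannually", so a review older than ~6 months counts as overdue.
export const ACL_COLUMNS = ["User-ID", "Name", "Rolle", "Start-Datum", "Justification", "Review-Datum"];
export const REVIEW_INTERVAL_DAYS = 183;
export type AclRow = { userId: string; name: string; role: string; startDate: string;
  justification: string; reviewDate: string;
  overdue: boolean;    // review missing or older than REVIEW_INTERVAL_DAYS
  orphaned: boolean }; // ADMIN grant whose user record no longer exists

export function buildAdminAcl(users: User[], roles: UserRole[], today: Date): AclRow[] {
  const byId = new Map<string, User>();
  for (const u of users) byId.set(u.id, u);
  return roles
    .filter(r => r.role === "ADMIN") // only privileged accounts belong in the ACL
    .map(r => {
      const user = byId.get(r.userId);
      const reviewed = r.lastReviewedAt ? Date.parse(r.lastReviewedAt) : NaN;
      const ageDays = (today.getTime() - reviewed) / 86_400_000; // NaN when never reviewed
      return { userId: r.userId, name: user?.name ?? "<unknown user>", role: r.role,
        startDate: r.grantedAt, justification: r.justification, reviewDate: r.lastReviewedAt ?? "",
        overdue: Number.isNaN(ageDays) || ageDays > REVIEW_INTERVAL_DAYS, orphaned: user === undefined };
    })
    .sort((a, b) => a.userId.localeCompare(b.userId));
}

// RFC 4180-style quoting so justifications containing commas or quotes survive the export.
function csvEscape(v: string): string {
  return /[",\r\n]/.test(v) ? `"${v.replace(/"/g, '""')}"` : v;
}

// CSV for the attestation package (signed biannual review + ACL export).
export function aclToCsv(rows: AclRow[]): string {
  const body = rows.map(r =>
    [r.userId, r.name, r.role, r.startDate, r.justification, r.reviewDate].map(csvEscape).join(","));
  return [ACL_COLUMNS.join(","), ...body].join("\n") + "\n";
}

// Constructed sample data for a stand-alone run (no real accounts).
export const SAMPLE_USERS: User[] = [
  { id: "u-001", name: "Alice Example" }, { id: "u-002", name: "Bob Example" }, { id: "u-003", name: "Carol Example" }];
export const SAMPLE_ROLES: UserRole[] = [
  { userId: "u-001", role: "ADMIN", grantedAt: "2025-01-10", justification: "Platform on-call, release manager", lastReviewedAt: "2026-01-12" },
  { userId: "u-002", role: "USER", grantedAt: "2025-03-01", justification: "Standard account", lastReviewedAt: null },
  { userId: "u-003", role: "ADMIN", grantedAt: "2024-06-01", justification: "DB maintenance", lastReviewedAt: "2025-07-01" },
  { userId: "u-009", role: "ADMIN", grantedAt: "2024-02-01", justification: "Former contractor", lastReviewedAt: null }];
```

Rows flagged `overdue` or `orphaned` are the ones the control owner has to resolve before signing the biannual review; the CSV keeps only the six proposed columns.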
Hartmut (Author, Owner):

CapaKraken compliance status

EAPPS mapping: 3.2.7.01 / 3.2.7.03
Status: OK (according to docs/acn-security-compliance-status.md)

Summary

All relevant system admin activities are logged via Activity History and can be viewed in the admin UI.

Evidence

  • Activity History admin UI — apps/web/src/app/(app)/admin
  • Pino structured logging (stdout, server-side) — compliance doc EAPPS 3.2.7.03
  • Audit entries for critical changes — compliance doc EAPPS 3.2.7.01
  • Compliance doc: EAPPS 3.2.7.01 = OK, 3.2.7.03 = OK

Note (open remaining item — to be tracked separately)

The log retention policy (how long to retain?) is not yet formally documented — follow-up in the Logging Standard (see docs/acn-standards-applicability.md #6).

Decision: the control is verifiably fulfilled → ticket will be closed.


Reference: Hartmut/CapaKraken#15