CDP 35948467: Application ID (app/AI) #2

Closed
opened 2026-04-16 08:16:44 +02:00 by Hartmut · 2 comments
Owner

CDP Control ID: 35948467
Category: User Access Management
Frequency: Annually
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

User Access Management Requirement: If an Application ID is required, each Application should be assigned a unique Application ID. Individual users, including System Administrators, must not use Application IDs to access systems (i.e. where available, disable/revoke the regular user login capability on generic IDs and consider the use of surrogacy permissions, SSH keys, etc.).

Guidance: Confirm that application IDs, when assigned to resources, are unique to the application. Application IDs are generally default IDs generated by the application (e.g. sys, oracle IDs from Oracle, SA in SQL). Confirm these application IDs are not used for accessing systems like normal user IDs. Additional information can be found on the CDP website: User Access Management

Hartmut added the cdpsecurity labels 2026-04-16 08:16:44 +02:00
Author
Owner

CapaKraken Action Plan — 35948467 Application ID

Scope: Unique Application IDs / service accounts (not individual users).

Current state (from docs/acn-security-compliance-status.md):

  • No dedicated Application IDs in use for external services
  • Auth.js v5 + Argon2 for user auth (3.2.2.1.01 OK)

Todos:

  • Create an inventory of all service accounts / API keys (DB user capakraken, Redis, SMTP user, Sentry DSN, possibly Azure/OpenAI keys)
  • For each service account, check: is the login usable only by machines? (e.g. DB user only from the app container; restrictive Postgres pg_hba.conf)
  • Disable interactive logins for service accounts where possible (SSH keys instead of passwords, role-only DB user)
  • Evidence: docs/application-ids-inventory.md (new)

Evidence/context:

  • docs/security-architecture.md Sec. 12 (DB Security)
  • .env.example — key inventory as a starting point
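One way to run the pg_hba.conf check from the todo list above, as an added example that is not part of the ticket or the CapaKraken repository. The app-container subnet `172.20.0.0/24`, the sample file and the `audit` helper are assumptions made for illustration; only the role name `capakraken` comes from the ticket.

```python
import ipaddress

APP_ROLE = "capakraken"                          # DB user named in the ticket
APP_NET = ipaddress.ip_network("172.20.0.0/24")  # ASSUMPTION: app-container subnet

# Constructed sample pg_hba.conf (not taken from the project)
SAMPLE = """\
# TYPE  DATABASE    USER        ADDRESS         METHOD
local   all         postgres                    peer
host    capakraken  capakraken  172.20.0.5/32   scram-sha-256
host    all         all         0.0.0.0/0       scram-sha-256
host    capakraken  capakraken  10.0.0.0/8      md5
local   all         capakraken                  trust
"""

def audit(text, role=APP_ROLE, allowed=APP_NET):
    """Return (line_no, reason) for rules that open `role` beyond `allowed`.

    Ignores first-match ordering, so a finding can be shadowed by an
    earlier rule; every finding is a prompt for review, not a verdict.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        # Skip blanks/comments and rules that name neither the role nor "all"
        if len(f) < 4 or not set(f[2].split(",")) & {role, "all"}:
            continue
        if f[0] == "local":
            # Unix-socket rule: only unauthenticated access is flagged here
            if f[3] == "trust":
                findings.append((no, "socket login without authentication"))
            continue
        addr = f[3]
        if len(f) > 4 and f[4] == "reject":
            continue  # rule denies access
        if "/" not in addr:
            # Keywords (all, samenet), hostnames and IP+mask pairs are not parsed
            findings.append((no, f"address '{addr}' needs manual review"))
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            findings.append((no, f"address '{addr}' needs manual review"))
            continue
        if net.version != allowed.version or not net.subnet_of(allowed):
            findings.append((no, f"role reachable from {net}"))
    return findings

if __name__ == "__main__":
    for line_no, reason in audit(SAMPLE):
        print(f"pg_hba.conf:{line_no}: {reason}")
```

The findings can go straight into the planned inventory document as evidence that the database login is restricted to the application host.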
Author
Owner

CapaKraken Compliance Status

EAPPS mapping: 3.2.2.1.01 / 3.2.2.1.04
Status: OK (per docs/acn-security-compliance-status.md)

Summary

CapaKraken is an internal web app; there are no shared Application IDs or service accounts at the DB/auth level. Every user has a unique ID.

Evidence

  • Prisma User.email @unique — packages/db/prisma/schema.prisma
  • Passwords with Argon2id + automatic salt — apps/web/src/server/auth.ts
  • Cron endpoints use the CRON_SECRET header (not user login) — apps/web/src/lib/cron-auth.ts
  • Compliance doc: docs/acn-security-compliance-status.md — EAPPS 3.2.2.1.01 = OK

Decision: Control is demonstrably fulfilled → ticket is being closed.
Reference: Hartmut/CapaKraken#2