CDP 35948474: Environment Access (app) #5

New Issue

Closed

opened 2026-04-16 08:16:45 +02:00 by Hartmut · 2 comments

Hartmut commented 2026-04-16 08:16:45 +02:00

Owner

Copy Link

Copy Source

CDP Control ID: 35948474
Category: Least Privileged Access
Frequency: Annually
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

Least Privileged Access Requirement: Logically separate access between environments (e.g. dev/test/prod) so that an individual can be granted access to one environment without being able to access others. Guidance: Confirm that access IDs used for different environments such as development, testing, production is logically separated so an individual should not be granted access to other environments(e.g. test or prod) from current working environment(e.g. dev). Additional information can be found on CDP website Least Privileged Access

**CDP Control ID:** `35948474` **Category:** Least Privileged Access **Frequency:** Annually **Owner:** h.noerenberg **Parent:** #1 ## Requirement & Guidance Least Privileged Access Requirement: Logically separate access between environments (e.g. dev/test/prod) so that an individual can be granted access to one environment without being able to access others. Guidance: Confirm that access IDs used for different environments such as development, testing, production is logically separated so an individual should not be granted access to other environments(e.g. test or prod) from current working environment(e.g. dev). Additional information can be found on CDP website Least Privileged Access

Hartmut added the cdpsecurity labels 2026-04-16 08:16:45 +02:00

Hartmut referenced this issue 2026-04-16 08:16:53 +02:00

CDP Compliance Epic — alle Controls #1

Hartmut commented 2026-04-16 08:32:37 +02:00

Author

Owner

Copy Link

Copy Source

CapaKraken Action Plan — 35948474 Environment Access Segregation

Scope: Dev / Test / Prod logisch getrennte Zugänge (ein User darf nicht automatisch auf prod zugreifen wenn er dev hat).

Aktueller Stand:

• Drei Environments dokumentiert? Check docker-compose.yml, docker-compose.prod.yml, CI
• Gemeinsame User-DB Dev/Prod? Laut LEARNINGS ist die Dev-DB separat

Todos:

• Explizit dokumentieren: welche Environments existieren, welche Credentials pro Env
• Prüfen: DB-Dumps Prod → Dev verboten (bereits: 3.2.3.03 OK — fiktive Seed-Daten)
• Admin-UI zeigt Env-Banner (NEXT_PUBLIC_ENV) klar an
• Env-Variables in .env.production und .env.example strikt getrennt dokumentieren
• Evidence: docs/environment-segregation.md (neu)

Dateien:

• docker-compose.yml / docker-compose.prod.yml / docker-compose.ci.yml

### CapaKraken Action Plan — 35948474 Environment Access Segregation **Scope:** Dev / Test / Prod logisch getrennte Zugänge (ein User darf nicht automatisch auf prod zugreifen wenn er dev hat). **Aktueller Stand:** - Drei Environments dokumentiert? Check `docker-compose.yml`, `docker-compose.prod.yml`, CI - Gemeinsame User-DB Dev/Prod? Laut LEARNINGS ist die Dev-DB separat **Todos:** - [ ] Explizit dokumentieren: welche Environments existieren, welche Credentials pro Env - [ ] Prüfen: DB-Dumps Prod → Dev verboten (bereits: 3.2.3.03 OK — fiktive Seed-Daten) - [ ] Admin-UI zeigt Env-Banner (`NEXT_PUBLIC_ENV`) klar an - [ ] Env-Variables in `.env.production` und `.env.example` strikt getrennt dokumentieren - [ ] Evidence: `docs/environment-segregation.md` (neu) **Dateien:** - `docker-compose.yml` / `docker-compose.prod.yml` / `docker-compose.ci.yml`

Hartmut commented 2026-04-16 10:02:25 +02:00

Author

Owner

Copy Link

Copy Source

CapaKraken Compliance-Status

EAPPS-Mapping: 3.2.3.03
Status: ✅ OK (laut docs/acn-security-compliance-status.md)

Zusammenfassung

Dev/Test/Prod sind logisch getrennt über separate DATABASE_URL, Docker-Compose-Profiles und fiktive Seed-Daten. Ein User mit Dev-Zugang hat nicht automatisch Prod-Zugang (separate User-Tabellen pro DB).

Nachweis

• Separate Compose-Stacks: docker-compose.yml (dev) vs. docker-compose.prod.yml
• Seed-Daten sind fiktiv (Marvel Characters) — packages/db/prisma/dev-seed.sql
• Compliance-Doc: EAPPS 3.2.3.03 = OK — Keine Prod-Daten in Non-Prod

---

Entscheidung: Control ist nachweislich erfüllt → Ticket wird geschlossen.

## CapaKraken Compliance-Status **EAPPS-Mapping:** `3.2.3.03` **Status:** ✅ **OK** (laut `docs/acn-security-compliance-status.md`) ### Zusammenfassung Dev/Test/Prod sind logisch getrennt über separate `DATABASE_URL`, Docker-Compose-Profiles und fiktive Seed-Daten. Ein User mit Dev-Zugang hat nicht automatisch Prod-Zugang (separate User-Tabellen pro DB). ### Nachweis - Separate Compose-Stacks: [`docker-compose.yml`](../blob/main/docker-compose.yml) (dev) vs. [`docker-compose.prod.yml`](../blob/main/docker-compose.prod.yml) - Seed-Daten sind fiktiv (Marvel Characters) — [`packages/db/prisma/dev-seed.sql`](../blob/main/packages/db/prisma/dev-seed.sql) - Compliance-Doc: EAPPS 3.2.3.03 = **OK** — *Keine Prod-Daten in Non-Prod* --- **Entscheidung:** Control ist nachweislich erfüllt → Ticket wird geschlossen.

Hartmut closed this issue 2026-04-16 10:02:25 +02:00

Hartmut referenced this issue 2026-04-16 10:20:07 +02:00

CDP Compliance Epic — alle Controls #1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

security/password-policy-blacklist

security/audit-2026-04-17

pre-rename-backup

Labels

Clear labels

cdp

CDP (Client Data Protection) compliance

epic

Parent/umbrella ticket

not-applicable

Control does not apply to CapaKraken scope

security

Security / compliance work

No Label cdp security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Hartmut

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#5