CDP 35948452: Confirm Uniqueness of IDs and Passwords (app/AI) #9

Closed
opened 2026-04-16 08:16:45 +02:00 by Hartmut · 2 comments
Owner

CDP Control ID: 35948452
Category: User Access Management
Frequency: Biannually
Owner: h.noerenberg
Parent: #1

## Requirement & Guidance

**User Access Management Requirement:** Confirm uniqueness of user IDs and passwords for each individual. Individual user IDs must not be shared.

**Guidance:** Confirm that the user IDs and passwords in client applications are unique and personal for all resources. Confirm that there are no common or shared IDs between resources. Passwords must be stored securely (in a password vault or equivalent).

For password vaults, internet access can be allowed if the following three controls are in place:

- Strong authentication (no access keys or secrets; RBAC integration with Entra): https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
- Key Vault logs must be enabled: https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault
- Azure Defender for Key Vault must be used, with alerts delivered to the SIEM and actioned upon: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-key-vault-plan

Follow the Identification and Authentication standard for further requirements on approved password vaults and specific requirements. Additional information can be found on the CDP website under User Access Management.
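The three vault conditions above can be turned into a repeatable check rather than a manual portal review. The following is an added example written for this page; it is not CapaKraken project code and not part of the CDP guidance. It evaluates exported resource JSON offline. The input shapes (`enableRbacAuthorization`, `publicNetworkAccess`, the `logs[].category` / `workspaceId` fields, `pricingTier`) are assumptions modelled on what `az keyvault show`, `az monitor diagnostic-settings show` and `az security pricing show --name KeyVaults` print; the sample records are constructed.

```typescript
// Added example, not CapaKraken project code: an offline check of the three
// conditions the guidance attaches to an internet-reachable Azure Key Vault.
// Input shapes are assumptions modelled on the JSON printed by
// `az keyvault show`, `az monitor diagnostic-settings show` and
// `az security pricing show --name KeyVaults`; the sample records are constructed.

export interface VaultResource {
  name: string;
  properties: {
    enableRbacAuthorization?: boolean;
    publicNetworkAccess?: "Enabled" | "Disabled";
  };
}

export interface DiagnosticSetting {
  workspaceId?: string | null; // Log Analytics sink that feeds the SIEM
  logs: { category?: string; categoryGroup?: string; enabled: boolean }[];
}

export interface DefenderPricing {
  name: string; // "KeyVaults" is the Defender for Key Vault plan
  pricingTier: "Free" | "Standard";
}

export interface VaultFinding {
  vault: string;
  control: "strong-auth" | "logging" | "defender";
  ok: boolean;
  detail: string;
}

export function assessKeyVault(
  vault: VaultResource,
  diag: DiagnosticSetting | undefined,
  pricing: DefenderPricing,
): VaultFinding[] {
  const name = vault.name;

  // 1. Strong auth: data-plane authorization via Entra RBAC, not vault access policies.
  const rbac = vault.properties.enableRbacAuthorization === true;

  // 2. Logging: the AuditEvent category is enabled and routed to a workspace.
  const auditOn =
    diag?.logs.some(
      (l) =>
        l.enabled &&
        (l.category === "AuditEvent" || l.categoryGroup === "audit" || l.categoryGroup === "allLogs"),
    ) ?? false;
  const logging = auditOn && Boolean(diag?.workspaceId);

  // 3. Defender for Key Vault plan on the Standard tier.
  const defender = pricing.name === "KeyVaults" && pricing.pricingTier === "Standard";

  return [
    { vault: name, control: "strong-auth", ok: rbac,
      detail: rbac ? "enableRbacAuthorization=true" : "access-policy model in use; enable RBAC authorization" },
    { vault: name, control: "logging", ok: logging,
      detail: logging ? "AuditEvent routed to workspace" : "AuditEvent not enabled or no workspace sink" },
    { vault: name, control: "defender", ok: defender,
      detail: defender ? "Defender for Key Vault: Standard" : "Defender for Key Vault plan not enabled" },
  ];
}

// The guidance permits internet access only when all three controls hold. A vault
// with public network access disabled is not internet-reachable, so the condition
// does not apply to it.
export function internetAccessPermitted(vault: VaultResource, findings: VaultFinding[]): boolean {
  if (vault.properties.publicNetworkAccess === "Disabled") return true;
  return findings.every((f) => f.ok);
}

// Constructed sample records (placeholder subscription id, not a real tenant).
export const compliantVault: VaultResource = {
  name: "kv-capakraken-prod",
  properties: { enableRbacAuthorization: true, publicNetworkAccess: "Enabled" },
};
export const compliantDiag: DiagnosticSetting = {
  workspaceId:
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sec/providers/Microsoft.OperationalInsights/workspaces/law-siem",
  logs: [{ category: "AuditEvent", enabled: true }],
};
export const legacyVault: VaultResource = {
  name: "kv-legacy",
  properties: { enableRbacAuthorization: false, publicNetworkAccess: "Enabled" },
};
export const standardPricing: DefenderPricing = { name: "KeyVaults", pricingTier: "Standard" };
export const freePricing: DefenderPricing = { name: "KeyVaults", pricingTier: "Free" };
```

Run it against the JSON of each vault in scope and keep the failing `VaultFinding` entries as the evidence record; a vault that fails any of the three must either be moved to `publicNetworkAccess: "Disabled"` or fixed before the biannual sign-off.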
Hartmut added the cdpsecurity labels 2026-04-16 08:16:45 +02:00
Hartmut (Author, Owner) commented:

### CapaKraken Action Plan — 35948452 Unique IDs & Passwords

**Scope:** Unique user IDs + passwords, no shared logins, password vault, MFA for vault use.

**Current state:**

- `docs/acn-security-compliance-status.md` 3.2.2.1.01 **OK** — Auth.js v5 + Argon2 + TOTP MFA
- User IDs unique via DB unique constraint (`User.email`)

**Todos:**

- [ ] Evaluate a password vault for team secrets (Bitwarden/1Password/Azure Key Vault)
  - Azure KV docs: https://learn.microsoft.com/en-us/azure/key-vault/general/authentication
  - KV logging: https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault
  - Defender: https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-key-vault-plan
- [ ] Document policy: no passwords in `.env` outside the secrets manager
- [ ] Audit: all `UserRole=ADMIN` accounts have MFA enabled
- [ ] Evidence: `docs/secrets-management.md` (new) + admin MFA report

**Files:**

- `packages/api/src/router/auth/*`, `packages/db/prisma/schema.prisma` (User model)
Hartmut (Author, Owner) commented:

## CapaKraken Compliance Status

**EAPPS mapping:** `3.2.2.1.01`

**Status:** ✅ **OK** (per `docs/acn-security-compliance-status.md`)

### Summary

Every user has a unique e-mail ID; passwords are Argon2id-hashed with a random salt. No shared or default credentials.

### Evidence

- `User.email @unique` (Prisma) — [`packages/db/prisma/schema.prisma`](../blob/main/packages/db/prisma/schema.prisma)
- Argon2id hashing in user creation and password reset — [`packages/api/src/router/auth.ts`](../blob/main/packages/api/src/router/auth.ts), [`scripts/setup-admin.mjs`](../blob/main/scripts/setup-admin.mjs)
- No default passwords (the seed sets an `$argon2id$` hash) — [`scripts/import-dev-seed.mjs`](../blob/main/scripts/import-dev-seed.mjs)
- Compliance doc: EAPPS 3.2.2.1.01 = **OK**

---

**Decision:** control is demonstrably met → ticket will be closed.
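The evidence in the two comments above rests on three claims: e-mail IDs are unique, stored passwords are Argon2id with a per-user random salt, and every admin has MFA. The audit below, an added example written for this page and not CapaKraken project code, checks all three over exported `User` rows without touching the database. The column names (`email`, `passwordHash`, `role`, `mfaEnabled`) are assumptions, since the page does not show the Prisma model; the sample rows are constructed and the hashes are placeholders. One caveat worth checking in the real data: a `@unique` index on PostgreSQL compares bytes, so `Alice@Example.com` and `alice@example.com` are two distinct "unique" IDs unless the application normalises e-mail addresses before writing them.

```typescript
// Added example, not CapaKraken project code: an offline audit over exported
// User rows that checks the three claims in the ticket (unique IDs, Argon2id
// with a per-user random salt, MFA on admin accounts). Column names below are
// assumptions; the actual Prisma model is not shown on the page.

export interface UserRow {
  id: string;
  email: string;
  passwordHash: string; // PHC string, e.g. "$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>"
  role: "USER" | "ADMIN";
  mfaEnabled: boolean;
}

export interface Argon2Params {
  variant: string; version: number; m: number; t: number; p: number; salt: string;
}

export interface Finding { userId: string; check: string; detail: string }

// Parse the PHC string format emitted by argon2 libraries. Anything else
// (bcrypt, plaintext, empty) yields null and becomes a finding.
export function parseArgon2(phc: string): Argon2Params | null {
  const m = /^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+\/]+)\$([A-Za-z0-9+\/]+)$/.exec(phc);
  if (!m) return null;
  return {
    variant: String(m[1]), version: Number(m[2]),
    m: Number(m[3]), t: Number(m[4]), p: Number(m[5]), salt: String(m[6]),
  };
}

// Floor taken from the OWASP Password Storage Cheat Sheet's Argon2id settings
// (19 MiB with t=2, or 47 MiB with t=1; p=1). This floor is an audit policy choice.
export function meetsArgon2Floor(q: Argon2Params): boolean {
  if (q.variant !== "argon2id" || q.p < 1) return false;
  return (q.m >= 19456 && q.t >= 2) || (q.m >= 47104 && q.t >= 1);
}

export function auditUsers(rows: UserRow[]): Finding[] {
  const findings: Finding[] = [];
  const emailOwner = new Map<string, string>(); // normalised e-mail -> user id
  const saltOwner = new Map<string, string>();  // salt -> user id

  for (const u of rows) {
    // Uniqueness: normalise before comparing, because a byte-exact @unique index
    // accepts "Alice@Example.com" next to "alice@example.com".
    const key = u.email.trim().toLowerCase();
    const prior = emailOwner.get(key);
    if (prior !== undefined) {
      findings.push({ userId: u.id, check: "unique-id", detail: `e-mail collides with user ${prior} after normalisation` });
    } else {
      emailOwner.set(key, u.id);
    }

    // Password storage: Argon2id, parameters at or above the floor, salt not shared with another row.
    const params = parseArgon2(u.passwordHash);
    if (params === null) {
      findings.push({ userId: u.id, check: "password-hash", detail: "not an Argon2 PHC string" });
    } else {
      if (!meetsArgon2Floor(params)) {
        findings.push({ userId: u.id, check: "weak-params", detail: `${params.variant} m=${params.m} t=${params.t} p=${params.p}` });
      }
      const reused = saltOwner.get(params.salt);
      if (reused !== undefined) {
        findings.push({ userId: u.id, check: "salt-reuse", detail: `salt also used by user ${reused}` });
      } else {
        saltOwner.set(params.salt, u.id);
      }
    }

    // Admin MFA: every ADMIN must have TOTP enabled.
    if (u.role === "ADMIN" && !u.mfaEnabled) {
      findings.push({ userId: u.id, check: "admin-mfa", detail: "ADMIN account without MFA" });
    }
  }
  return findings;
}

// Constructed sample rows; salts and hashes are placeholder base64, not real credentials.
export const sampleUsers: UserRow[] = [
  { id: "u1", email: "alice@example.com", role: "ADMIN", mfaEnabled: true,
    passwordHash: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdDAwMDAwMDAwMDAw$aGFzaDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw" },
  { id: "u2", email: "Alice@Example.com", role: "USER", mfaEnabled: false, // same mailbox, different bytes
    passwordHash: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdDExMTExMTExMTEx$aGFzaDExMTExMTExMTExMTExMTExMTExMTEx" },
  { id: "u3", email: "bob@example.com", role: "USER", mfaEnabled: false, // legacy import, not Argon2
    passwordHash: "$2b$12$placeholderplaceholderplaceholderplaceholderplacehold" },
  { id: "u4", email: "carol@example.com", role: "ADMIN", mfaEnabled: false, // weak params, reused salt, no MFA
    passwordHash: "$argon2id$v=19$m=4096,t=1,p=1$c2FsdDAwMDAwMDAwMDAw$aGFzaDIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy" },
];
```

Feed it the result of a read-only export of the `User` table and attach the returned findings (or an empty list) as the admin MFA report the action plan asks for; a salt that appears on two rows, or any non-Argon2id hash, contradicts the "random salt" evidence and should block closure.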
1 Participants
Reference: Hartmut/CapaKraken#9