# Security Requirements
## Authentication
1. All authentication must use TLS 1.3 with modern ciphers (AES256-GCM, CHACHA20)
2. Client certificate pinning required (SHA-256 fingerprints)
3. Signed OU claims for role mapping (HMAC-SHA256)
## Authorization
1. Role-Based Access Control (RBAC) with:
   - Role inheritance hierarchy
   - Permission composition
   - Boundary enforcement (GLOBAL, INTERNAL, RESTRICTED)
2. Least privilege principle enforced
3. All privileged operations require ADMIN role
## Data Protection
1. AES-256 encryption for all secrets
2. Audit logs with integrity protection (HMAC-SHA256)
3. 90-day audit log retention
## New Requirements for Role Inheritance
1. Roles can inherit permissions from parent roles
2. Inheritance must respect boundary restrictions
3. Circular inheritance must be prevented
4. Admin role inherits all permissions
5. Developer role inherits basic permissions
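
One way to check the role inheritance requirements above when a role definition is loaded. This is an added example, not code from the project. The data layout, the role and permission names, the boundary ordering (GLOBAL < INTERNAL < RESTRICTED) and the rule that a role may not inherit from a more sensitive boundary are assumptions; the page names the boundaries but does not define how they restrict inheritance.

```python
from enum import IntEnum

class Boundary(IntEnum):
    # Assumed ordering (not stated on the page): higher value = more sensitive.
    GLOBAL = 0
    INTERNAL = 1
    RESTRICTED = 2

class RoleError(ValueError):
    """Raised when a role graph violates an inheritance requirement."""

def resolve_permissions(roles):
    """roles: {name: {"boundary": Boundary, "parents": [names], "perms": set}}.
    Returns {name: effective permissions}. Raises RoleError on circular
    inheritance, an unknown parent, or an edge that crosses a boundary upward."""
    effective, path = {}, []  # path = roles on the current depth-first walk

    def visit(name):
        if name in effective:
            return effective[name]
        if name in path:  # reached a role that is already being resolved
            cycle = path[path.index(name):] + [name]
            raise RoleError("circular inheritance: " + " -> ".join(cycle))
        if name not in roles:
            raise RoleError(f"unknown role: {name}")
        role = roles[name]
        path.append(name)
        perms = set(role["perms"])
        for parent in role["parents"]:
            inherited = visit(parent)
            # Assumed rule: never inherit from a more sensitive boundary.
            if roles[parent]["boundary"] > role["boundary"]:
                raise RoleError(f"{name} cannot inherit from {parent}: boundary "
                                f"{roles[parent]['boundary'].name} exceeds {role['boundary'].name}")
            perms |= inherited
        path.pop()
        effective[name] = perms
        return perms

    for name in roles:
        visit(name)
    return effective

# Constructed sample roles; names and permissions are illustrative only.
SAMPLE = {
    "basic":     {"boundary": Boundary.GLOBAL,     "parents": [],            "perms": {"read"}},
    "developer": {"boundary": Boundary.INTERNAL,   "parents": ["basic"],     "perms": {"deploy"}},
    "admin":     {"boundary": Boundary.RESTRICTED, "parents": ["developer"], "perms": {"manage_keys"}},
}
```

Running the check at load time rejects a bad role graph before any access decision is made, and the error message names the full cycle or the offending edge for the audit log.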