
Identify Resources and Roles

The second part of establishing organization requirements is to identify resources and map each resource to the roles that need access to it.

The purpose of this step is to link resources with roles. Linking the two tells you what needs protection (the resource) and what type of protection it requires (which roles may reach it, and therefore who must be kept out).

When identifying resources:

How this applies to policies:

Resources are defined in realms and rules. Roles are not defined as separate objects: a user's role is implied by the user group to which the user belongs or by the user's attributes, so the policy that implements a row of the table binds that group or attribute to the rule. In an airline application, for example, a user belonging to the Pilot user group would perform the tasks associated with the Pilot role.

To identify resources and roles

  1. Using a table or chart similar to the security model table described earlier in this chapter, list the resources in the Resources column.
  2. Identify all subdivisions of a single resource. For example, if a directory called /bidding had two subdirectories below it, such as /bidding/flights and /bidding/standby, both subdirectories would be listed as resources. By listing each subdirectory as a separate resource, you decide explicitly whether it needs protection different from its parent's, rather than letting it silently inherit the parent's protection.
  3. Next to each resource, list the roles that will need access to the resource.
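The procedure above as a small worked example. This is added code, not part of the original page or of any CA product: it builds the resource/role table from a constructed list of resources (the /bidding example from step 2, extended with one more level and a hypothetical /schedules resource) and hypothetical role names, then reviews the table for the cases a reviewer should look at before realms and rules are written: a resource with no roles mapped, a subdirectory that grants roles its parent does not, and a subdirectory whose roles are identical to its parent's and may not need separate protection.

```python
from pathlib import PurePosixPath

# Constructed sample data for this example (not from the original page).
# Resources follow step 2: /bidding and each of its subdivisions are listed
# separately. All role names are hypothetical.
RESOURCES = [
    "/bidding",
    "/bidding/flights",
    "/bidding/flights/history",
    "/bidding/standby",
    "/schedules",
]
ROLES_FOR = {
    "/bidding":                 {"Pilot", "Scheduler"},
    "/bidding/flights":         {"Pilot"},
    "/bidding/flights/history": {"Pilot"},                      # same as parent
    "/bidding/standby":         {"Pilot", "Scheduler", "Crew"},  # wider than parent
    "/schedules":               set(),                          # nobody mapped yet
}


def parent_of(resource, resources):
    """Return the most specific listed resource that contains `resource`,
    or None when none of its ancestors is listed. Uses path semantics, so
    /bid is not treated as a parent of /bidding/flights."""
    path = PurePosixPath(resource)
    ancestors = [r for r in resources
                 if r != resource and PurePosixPath(r) in path.parents]
    return max(ancestors, key=len) if ancestors else None


def build_table(resources, roles_for):
    """Rows of the security-model table: (resource, parent, sorted roles)."""
    return [(r, parent_of(r, resources), sorted(roles_for.get(r, ())))
            for r in sorted(resources)]


def review_table(resources, roles_for):
    """Flag rows that need a decision before they become realms and rules.
    Returns (resource, issue_code) pairs in the order resources are listed."""
    findings = []
    for r in resources:
        roles = roles_for.get(r, set())
        parent = parent_of(r, resources)
        parent_roles = roles_for.get(parent, set()) if parent else set()
        if not roles:
            # Either nobody should reach it (then say so) or it was forgotten.
            findings.append((r, "no-roles"))
        if parent is not None:
            if roles - parent_roles:
                # A subdivision more open than its parent is usually a mistake.
                findings.append((r, "wider-than-parent"))
            elif roles == parent_roles:
                # Identical access: listing it separately may add nothing.
                findings.append((r, "same-as-parent"))
    return findings


def format_table(rows):
    """Render the rows as a plain-text table for review."""
    width = max(len(r) for r, _, _ in rows)
    lines = [f"{'Resource':<{width}}  {'Parent':<{width}}  Roles"]
    for resource, parent, roles in rows:
        lines.append(f"{resource:<{width}}  {parent or '-':<{width}}  "
                     f"{', '.join(roles) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(build_table(RESOURCES, ROLES_FOR)))
    for resource, code in review_table(RESOURCES, ROLES_FOR):
        print(f"review: {resource}: {code}")
```

Running it prints the table and three review lines: /bidding/flights/history matches its parent, /bidding/standby grants Crew although /bidding does not, and /schedules has no roles at all. Each of those is a decision to make on paper now rather than a surprise after the policies are deployed.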


Copyright © 2010 CA. All rights reserved.