This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Test Permissions of Guest/Training Accounts (OTG-IDENT-006)"
(Created page with "== Summary == Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required fo...") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | {{Template:OWASP Testing Guide v4}} | ||
| + | |||
== Summary == | == Summary == | ||
| Line 7: | Line 9: | ||
Evaluate consistency between access policy and guest/training account access permissions | Evaluate consistency between access policy and guest/training account access permissions | ||
| − | + | Build or validate access control matrix including guest/training accounts | |
== How to test == | == How to test == | ||
| − | + | Either with or without the help of the system developers/configurators, develop an guest/training account vs. permission matrix. The matrix should explore the permissions that assigned to guest/training accounts. If a matrix is provided with the application it should be validated by the tester, if it doesn't exist, the tester should generate it and determine whether the matrix satisfies the desired access policy for the application. | |
=== Example === | === Example === | ||
| Line 25: | Line 27: | ||
== Remediation == | == Remediation == | ||
| − | Ensure | + | Ensure guest/training accounts are provisioned with the minimum permissions required for users that are not formally authorised or trained to use the application. |
| − | |||
| − | |||
Latest revision as of 16:41, 21 November 2013
This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project
Summary
Guest and Training accounts are useful ways to acquaint potential users with system functionality prior to them completing the authorisation process required for access. However, these accounts are often modeled on business roles and may be provisioned with access to more functionality than is required for the user.
Test objectives
Evaluate consistency between access policy and guest/training account access permissions
Build or validate access control matrix including guest/training accounts
How to test
Either with or without the help of the system developers/configurators, develop an guest/training account vs. permission matrix. The matrix should explore the permissions that assigned to guest/training accounts. If a matrix is provided with the application it should be validated by the tester, if it doesn't exist, the tester should generate it and determine whether the matrix satisfies the desired access policy for the application.
Example
<insert some images of guest/training account instances>
Tools
References
Remediation
Ensure guest/training accounts are provisioned with the minimum permissions required for users that are not formally authorised or trained to use the application.
