Control: The organisation establishes procedures to ensure [Assignment: organisation-defined access control decisions] are applied to each access request prior to access enforcement.
Supplemental Guidance:
Access control decisions (also known as authorisation decisions) occur when authorisation information is applied to specific accesses. In contrast, access enforcement occurs when information systems enforce access control decisions. While it is very common to have access control decisions and access enforcement implemented by the same entity, it is not required and it is not always an optimal implementation choice. For some architectures and distributed information systems, different entities may perform access control decisions and access enforcement.
Access Control Decisions Control Enhancements:
AC-24 (1) Access Control Decisions - Transmit access authorisation information
The information system transmits [Assignment: organisation-defined access authorisation information] using [Assignment: organisation-defined security safeguards] to [Assignment: organisation-defined information systems] that enforce access control decisions.
Supplemental Guidance:
In distributed information systems, authorisation processes and access control decisions may occur in separate parts of the systems. In such instances, authorisation information is transmitted securely so timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorisation information, supporting security attributes. This is due to the fact that in distributed information systems, there are various access control decisions that need to be made and different entities (e.g., services) make these decisions in a serial fashion, each requiring some security attributes to make the decisions. Protecting access authorisation information (i.e., access control decisions) ensures that such information cannot be altered, spoofed, or otherwise compromised during transmission.
AC-24 (2) Access Control Decisions - No user or process identity
The information system enforces access control decisions based on [Assignment: organisation- defined security attributes] that do not include the identity of the user or process acting on behalf of the user.
Supplemental Guidance:
In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions and, especially in the case of distributed information systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish.