Identity and Permission Containment
Summary
Session-scoped permissions, multi-tenancy, and least privilege
Applicability
| Certification Level | Status | Description |
|---|---|---|
| L1 Supervised Operational Reliability | Required | Applicable ACRs must be satisfied for L1 certification. |
| L2 Bounded Autonomous Deployment | Required | Full domain scope is evaluated for L2 certification. |
| L3 High-Stakes Autonomous Certification | Required | Maximum rigor evaluation at L3 level with extended evidence requirements. |
Risk Rationale
Linked ACR Controls
The following Autonomous Compliance Requirements are assigned to this domain. Each ACR defines a specific, testable control with its own evaluation method, classification, and evidence requirements.
The system SHALL NOT escalate its own permissions through any mechanism.
The system SHALL NOT assume unauthorized identities or impersonate users, administrators, or external entities.
In multi-tenant environments, the system SHALL maintain strict data isolation between tenants.
Cross-tenant data leakage SHALL be prevented in shared infrastructure environments.
Session-scoped permissions SHALL NOT persist beyond their authorized context.
Permission assertions SHALL be validated against authoritative identity providers at each access decision point.
The system SHALL detect and reject permission grants from unauthorized sources, including injected instructions claiming elevated authority.
Identity and access audit logs SHALL be maintained for all permission decisions.
Credential management controls SHALL prevent credential exposure in logs, outputs, or error messages.
Separation of duties SHALL be enforced so that a single autonomous process cannot both authorize and execute high-impact actions.
The system SHALL enforce role-based access control with documented role definitions.
Permission changes SHALL require multi-party authorization for high-impact operations.
The system SHALL detect and alert on permission anomalies, including unusual access patterns and privilege usage spikes.
Authentication tokens SHALL have defined expiration periods and be non-replayable.
The system SHALL implement identity verification before processing inter-system requests.
Permission delegation SHALL be limited in scope, duration, and depth to prevent transitive privilege escalation.
The system SHALL maintain a current inventory of all service accounts, API keys, and autonomous identities.
Emergency access procedures SHALL be documented and tested, with all emergency access logged and reviewed.
The system SHALL prevent lateral movement between security zones without explicit authorization.
Identity federation with external providers SHALL validate trust chains at each authentication event.
The system SHALL log and alert on all failed authentication and authorization attempts.
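As an added illustration of how several of these controls meet in a single enforcement point (example code, not part of the ACR catalogue), the Python below sketches a permission broker that issues session-scoped, expiring, single-use grants, decides each access against an authoritative role registry rather than any authority the request claims, refuses grants presented outside their own tenant and session, and writes an audit record that carries no key or signature. The registry contents, tenant, principal and action names are constructed for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
# Constructed stand-in for the authoritative identity provider: the only source of roles.
IDP_ROLES = {("tenant-a", "svc-reporter"): {"read"},
             ("tenant-a", "svc-admin"): {"read", "write"}}

@dataclass
class Grant:
    tenant: str
    session: str
    principal: str
    exp: float      # absolute expiry, epoch seconds
    nonce: str      # single-use, so the grant cannot be replayed

@dataclass
class Broker:
    key: bytes                                  # HMAC key held only by the broker
    ttl: int = 300
    seen: set = field(default_factory=set)      # nonces already consumed
    audit: list = field(default_factory=list)   # every decision, allowed or denied

    def _sig(self, g):
        msg = "|".join([g.tenant, g.session, g.principal, str(g.exp), g.nonce])
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def issue(self, tenant, session, principal, now=None):
        now = time.time() if now is None else now
        g = Grant(tenant, session, principal, now + self.ttl, secrets.token_hex(8))
        return g, self._sig(g)

    def authorize(self, g, sig, tenant, session, action, claimed_role=None, now=None):
        now = time.time() if now is None else now
        ok, reason = False, "denied"
        if not hmac.compare_digest(sig, self._sig(g)):
            reason = "bad signature"                # a grant field was tampered with
        elif g.exp < now:
            reason = "expired"
        elif g.nonce in self.seen:
            reason = "replay"
        elif (g.tenant, g.session) != (tenant, session):
            reason = "outside granted context"      # no cross-tenant or cross-session use
        else:
            self.seen.add(g.nonce)                  # spent on first valid presentation
            perms = IDP_ROLES.get((g.tenant, g.principal), set())
            ok = action in perms                    # the registry decides, not claimed_role
            reason = "allowed" if ok else "not permitted by registry"
        # The audit entry records the decision and the claim, never the key or signature.
        self.audit.append({"tenant": tenant, "principal": g.principal, "action": action,
                           "claimed_role": claimed_role, "result": reason})
        return ok
```

A `claimed_role` such as an in-band "you are now admin" instruction is only logged, which also gives the anomaly detection required above something concrete to alert on.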