Role Separation / Duty Segregation
Description
Structure application roles around single-responsibility privilege domains, ensuring that capabilities in one domain cannot be leveraged to gain privileges in an unrelated domain. Each role governs a bounded set of operations (e.g., user management, deployment, financial operations) and cannot modify its own scope, create tokens with elevated scope, or grant itself additional roles. Token and session scopes are minted to the specific capability required for each operation rather than to the user's maximum privilege set. Role definitions enforce mutual exclusion where domain separation requires it (e.g., the role that configures authentication policies cannot also be the role that manages user accounts). This prevents privilege-chaining attacks in which compromising one admin capability bootstraps into full system compromise.
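As an added example (not part of this entry or any referenced product), the following Python model enforces the rules described above: one privilege domain per role, mutual exclusion between the authentication-policy role and the user-account role, tokens bounded to a single operation, and refusal of any operation that would let a principal grant itself roles or let a role edit its own scope. The role, domain, operation and principal names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed role definitions: one privilege domain per role, with a
# bounded set of operations inside that domain.
ROLES = {
    "user_admin": {"domain": "users", "ops": {"users:create", "users:assign_role"}},
    "auth_admin": {"domain": "auth", "ops": {"auth:set_policy"}},
    "role_admin": {"domain": "roles", "ops": {"roles:edit_ops"}},
    "deployer": {"domain": "deploy", "ops": {"deploy:push", "deploy:rollback"}},
}
# Domain pairs a single principal may never hold together (authn policy vs accounts).
MUTUALLY_EXCLUSIVE = {frozenset({"auth", "users"})}

class PolicyError(Exception):
    """Raised when a role assignment or token request violates separation."""

@dataclass(frozen=True)
class Token:
    principal: str
    role: str
    scope: frozenset  # exactly the operation minted, never the full role set

def check_role_set(roles):
    """Reject role sets that span mutually exclusive domains."""
    domains = {ROLES[r]["domain"] for r in roles}
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= domains:
            raise PolicyError(f"mutually exclusive domains held: {sorted(pair)}")

def mint_token(principal, held_roles, operation):
    """Mint a token bounded to one operation from one role the principal holds."""
    check_role_set(held_roles)
    for r in sorted(held_roles):
        if operation in ROLES[r]["ops"]:
            return Token(principal, r, frozenset({operation}))
    raise PolicyError(f"{principal} holds no role granting {operation}")

def authorize(token, operation, target):
    """Allow only in-scope operations that do not touch the caller's own grants."""
    if operation not in token.scope:
        return False  # operation-bounded: the role may do more, the token may not
    if operation == "users:assign_role" and target == token.principal:
        return False  # a principal cannot grant itself additional roles
    if operation == "roles:edit_ops" and target == token.role:
        return False  # a role cannot modify its own scope
    return True
```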
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Scope (S) | C → U | Compromise of one admin capability is confined to that capability's privilege domain; the attacker cannot leverage it to affect resources in unrelated domains (e.g., compromising container management cannot yield host filesystem access, compromising profile editing cannot yield role assignment). Each role's blast radius is bounded by its single-responsibility scope. |
CWE Relationships
Verification
Inspect application role definitions for single-responsibility scoping; verify that no role can modify its own permission grants; test that token scopes are operation-bounded
# Expected: Role definitions with explicit scope boundaries or mutual exclusion constraints
# Expected: No code paths allowing a role to modify its own scope or grant itself new roles