Security Requirements and Objectives
Mihály Dobos-Kovács edited this page Oct 9, 2020 · 2 revisions
The system communicates with two different types of external interactors: the users and the administrators. Moreover, the system must be able to store the data of users and the data of CAFFs.
[Figure: RequirementsDocs/system_context.png]

ID | Requirement |
---|---|
SCo1 | Users must only be able to view their own personal data (email) |
SCo1.1 | Administrators must be able to view the personal data (email) of every user |
SCo2 | Users must only be able to view their own purchases |
SCo2.1 | Administrators must be able to view purchases of every user |
SCo3 | Only administrators must be able to view the log files |
SCo4 | No one must be able to view the password of any user or administrator |

ID | Requirement |
---|---|
SI1 | Users must only be able to edit the metadata of CAFFs they uploaded |
SI1.1 | Administrators must be able to edit the metadata of any CAFF |
SI1.2 | Users must be able to see which user or administrator edited the CAFF and when |
SI2 | Users must only be able to edit the comment they posted |
SI2.1 | Administrators must be able to edit any comment |
SI2.2 | Users must be able to see which user or administrator edited the comment and when |
SI3 | Users must only be able to delete the comment they posted |
SI3.1 | Administrators must be able to delete any comment |
SI3.2 | Users must be able to see which user or administrator deleted the comment and when |
SI4 | Users must only be able to edit their own personal data (email) |
SI4.1 | Administrators must be able to edit the personal data (email) of every user |
SI5 | Only Administrators must be able to delete users |
SI6 | Users must only be able to view the purchases they made earlier |
SI6.1 | Users must only be able to download CAFFs they purchased earlier |
SI7 | No one must be able to modify the log files |

ID | Requirement |
---|---|
SAv1 | Users must be able to access the system except for scheduled maintenance periods |
SAv2 | Administrators must be able to always access the system |

ID | Requirement |
---|---|
SAe1 | Users must only be able to use the system after login |
SAe1.1 | Administrators must only be able to use the system after login |
SAe2 | Anyone must be able to register in the system as a user |
SAe3 | Administrators must be able to register users |
SAe4 | Only administrators must be able to register administrators |

ID | Requirement |
---|---|
SAo1 | Users must be authorized before every operation to check whether they are allowed to perform it |
SAo1.1 | The system must reject the operation if the user is not authorized to perform it |
SAo2 | Administrators must be authorized before every operation to check whether they are allowed to perform it |
SAo2.1 | The system must reject the operation if the administrator is not authorized to perform it |

ID | Requirement |
---|---|
SAu1 | The system must log the activity of all users |
SAu2 | The system must log the activity of all administrators |

Based on the security requirements, the following security objectives can be defined:
- User authentication mechanism: Users must be able to log in to the system, and the system should not be accessible before login.
- Logging facilities: The system must log all activity, and it must record by whom and when the CAFFs and comments were edited.
- Access control: Users are allowed different operations depending on whether they own the CAFF in question and whether the profile they are editing is their own.
- Data encryption: The personal data of users must be protected from external entities. The passwords of users should be irrecoverable.
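
The access control and logging objectives can be read as one default-deny decision function that runs before every operation and records its outcome. The sketch below is an added example, not code from this project; `Principal`, `Resource`, `authorize`, `AUDIT_LOG` and the resource and action names are hypothetical, and the purchase check of SI6.1 is left out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Principal:          # hypothetical: an authenticated user or administrator
    name: str
    is_admin: bool = False

@dataclass(frozen=True)
class Resource:           # hypothetical: kind plus the uploader/poster/holder
    kind: str
    owner: str = ""

# (resource kind, action) -> requirement ID from the tables above.
OWNER_OR_ADMIN = {
    ("profile", "view"): "SCo1", ("purchase", "view"): "SCo2",
    ("caff", "edit"): "SI1", ("comment", "edit"): "SI2",
    ("comment", "delete"): "SI3", ("profile", "edit"): "SI4",
}
ADMIN_ONLY = {("log", "view"): "SCo3", ("user", "delete"): "SI5"}

# In-memory stand-in for the log files; a real store must be append-only (SI7).
AUDIT_LOG: list = []

def authorize(who: Optional[Principal], action: str, res: Resource) -> bool:
    """Decide one operation (SAo1, SAo2) and log the decision (SAu1, SAu2)."""
    key = (res.kind, action)
    if who is None:                       # not logged in: SAe1, SAe1.1
        rule, allowed = "SAe1", False
    elif key in ADMIN_ONLY:
        rule, allowed = ADMIN_ONLY[key], who.is_admin
    elif key in OWNER_OR_ADMIN:
        rule = OWNER_OR_ADMIN[key]
        allowed = who.is_admin or who.name == res.owner
    else:
        # Anything not listed is rejected, so ("log", "edit") is denied
        # even for administrators (SI7, SAo1.1, SAo2.1).
        rule, allowed = "default-deny", False
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": who.name if who else "<anonymous>",
        "action": action, "kind": res.kind, "owner": res.owner,
        "rule": rule, "allowed": allowed,
    })
    return allowed

if __name__ == "__main__":
    caff = Resource("caff", owner="alice")    # constructed sample data
    print(authorize(Principal("bob"), "edit", caff))         # not the uploader
    print(authorize(Principal("root", True), "edit", caff))  # administrator
    print(AUDIT_LOG[-1]["rule"], AUDIT_LOG[-1]["who"])
```

Denied operations are logged as well as permitted ones, so the audit trail answers "who tried what, and when" in both cases.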
© Grotesque Gecko, 2020