GSA · aj-stein-gsa · Oct 31, 2024 · Oct 1, 2024 · Oct 4, 2024 · Oct 4, 2024
@@ -145,6 +145,20 @@ Examples:
   | security-level-PASS.yaml |
   | security-sensitivity-level-matches-security-impact-level-FAIL.yaml |
   | security-sensitivity-level-matches-security-impact-level-PASS.yaml |
+  | user-has-authorized-privilege-FAIL.yaml |
+  | user-has-authorized-privilege-PASS.yaml |
+  | user-has-privilege-level-FAIL.yaml |
+  | user-has-privilege-level-PASS.yaml |
+  | user-has-role-id-FAIL.yaml |
+  | user-has-role-id-PASS.yaml |
+  | user-has-sensitivity-level-FAIL.yaml |
+  | user-has-sensitivity-level-PASS.yaml |
+  | user-has-user-type-FAIL.yaml |
+  | user-has-user-type-PASS.yaml |
+  | user-privilege-level-FAIL.yaml |
+  | user-privilege-level-PASS.yaml |
+  | user-sensitivity-level-FAIL.yaml |
+  | user-sensitivity-level-PASS.yaml |
   | user-type-FAIL.yaml |
   | user-type-PASS.yaml |
 #END_DYNAMIC_TEST_CASES
@@ -227,5 +241,12 @@ Examples:
   | scan-type |
   | security-level |
   | security-sensitivity-level-matches-security-impact-level |
+  | user-has-authorized-privilege |
+  | user-has-privilege-level |
+  | user-has-role-id |
+  | user-has-sensitivity-level |
+  | user-has-user-type |
+  | user-privilege-level |
+  | user-sensitivity-level |
   | user-type |
 #END_DYNAMIC_CONSTRAINT_IDS
@@ -151,8 +151,15 @@
     <user uuid="44444444-0000-4000-9000-000000000004">
       <title>System Administrator</title>
       <prop name="type" value="internal"/>
-      <prop name="privilege-level" value="read-write"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="privilege-level" value="read-write"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="sensitivity" value="high-risk"/>
       <role-id>system-admin</role-id>
+      <authorized-privilege>
+        <title>Admin</title>
+        <description><p>admin user</p></description>
+        <function-performed>administration</function-performed>
+      </authorized-privilege>
+
     </user>
 
     <component uuid="55555555-0000-4000-9000-000000000005" type="this-system">

@@ -5,7 +5,7 @@
                       uuid="12345678-1234-4321-8765-123456789012">
   <system-implementation>
     <user uuid="44444444-0000-4000-9000-000000000004">
-      <prop name="privilege-level" value="unsupported-access-type"/>
+      <prop ns="https://fedramp.gov/ns/oscal" name="privilege-level" value="unsupported-access-type"/>
     </user>
   </system-implementation>
 </system-security-plan>
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <user uuid="44444444-0000-4000-9000-000000000004">
+    </user>
+  </system-implementation>
+</system-security-plan>
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <user uuid="44444444-0000-4000-9000-000000000004">
+      <prop ns="https://fedramp.gov/ns/oscal" name="privilege-level" value="invalid"/>
+    </user>
+  </system-implementation>
+</system-security-plan>
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" uuid="12345678-1234-4321-8765-123456789012">
+  <system-implementation>
+    <user uuid="44444444-0000-4000-9000-000000000004">
+      <prop ns='https://fedramp.gov/ns/oscal' name="sensitivity" value="infinite-risk"/>
+    </user>
+  </system-implementation>
+</system-security-plan>
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<metaschema-meta-constraints xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
+<metaschema-meta-constraints xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 https://raw.githubusercontent.com/metaschema-framework/metaschema/refs/heads/develop/schema/xml/metaschema-meta-constraints.xsd">
     <!-- ================== -->
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
@@ -155,6 +155,7 @@
             <allowed-values id="user-type" target="system-implementation/user/prop[@name='type']/@value" allow-other="no" level="ERROR">
                 <formal-name>User Type</formal-name>
                 <description>The type of user.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
                 <enum value="internal">Internal</enum>
                 <enum value="external">External</enum>
                 <enum value="privileged">Privileged</enum>
@@ -164,9 +165,10 @@
                 <description>The system used for categorizing information types.</description>
                 <enum value="https://doi.org/10.6028/NIST.SP.800-60v2r1">NIST SP 800-60 Volume 2 Revision 1</enum>
               </allowed-values>
-              <allowed-values id="privilege-level" target="system-implementation/user/prop[@name='privilege-level']/@value" allow-other="no" level="ERROR">
+              <allowed-values id="privilege-level" target="system-implementation/user/prop[@name='privilege-level'][@ns='https://fedramp.gov/ns/oscal']/@value" allow-other="no" level="ERROR">
                 <formal-name>Privilege Level</formal-name>
                 <description>The privilege level of the user.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
                 <enum value="read">Read</enum>
                 <enum value="read-write">Read-Write</enum>
                 <enum value="write">Write</enum>
@@ -377,6 +379,26 @@
                 <enum value="D.9.4">Industry Sector Income Stabilization</enum>
             </allowed-values>
 
+
+            <allowed-values id="user-privilege-level" target="//user/prop[@ns='https://fedramp.gov/ns/oscal' and @name='privilege-level']/@value" allow-other="no" level="ERROR">
+                <formal-name>Privilege Level</formal-name>
+                <description>The privilege level of the user.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <enum value="read">Read</enum>
+                <enum value="read-write">Read-Write</enum>
+                <enum value="write">Write</enum>
+                <enum value="no-access">No Access</enum>
+            </allowed-values>
+            <allowed-values id="user-sensitivity-level" target="//user/prop[@ns='https://fedramp.gov/ns/oscal' and @name='sensitivity']/@value"  allow-other="no" level="ERROR">
+                <formal-name>User Sensitvity Level</formal-name>
+                <description>Sensitivity level of the user.</description>
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <enum value="high-risk">High Risk</enum>
+                <enum value="severe">Severe</enum>
+                <enum value="moderate">Moderate</enum>
+                <enum value="limited">Limited</enum>
+                <enum value="not-applicable">Not Applicable</enum>
+            </allowed-values>
         </constraints>
 
     </context>

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<metaschema-meta-constraints xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0">
+<metaschema-meta-constraints xmlns="http://csrc.nist.gov/ns/oscal/metaschema/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://csrc.nist.gov/ns/oscal/metaschema/1.0 https://raw.githubusercontent.com/metaschema-framework/metaschema/refs/heads/develop/schema/xml/metaschema-meta-constraints.xsd">
     <!-- ================== -->
     <!-- FedRAMP Extensions -->
     <!-- ================== -->
@@ -42,6 +42,32 @@
             </expect>
         </constraints>
     </context>
+    <context>
+        <metapath target="//user"/>
+        <constraints>
+
+            <expect id="user-has-user-type" target="." test="count(prop[@name='type']) = 1">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <message>A FedRAMP document MUST define a user with a type.</message>
+            </expect>
+            <expect id="user-has-privilege-level" target="." test="count(prop[@name='privilege-level'][@ns='https://fedramp.gov/ns/oscal']) = 1">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <message>A FedRAMP document MUST define a user with a privilege for their use of the system.</message>
+            </expect>
+            <expect id="user-has-sensitivity-level" target="." test="count(prop[@name='sensitivity']) = 1">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <message>A FedRAMP document MUST define a user with a sensitivity level of their use of the system.</message>
+            </expect>
+            <expect id="user-has-role-id" target="." test="count(role-id) gt 0">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <message>A FedRAMP document MUST define a user with at least one role by a role identifier.</message>
+            </expect>
+            <expect id="user-has-authorized-privilege" target="." test="count(authorized-privilege) gt 0">
+                <prop namespace="https://docs.oasis-open.org/sarif/sarif/v2.1.0" name="help-url" value="https://automate.fedramp.gov/documentation/ssp/4-ssp-template-to-oscal-mapping/#user"/>
+                <message>A FedRAMP document MUST define a user with at least one authorized privilege by a privilege identifier.</message>
+            </expect>
+        </constraints>
+    </context>
     <context>
         <metapath target="/system-security-plan"/>
         <constraints>

@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for user-has-authorized-privilege
+  description: >-
+    This test case validates the behavior of constraint
+    user-has-authorized-privilege
+  content: ../content/ssp-user-INVALID.xml
+  expectations:
+    - constraint-id: user-has-authorized-privilege
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for user-has-authorized-privilege
+  description: >-
+    This test case validates the behavior of constraint
+    user-has-authorized-privilege
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-has-authorized-privilege
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for user-has-privilege-level
+  description: This test case validates the behavior of constraint user-has-privilege-level
+  content: ../content/ssp-user-INVALID.xml
+  expectations:
+    - constraint-id: user-has-privilege-level
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for user-has-privilege-level
+  description: This test case validates the behavior of constraint user-has-privilege-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-has-privilege-level
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for user-has-role-id
+  description: This test case validates the behavior of constraint user-has-role-id
+  content: ../content/ssp-user-INVALID.xml
+  expectations:
+    - constraint-id: user-has-role-id
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for user-has-role-id
+  description: This test case validates the behavior of constraint user-has-role-id
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-has-role-id
+      result: pass
@@ -0,0 +1,9 @@
+test-case:
+  name: Negative Test for user-has-sensitivity-level
+  description: >-
+    This test case validates the behavior of constraint
+    user-has-sensitivity-level
+  content: ../content/ssp-user-INVALID.xml
+  expectations:
+    - constraint-id: user-has-sensitivity-level
+      result: fail
@@ -0,0 +1,9 @@
+test-case:
+  name: Positive Test for user-has-sensitivity-level
+  description: >-
+    This test case validates the behavior of constraint
+    user-has-sensitivity-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-has-sensitivity-level
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for user-has-user-type
+  description: This test case validates the behavior of constraint user-has-user-type
+  content: ../content/ssp-user-INVALID.xml
+  expectations:
+    - constraint-id: user-has-user-type
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for user-has-user-type
+  description: This test case validates the behavior of constraint user-has-user-type
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-has-user-type
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for user-privilege-level
+  description: This test case validates the behavior of constraint user-privilege-level
+  content: ../content/ssp-user-privilege-level-INVALID.xml
+  expectations:
+    - constraint-id: user-privilege-level
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for user-privilege-level
+  description: This test case validates the behavior of constraint user-privilege-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-privilege-level
+      result: pass
@@ -0,0 +1,7 @@
+test-case:
+  name: Negative Test for user-sensitivity-level
+  description: This test case validates the behavior of constraint user-sensitivity-level
+  content: ../content/ssp-user-sensitivity-level-INVALID.xml
+  expectations:
+    - constraint-id: user-sensitivity-level
+      result: fail
@@ -0,0 +1,7 @@
+test-case:
+  name: Positive Test for user-sensitivity-level
+  description: This test case validates the behavior of constraint user-sensitivity-level
+  content: ../content/ssp-all-VALID.xml
+  expectations:
+    - constraint-id: user-sensitivity-level
+      result: pass