Access control enforcement

Annalie te Hofste • 13 June 2025

Description

Simpl-Open shall enforce robust and testable access control mechanisms to ensure that only authorised entities (users, roles, systems) can access protected resources. These mechanisms shall be applied consistently across business processes, user stories and technical components, using standard approaches such as OAuth and JWT. Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) must be implemented where appropriate, and their rules must be clear, scalable and traceable across participants and systems.

SMART Breakdown

  • Specific: All protected resources must be governed by access control policies that explicitly define authorised roles and/or attributes.
  • Measurable: Effectiveness shall be validated through audit logs, automated access control tests, and role coverage reviews.
  • Achievable: Development teams shall implement and document access rules within their scope, ensuring linkage to the shared dictionary and to the access gateways.
  • Realistic: Access control must support participant-level roles, inter-gateway communication, and compliance with EU security standards.
  • Timely: Access control mechanisms shall be in place before production deployment and reviewed periodically, at minimum prior to each major release.
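The following is an added illustration of the enforcement pattern the Description and the SMART breakdown describe; it is not code from the Simpl-Open project. It shows a single policy enforcement point that verifies a JWT (pinned to HS256, fail-closed on a bad signature, an unexpected `alg` or a missing/expired `exp`), applies an RBAC check against a role-to-permission table, then applies an ABAC condition on the participant attribute, and writes one audit record per decision so that decisions are testable and traceable. The key, the `ROLE_PERMISSIONS` table, the claim names (`participant`, `roles`) and the dataset resources are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed RBAC table for this example: role -> set of "resource_type:action" permissions.
ROLE_PERMISSIONS = {
    "data_provider": {"dataset:read", "dataset:publish"},
    "data_consumer": {"dataset:read"},
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT signed with HMAC-SHA256; used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Verify signature and expiry; raise ValueError on any failure (fail closed)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header must never be allowed to select 'none' or another scheme.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def attribute_rule(action: str, subject: dict, resource: dict) -> bool:
    """ABAC layer (constructed rules): participant-scoped conditions checked after the role check."""
    same_participant = subject.get("participant") == resource.get("owner")
    if action == "publish":
        return same_participant
    if action == "read":
        return resource.get("visibility") == "public" or same_participant
    return False  # unknown actions are denied


def authorize(token: str, key: bytes, action: str, resource: dict, audit: list, now=None) -> bool:
    """Policy enforcement point: token -> RBAC -> ABAC. Every decision appends one audit record."""
    entry = {"action": action, "resource": resource.get("id"), "decision": "deny"}
    try:
        claims = verify_hs256(token, key, now)
    except ValueError as exc:
        entry["reason"] = f"token: {exc}"
        audit.append(entry)
        return False
    entry["subject"] = claims.get("sub")
    needed = f"{resource['type']}:{action}"
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    if needed not in granted:
        entry["reason"] = f"rbac: no role grants {needed}"
        audit.append(entry)
        return False
    if not attribute_rule(action, claims, resource):
        entry["reason"] = "abac: attribute condition failed"
        audit.append(entry)
        return False
    entry["decision"] = "allow"
    entry["reason"] = "rbac+abac satisfied"
    audit.append(entry)
    return True


if __name__ == "__main__":
    key = b"constructed-demo-key"
    token = mint_hs256({"sub": "alice", "participant": "P1", "roles": ["data_consumer"],
                        "exp": time.time() + 600}, key)
    log = []
    authorize(token, key, "read", {"id": "ds-1", "type": "dataset", "owner": "P2", "visibility": "public"}, log)
    authorize(token, key, "publish", {"id": "ds-1", "type": "dataset", "owner": "P2", "visibility": "public"}, log)
    for record in log:
        print(json.dumps(record))
```

The audit list is what the "Measurable" criterion asks for: each record names the subject, action, resource and the layer that produced the decision, so automated access control tests can assert on the reason as well as the allow/deny outcome, and a role coverage review can be run by replaying the same test vectors against `ROLE_PERMISSIONS`.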

Detailed

Non-Functional Requirement

Issue ID: SIMPL-9935
Status: Proposed
