Java Reference
In-Depth Information
table 6.2
Access Control Matrix for User Roles in Panthera's e-Commerce Application
Critical Information
Asset
Create
Privilege
Read
Privilege
Update
Privilege
Delete
Privilege
User Role
Registered
e-commerce user
User information—
username,
password, address,
telephone, email
Yes
Yes
Yes (except
username)
Yes
Customer credit
card information
Yes
Yes
(except
CVV2/
CVC2,
which is
not
stored)
Yes (except
CVV2/
CVC2,
which is
not stored)
Yes
(except
CVV2/
CVC2,
which is
not
stored)
Accounting/
billing team
users
Customer credit
card information—
primary account
number
No
Yes
No
No
Customer order
numbers
No
Yes
No
No
User
management
team users
Customer
information—
username, address,
phone, email
No
Yes
No*
No
Customer order
information
No
Yes
No *
No
Product
management
team
Stock/inventory
information
Yes
Yes
Yes
Yes
to make a payment. he gift card number and passcode are validated against the database of gift
card numbers, and if they are found to be valid and based on the dollar amount on the gift card,
they are successfully passed through as a purchase transaction. Figure 6.2 illustrates the applica-
tion architecture of Panthera's envisioned E-Commerce Application.
6.2 Security Policies for the Web Application and Requirements
We have explored the concept of security policies. Security policies are the goals or directives
that are related to the conidentiality, integrity, and availability of the critical information assets
of the application. Security policies are extremely beneicial in the threat proiling and threat
modeling activities, as the output of this activity directly feeds the threat proiling and threat
modeling activity. Let us explore the security policies of Panthera Retail's envisioned e-commerce
Web application.
Search WWH ::
Custom Search