Users in a reader-role must be authorized.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-250342 | SRG-APP-000340-AS-000185 | IBMW-LS-000790 | SV-250342r961353_rule | 2025-02-11 | 2 |
Description |
---|
The reader role is a management role that allows read-only access to select administrative REST APIs as well as the Admin Center UI (adminCenter-1.0). Preventing non-privileged users from viewing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Users granted reader role access must be authorized. |
ℹ️ Check |
---|
As a user with access to the ${server.config.dir}/server.xml file, review the contents and identify whether any users or groups have been granted the reader-role. If the reader-role has been created, the users in that role must be documented and approved. If users in the reader-role are not approved, this is a finding. |

Search the configuration for the role definition:

```shell
grep -i reader-role ${server.config.dir}/server.xml
```

EXAMPLE:

```xml
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
<reader-role>
    <group>group</group>
    <group-access-id>group:realmName/groupUniqueId</group-access-id>
    <user>user</user>
    <user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>
```
✔️ Fix |
---|
Edit the ${server.config.dir}/server.xml file. If unauthorized users have been added to the reader-role, remove those users. Otherwise, document the users who are granted the reader-role access. To allow read-only access to select administrative REST APIs, the ${server.config.dir}/server.xml must be configured as follows. Additionally, the users and the groups they are a part of must be defined within LDAP. |

EXAMPLE:

```xml
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
<reader-role>
    <group>group</group>
    <group-access-id>group:realmName/groupUniqueId</group-access-id>
    <user>user</user>
    <user-access-id>user:realmName/userUniqueId</user-access-id>
</reader-role>
<ldapRegistry id="ldap" realm="SampleLdapRealm"
              host="${ldap.server.name}" port="${ldap.server.port}"
              ignoreCase="true" baseDN="${ldap.server.base.dn}"
              ldapType="${ldap.vendor.type}" searchTimeout="8m">
</ldapRegistry>
```
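The check above is a manual grep-and-compare; the script below is an added example (not part of the STIG text and not an IBM tool) that automates it: it parses a server.xml, lists every `user`, `user-access-id`, `group` and `group-access-id` member of each `<reader-role>`, compares them against an approved-member list (the `APPROVED` dictionary, a hypothetical record of the documented authorizations), reports the finding, and can emit a remediated configuration with the unapproved members removed, mirroring the Fix. The server.xml content, realm name, group DNs and user names are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real server's configuration).
# "mallory" is deliberately absent from the approved list below.
SAMPLE_SERVER_XML = """<server description="sample">
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <reader-role>
    <group>auditors</group>
    <group-access-id>group:SampleLdapRealm/cn=auditors,ou=groups,dc=example,dc=com</group-access-id>
    <user>alice</user>
    <user>mallory</user>
    <user-access-id>user:SampleLdapRealm/uid=bob,ou=people,dc=example,dc=com</user-access-id>
  </reader-role>
</server>"""

# Hypothetical documented-and-approved reader-role membership, keyed by element tag.
APPROVED = {
    "group": {"auditors"},
    "group-access-id": {"group:SampleLdapRealm/cn=auditors,ou=groups,dc=example,dc=com"},
    "user": {"alice"},
    "user-access-id": {"user:SampleLdapRealm/uid=bob,ou=people,dc=example,dc=com"},
}

# The four child elements that grant reader-role membership in Liberty's server.xml.
MEMBER_TAGS = ("user", "user-access-id", "group", "group-access-id")


def reader_role_members(xml_text):
    """Return [(tag, value), ...] for every member of every <reader-role> element.

    Note: Liberty can pull in further configuration through <include>
    elements; this example inspects only the XML text it is given, so
    included files must be checked separately.
    """
    root = ET.fromstring(xml_text)
    members = []
    for role in root.iter("reader-role"):
        for child in role:
            if child.tag in MEMBER_TAGS:
                members.append((child.tag, (child.text or "").strip()))
    return members


def check_reader_role(xml_text, approved):
    """Return (is_finding, unapproved_members).

    A member is unapproved when its value is not in the approved set for its tag.
    An empty reader-role (or none at all) is not a finding.
    """
    unapproved = [
        (tag, value)
        for tag, value in reader_role_members(xml_text)
        if value not in approved.get(tag, set())
    ]
    return (len(unapproved) > 0, unapproved)


def remove_unapproved(xml_text, approved):
    """Return a remediated server.xml string with unapproved reader-role members removed."""
    root = ET.fromstring(xml_text)
    for role in root.iter("reader-role"):
        for child in list(role):  # copy: we mutate the element while iterating
            if child.tag in MEMBER_TAGS:
                value = (child.text or "").strip()
                if value not in approved.get(child.tag, set()):
                    role.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    finding, bad = check_reader_role(SAMPLE_SERVER_XML, APPROVED)
    print("FINDING" if finding else "not a finding", bad)
    if finding:
        print(remove_unapproved(SAMPLE_SERVER_XML, APPROVED))
```

Matching is exact after whitespace trimming, so a stray space inside an access id (as in `<group-access-id> group:...`) shows up as an unapproved entry rather than silently matching; review such cases by hand before editing the file.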