9-3.3 Authorization Requirements

Information resources must comply with authorization requirements including, but not limited to, the following:

  1. The information resource must not allow access to resources without invoking the authorization process and checking the assigned rights and privileges of the authenticated user.
  2. The information resource must have features to assign user privileges (i.e., access permissions) to log-on IDs, roles, groups, and information resources.
  3. Privileges on information resources (e.g., computing devices, consoles, terminals, and subsidiary networks) must not allow the user to bypass or upgrade his or her privileges established in centralized access control lists or databases.
  4. The information resource must have the capability to restrict session establishment or information resource access based on time of day, day of the week, calendar date of the login, and source of the connection. Information resources running on operating systems that do not have these capabilities must implement compensating controls (e.g., monitoring devices).
  5. The information resource must provide the administrator-configurable capability to limit the number of concurrent log-on sessions for a given user.
  6. The information resource must not offer any mechanism to bypass authorization restrictions.
  7. Access granted to the information application resource must be accurately reflected in eAccess and should not extend beyond the pre-established role definitions.
  8. Computing devices, mobile or otherwise, requesting access from remote, non-Postal Service locations must authenticate before access is granted.