Clarify behavior for conflicts in role, location, party, and reference identifiers across imported OSCAL content #1290

Open
6 tasks
david-waltermire opened this issue May 27, 2022 · 2 comments
Labels: Aged, enhancement, Research, User Story

david-waltermire commented May 27, 2022

User Story:

As an OSCAL content creator or tool developer, I need to understand what behavior a tool should exhibit when encountering conflicting role, location, party, and reference definitions with the same identifier.

For example:

An OSCAL SSP might define:

```yaml
system-security-plan:
  uuid: ...
  metadata:
    roles:
    - id: custom-role-id
      title: Custom Role
```

An OSCAL assessment plan might define:

```yaml
assessment-plan:
  uuid: ...
  metadata:
    roles:
    - id: custom-role-id
      title: Adjusted Custom Role
  import-ssp:
    href: link-to-ssp
```

What is the correct behavior?

Goals:

  • Document correct behavior in OSCAL model documentation
    • Write general documentation in the "concepts" section of the website
    • Integrate general documentation as links in relevant model documentation
  • Define follow-on issue(s) for implementing this using constraints to consistently enforce the best-practices.

Dependencies:

None.

Acceptance Criteria

  • All OSCAL website and readme documentation affected by the changes in this issue have been updated. Changes to the OSCAL website can be made in the docs/content directory of your branch.
  • A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
  • The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

david-waltermire commented May 31, 2022

This was discussed during the 5/27 model review. @david-waltermire-nist presented slides identifying possible options. There was a consensus around option 4, which is to disallow identifier clashes in content both importing a role from another OSCAL document and defining a role with the same identifier. These cases should result in a content validation error.

Documentation needs to be updated to make this default behavior more clear. Metaschema constraints need to be developed to enforce these errors. This work will be completed as part of #1066 (PR #1263).

There was also discussion around identifying a policy-driven behavior that could be used to allow other behavioral options to be "turned on". This will be explored separately as an additional feature in a future revision of OSCAL.
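
The "option 4" behavior described in the comment above, sketched as an added example that is not part of the original thread and is not NIST or OSCAL project code. It assumes both documents are already parsed into dictionaries and that the caller has resolved `import-ssp` to the SSP; the function names, the extra `assessor` role, and the reading of "reference" as back-matter resources are assumptions of this example.

```python
# Added example, not NIST code. Sample documents are constructed and mirror
# the YAML in the issue; they are assumed to be already parsed and the
# import-ssp href already resolved to the SSP by the caller.

# Metadata collections and the key that identifies each entry.
METADATA_ID_KEYS = {"roles": "id", "locations": "uuid", "parties": "uuid"}


def split_root(doc):
    """Return (model name, body) for a document with one top-level key."""
    return next(iter(doc.items()))


def collect_ids(doc):
    """Return the set of (kind, identifier) pairs a document defines."""
    _, body = split_root(doc)
    found = set()
    for kind, key in METADATA_ID_KEYS.items():
        for entry in body.get("metadata", {}).get(kind, []):
            found.add((kind, entry[key]))
    # Assumption: "reference" in the issue title means back-matter resources.
    for res in body.get("back-matter", {}).get("resources", []):
        found.add(("resources", res["uuid"]))
    return found


def find_clashes(importing, imported):
    """Option 4: any identifier defined on both sides is a validation error,
    even when the two definitions are identical."""
    importer, _ = split_root(importing)
    source, _ = split_root(imported)
    shared = collect_ids(importing) & collect_ids(imported)
    return [f"{kind} identifier '{ident}' is defined in {importer} "
            f"and in imported {source}" for kind, ident in sorted(shared)]


SSP = {"system-security-plan": {"metadata": {"roles": [
    {"id": "custom-role-id", "title": "Custom Role"}]}}}
AP = {"assessment-plan": {
    "metadata": {"roles": [
        {"id": "custom-role-id", "title": "Adjusted Custom Role"},
        {"id": "assessor", "title": "Assessor"}]},  # constructed, no clash
    "import-ssp": {"href": "link-to-ssp"}}}

if __name__ == "__main__":
    for error in find_clashes(AP, SSP):
        print("validation error:", error)
```
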

@aj-stein-nist

As Dave rolled off the project, we will move this to the next sprint and one of us will take it on.

@aj-stein-nist aj-stein-nist moved this from In Progress to Todo in NIST OSCAL Work Board Feb 2, 2023
@aj-stein-nist aj-stein-nist removed their assignment Feb 2, 2023
@aj-stein-nist aj-stein-nist removed this from the v1.1.0 milestone Jul 27, 2023
@aj-stein-nist aj-stein-nist moved this from Todo to Needs Triage in NIST OSCAL Work Board Sep 20, 2023
@Compton-US Compton-US added the Aged A label for issues older than 2023-01-01 label Nov 2, 2023