The BIG-IP APM module must require users to reauthenticate when the user's role or information authorizations are changed.

Description

<VulnDiscussion>Without reauthentication, users may access resources or perform tasks for which authorization has been removed. In addition to the reauthentication requirements associated with session locks, organizations may require reauthentication of individuals and/or devices in other situations. Within the DOD, the minimum circumstances requiring reauthentication are privilege escalation and role changes. This requirement only applies to components where this is specific to the function of the device or has the concept of user authentication (e.g., VPN or ALG capability). This does not apply to authentication for the purpose of configuring the device itself (i.e., device management).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>