
Possible Bug in the Constraint: non-provider-responsible-role-references-user #999

Closed
3 of 12 tasks
JoseGHdz opened this issue Dec 14, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@JoseGHdz

This relates to ...

  • the FedRAMP OSCAL Registry
  • the FedRAMP OSCAL baselines
  • the Guide to OSCAL-based FedRAMP Content
  • the Guide to OSCAL-based FedRAMP System Security Plans (SSP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Plans (SAP)
  • the Guide to OSCAL-based FedRAMP Security Assessment Results (SAR)
  • the Guide to OSCAL-based FedRAMP Plan of Action and Milestones (POA&M)
  • the FedRAMP SSP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAP OSCAL Template (JSON or XML Format)
  • the FedRAMP SAR OSCAL Template (JSON or XML Format)
  • the FedRAMP POA&M OSCAL Template (JSON or XML Format)
  • the FedRAMP OSCAL Validations

What happened?

This is related to Issue #893.

When the criteria for the privilege-uuid in the components are not met, I receive the error shown in the Relevant Log Output in Validation.

According to the FedRAMP SSP Example, the following conditions should be satisfied:

  1. The components can include:
    • leveraged-authorization-uuid
    • implementation-point set to external
    • responsible-roles with a privilege-uuid value tied to an authorized user.
  2. The responsible-roles section should link to:
    • A user with the corresponding uuid and valid authorized-privileges.
    • The provider party under party-uuids.

**My Implementation**:

Snippet of the components JSON:

{
  "uuid": "4cb40000-0000-0000-0000-00009a37a1cf",
  "type": "service",
  "title": "Component Service Name",
  "props": [
    {
      "name": "leveraged-authorization-uuid",
      "value": "10da0000-0000-0000-0000-000071784f9e"
    },
    {
      "name": "implementation-point",
      "value": "external"
    }
  ],
  "responsible-roles": [
    {
      "role-id": "asset-administrator",
      "props": [
        {
          "name": "privilege-uuid",
          "value": "66600000-0000-0000-0000-000016a32830",
          "ns": "http://fedramp.gov/ns/oscal"
        }
      ]
    },
    {
      "role-id": "provider",
      "party-uuids": ["017a0000-0000-0000-0000-00009e957746"]
    }
  ],
  "status": { "state": "operational" }
}

The leveraged-authorization is configured as follows:

{
  "title": "Account Information",
  "uuid": "10da0000-0000-0000-0000-000071784f9e",
  "party-uuid": "017a0000-0000-0000-0000-00009e957746",
  "date-authorized": "2019-05-03",
  "remarks": "Remarks of Account",
  "props": [
    {
      "ns": "https://fedramp.gov/ns/oscal",
      "name": "leveraged-system-identifier",
      "value": "F1209051525"
    },
    {
      "ns": "https://fedramp.gov/ns/oscal",
      "name": "authorization-type",
      "value": "JAB Authorization"
    },
    {
      "ns": "https://fedramp.gov/ns/oscal",
      "name": "impact-level",
      "value": "fips-199-high"
    },
    {
      "ns": "http://fedramp.gov/ns/oscal",
      "name": "user-uuid",
      "value": "66600000-0000-0000-0000-000016a32830"
    }
  ]
}

The user is configured as follows:

{
  "uuid": "66600000-0000-0000-0000-000016a32830",
  "title": "Admin",
  "props": [
    {
      "ns": "https://fedramp.gov/ns/oscal",
      "name": "privilege-level",
      "value": "read-write"
    },
    {
      "name": "type",
      "value": "privileged"
    },
    {
      "ns": "https://fedramp.gov/ns/oscal",
      "name": "sensitivity",
      "value": "high-risk"
    }
  ],
  "role-ids": [
    "asset-administrator"
  ],
  "authorized-privileges": [
    {
      "title": "DevAdmin",
      "functions-performed": [
        "System Development"
      ]
    },
    {
      "title": "Admin",
      "functions-performed": [
        "administration"
      ]
    }
  ]
}

The party is configured as follows:

{
  "uuid": "017a0000-0000-0000-0000-00009e957746",
  "type": "person",
  "name": "User for Leveraged Authorization"
}

Based on the contents of the example FedRAMP SSP File, I made this diagram:
[image]

Which is pretty much the same as what I have as well:
[image]

What would be causing this error? Is it on my end?

Relevant log output

[ERROR] [/system-security-plan] non-provider-responsible-role-references-user: A FedRAMP SSP MUST have each component describing leveraged systems, interconnections, or authorized services reference at least one user with an authorized privilege and function performed via the "privilege-uuid" property.

How do we replicate this issue?

That's the content that I have in my SSP.

Where, exactly?

Parts included are Users, Roles, Leveraged Authorizations, Components, and Parties

Other relevant details

OSCAL CLI Version: 2.4.0
OSCAL Version: 1.1.2
I used the most recent version of the fedramp-external-constraints.xml and fedramp-external-allowed-values.xml files.

@JoseGHdz (Author)

Error Found. Components linked to leveraged systems need to be set as "system" and not "service"
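An added, self-contained check (not the FedRAMP project's own constraint code) that encodes the reading of this constraint the thread arrives at: a leveraged authorization must be covered by a component of type "system" whose non-provider responsible role carries a "privilege-uuid" pointing at a user with an authorized privilege and a function performed. The assumption that the component type must be "system" comes from the resolution above; the actual rule lives in fedramp-external-constraints.xml and may be stricter. The sample SSP is constructed from the snippets in the issue.

```python
import copy

FEDRAMP_NS = "http://fedramp.gov/ns/oscal"  # ns used on privilege-uuid in the issue

def prop_values(obj, name):
    """All values of props called `name` on an OSCAL object (ns not enforced here)."""
    return [p["value"] for p in obj.get("props", []) if p.get("name") == name]

def privileged_user_uuids(ssp):
    """UUIDs of users holding an authorized privilege with at least one function performed."""
    return {u["uuid"] for u in ssp["system-implementation"].get("users", [])
            if any(ap.get("functions-performed") for ap in u.get("authorized-privileges", []))}

def component_user_refs(component):
    """privilege-uuid values on the component's non-provider responsible roles."""
    return [v for r in component.get("responsible-roles", [])
            if r.get("role-id") != "provider" for v in prop_values(r, "privilege-uuid")]

def check_leveraged_authorizations(ssp):
    """One finding per leveraged authorization not covered by a type="system" component
    that references a privileged user via privilege-uuid; an empty list means pass.
    Assumption (from the issue's resolution): only type "system" components count."""
    users = privileged_user_uuids(ssp)
    impl = ssp["system-implementation"]
    findings = []
    for la in impl.get("leveraged-authorizations", []):
        covering = [c for c in impl.get("components", [])
                    if c.get("type") == "system"
                    and la["uuid"] in prop_values(c, "leveraged-authorization-uuid")
                    and any(ref in users for ref in component_user_refs(c))]
        if not covering:
            findings.append(f"leveraged authorization {la['uuid']}: no system component "
                            f"references a user with an authorized privilege")
    return findings

# Constructed sample mirroring the issue; UUIDs are the ones quoted in the thread.
SAMPLE_SSP = {"system-implementation": {
    "leveraged-authorizations": [{"uuid": "10da0000-0000-0000-0000-000071784f9e",
                                  "party-uuid": "017a0000-0000-0000-0000-00009e957746"}],
    "users": [{"uuid": "66600000-0000-0000-0000-000016a32830", "title": "Admin",
               "authorized-privileges": [{"title": "Admin", "functions-performed": ["administration"]}]}],
    "components": [{"uuid": "4cb40000-0000-0000-0000-00009a37a1cf", "type": "service",
        "props": [{"name": "leveraged-authorization-uuid", "value": "10da0000-0000-0000-0000-000071784f9e"},
                  {"name": "implementation-point", "value": "external"}],
        "responsible-roles": [
            {"role-id": "asset-administrator", "props": [{"name": "privilege-uuid", "ns": FEDRAMP_NS,
                                                          "value": "66600000-0000-0000-0000-000016a32830"}]},
            {"role-id": "provider", "party-uuids": ["017a0000-0000-0000-0000-00009e957746"]}]}]}}

def fixed_ssp():
    """Apply the fix from the thread: change the component type from 'service' to 'system'."""
    fixed = copy.deepcopy(SAMPLE_SSP)
    fixed["system-implementation"]["components"][0]["type"] = "system"
    return fixed
```

Running `check_leveraged_authorizations` on `SAMPLE_SSP` yields one finding for the "service" component, and on `fixed_ssp()` yields none.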
