A PCF PAS deployment is managed via the BOSH CLI and/or the Ops Manager UI. When deployed in compliance with the Pivotal reference architecture, PCF PAS is compliant with the requirements of this control.
Regular users who access applications on the platform cannot reach the BOSH Director or the Ops Manager interface, which are expected to run on a separate, non-routable network/VLAN.
In addition, DevOps users of the platform may be assigned different RBAC roles in the Cloud Controller to limit their authorization level appropriately, depending on whether they are a developer, auditor, manager, and so on.
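As an added example (not code from the Pivotal documentation), the script below audits the Space roles held in one Cloud Controller org/space against a per-user expected-role policy and prints the cf CLI commands that would return a mis-assigned user to least privilege. The `cf space-users` output, the org/space names, the user names and the policy are all constructed; the output layout follows the cf CLI v6 format, which is an assumption. Nothing is executed against a real foundation: the remediation lines are printed for review, not run.

```shell
#!/bin/sh
# Added example, not part of the Pivotal docs: audit Cloud Controller space roles
# against an expected-role policy and print least-privilege remediation commands.
set -eu

# Constructed sample of `cf space-users acme prod` output (layout assumed from cf CLI v6).
SAMPLE_SPACE_USERS='Getting users in org acme / space prod as admin

SPACE MANAGER
  alice

SPACE DEVELOPER
  bob
  dave

SPACE AUDITOR
  carol'

# Constructed policy: user:ExpectedSpaceRole, one entry per user.
POLICY='alice:SpaceManager bob:SpaceDeveloper carol:SpaceAuditor dave:SpaceAuditor'

# users_with_role HEADER  (stdin: cf space-users output)
# Prints the user names listed under the given section header, e.g. "SPACE DEVELOPER".
users_with_role() {
  awk -v want="$1" '
    /^[A-Z][A-Z ]+$/ { section = $0; next }   # section header line
    section == want && NF > 0 { print $1 }    # indented user name under that header
  '
}

# header_to_role HEADER -> cf CLI role name used by set-space-role / unset-space-role
header_to_role() {
  case "$1" in
    "SPACE MANAGER")   echo SpaceManager ;;
    "SPACE DEVELOPER") echo SpaceDeveloper ;;
    "SPACE AUDITOR")   echo SpaceAuditor ;;
    *) echo "unknown section header: $1" >&2; return 1 ;;
  esac
}

# find_role_drift OUTPUT POLICY
# Prints "user actual expected" for every policy user whose held role differs
# from the expected one, or "user none expected" if the user holds no space role.
find_role_drift() {
  output=$1 policy=$2
  for entry in $policy; do
    user=${entry%%:*}; expected=${entry#*:}; found=0
    for header in "SPACE MANAGER" "SPACE DEVELOPER" "SPACE AUDITOR"; do
      members=$(printf '%s\n' "$output" | users_with_role "$header")
      if printf '%s\n' "$members" | grep -qx "$user"; then
        found=1
        actual=$(header_to_role "$header")
        [ "$actual" = "$expected" ] || echo "$user $actual $expected"
      fi
    done
    [ "$found" -eq 1 ] || echo "$user none $expected"
  done
}

# remediation_cmds USER ORG SPACE ACTUAL EXPECTED -> the cf CLI calls that would apply the policy
remediation_cmds() {
  [ "$4" = none ] || printf 'cf unset-space-role %s %s %s %s\n' "$1" "$2" "$3" "$4"
  printf 'cf set-space-role %s %s %s %s\n' "$1" "$2" "$3" "$5"
}

# Report drift for the constructed sample; the cf commands are printed, not executed.
find_role_drift "$SAMPLE_SPACE_USERS" "$POLICY" | while read -r user actual expected; do
  echo "drift: $user holds $actual, policy expects $expected"
  remediation_cmds "$user" acme prod "$actual" "$expected"
done
```

On a real foundation the sample text would be replaced by the captured output of `cf space-users ORG SPACE`, and the printed `cf unset-space-role` / `cf set-space-role` lines reviewed before being run by someone holding the OrgManager or SpaceManager role; a user who is over-privileged in several spaces shows up once per space, so the check is run per space.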
Access control for applications is the responsibility of the application developer.
More information is available on the PCF PAS reference architecture for each supported IaaS platform, on the RBAC controls in the Cloud Foundry Cloud Controller, and on Cloud Foundry security concepts.
The information system separates user functionality (including user interface services) from information system management functionality.
Information system management functionality includes, for example, functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from information system management functionality is either physical or logical. Organizations implement separation of system management-related functionality from user functionality by using different computers, different central processing units, different instances of operating systems, different network addresses, virtualization techniques, or combinations of these or other methods, as appropriate. This type of separation includes, for example, web administrative interfaces that use separate authentication methods for users of any other information system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.