An organization may see fit to define a policy stating certain commands contained within an application require dual authorization before they may be invoked. Dual authorization requires two distinct approving authorities to approve the use of the command prior to being invoked. When the organization defines a set of application related privileged commands requiring dual authorization, the application must support those organizational requirements.
Once an information management policy has been created, the metadata and security attributes created can be enforced using a workflow. However, as with most applications, privilege restrictions, such as dual authorizations cannot be set for the super account, Farm Administrator. When adding a workflow to a SharePoint library or list, this enforces a business process on all items in the library or list. A workflow describes the actions the system or users must perform on each item, such as obtain dual approvals.
Note: If many documents across different libraries require dual authorization, the site should consider creating a content type and adding this type as part of an information management policy.
NOTE: Please review the benchmark to ensure target compliance.
Create an approval workflow for document libraries or documents which requires dual authorization.
1. On the site home page, click Site Actions, and then click Site Settings.
2. On the Site Settings page, in the Site Administration list, click Site libraries and lists.
3. On the Site Libraries and Lists page, select a library or list.
4. On the List Settings page, in the Permissions and Management list, click Workflow Settings.
5. On the Workflow Settings page, click Add a workflow.
6. Follow the directions of the workflow wizard to create an approval workflow that requires dual approval for the documents stored in the selected library.
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Windows.