The repository shall log and review all access management failures and anomalies.

This is necessary in order to identify security threats and access management system failures.

Access logs, capability of the system to use automated analysis/monitoring tools and generate problem/error messages; notes of reviews undertaken or action taken as a result of reviews.

A repository should have some automated mechanism to note anomalous or unusual denials and use them to identify either security threats or failures in the access management system, such as valid users’ being denied access. This does not mean looking at every denied access.

APTrust follows the standard security advice of granting least privilege — that is, granting only the permissions required to perform a task. Otherwise we default to DENY ALL. This means that all access is denied by default and only granted to specific users if absolutely necessary. The types of authorized and unauthorized access as well as security logs and records generated during APTrust operations are explained in Key Management, Security, and Logging.