@@ -792,16 +792,21 @@ These requirements are generally binding, and there is no low-medium-high tierin
### 5.2.6 Role based authorisation
The identity management is an essential piece in the larger puzzle of cybersecurity. A secure product is required to confirm the identity and authority of all users performing an action. If the system fails to identify such actions and authroity, or fails to track who executed commands, the system can easily fall into a state of chaos.
The identity management is an essential piece in the larger puzzle of cybersecurity. A secure product is required to confirm the identity and authority of all users performing an action. If the system fails to identify such actions and authority, or fails to track who executed commands, the system can easily fall into a state of chaos.
An identity management system provides for the authentication of each user. It provides the assurance of that an entity has authorization and has provided the correct information to the product to perform a specific action.<ahref="#_ref_i.12">[i.12]</a> Only a well maintianed trusted source list can provide functional authentication.
An identity management system provides for the authentication of each user. It provides the assurance of that an entity has authorization and has provided the correct information to the product to perform a specific action.[\[i.12\]](#_ref_i.12) Only a well maintianed trusted source list can provide functional authenticantion.
If the source authentication is a company internal directory, the content needs to be up to date and reflect the status of persons granted current access.
These requirements apply to all network management systems, regardless of the product's use case and without variation for different tiers or risk.
-**[REQ-AUTH-0]:** The product shall be integrated into a state of the art identity management system.
-**[REQ-AUTH-1]:** 2-factor authentication shall be used to confirm the identity of a natural user.
-**[REQ-AUTH-2]:** Authorisation validity for authenticated natural users shall be no longer than a two days.
-**[REQ-AUTH-0]:** The product shall support identity management through at least one of the following approaches: (a) integration of the NMS into an external state-of-the-art Identity Management System, (b) integration of an external Identity Management System into the NMS, or (c) a dedicated Identity Management module built into the NMS.
-**[REQ-AUTH-1]:** Product shall use multi-factor authentication to confirm the identity of a natural user.
-**[REQ-AUTH-2]:** Product shall limit a natural user's authorisation validity of a session via a configuarble setting that shall be initially limited to one by by factory default.
**NOTE REQ-AUTH-0: Should clarify that an identity management system can be part of product or part of system
**NOTE Authoring may be required here address default issue per comment 166**
When the identity of a user is established, the system grants the user access rights based on the users' role.The system can have multiple distinct roles, each are tailored to the users' perceived needs.
There are many possible roles, with examples such as: monitoring data reader, interconnectivity administrator, or administrator. If the product's deployment context calls for an all-powerful superuser, this can be accomplished either with a single role with numerous responsibiltiies or by aggregating many available roles to that single user.
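Review bot: the rewritten REQ-AUTH-2 is incomplete and ambiguous: "shall be initially limited to one by by factory default" drops the unit and doubles "by", so the line no longer states what the factory-default session validity is, whereas the removed line specified "no longer than a two days"; please state the intended default value with its unit and fix "configuarble". The added identity-management paragraph also carries new typos ("maintianed", "authenticantion") that the parallel fix of "authroity" in the previous paragraph did not catch. Finally, the two bold "NOTE" lines read as editorial remarks left in the published text: the rewritten REQ-AUTH-0 already covers the point of the first note (identity management as part of the product or of the system), and the second refers to an unresolved "comment 166", so both should be resolved or removed before this is merged.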