@@ -826,8 +826,11 @@ There are many possible roles, with examples such as: monitoring data reader, in
If the product's deployment context calls for an all-powerful superuser, this can be accomplished either with a single role with numerous responsibiltiies or by aggregating many available roles to that single user.
If the product's deployment context calls for an all-powerful superuser, this can be accomplished either with a single role with numerous responsibiltiies or by aggregating many available roles to that single user.
In many systems identity information includes a group assignment matched to a role inside the system.
In many systems identity information includes a group assignment matched to a role inside the system.
Role Based Access Control design and depth is outside of the scope of this standard, but the productshall use some form of RBAC.
Role Based Access Control design and depth is outside of the scope of this standard.
Both natural users, machine users, or equivalent structures shall be assigned roles, despite often performing differently. Machine users can often have more exact limits on what functions they require. [\[i.13\]](#_ref_i.13)
Both natural users, machine users, or any privileged action performing entities needs roles or comparable control structures like Attribute-Based Access Control, to limit individual access credentials to the smallest possible set of access grants.
This is the reason for [REQ-AUTH-3], but as the evaluating the fit of the implementation to the intented use, the design validation is only vaguely specified in [REQ-AUTH-4].
Machine users can often have more exact limits on what functions they require. [\[i.13\]](#_ref_i.13)
The product can serve traffic that is not meant to be identified.
The product can serve traffic that is not meant to be identified.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
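Review bot: The rewrite of "Role Based Access Control design and depth is outside of the scope of this standard, but the productshall use some form of RBAC." to "Role Based Access Control design and depth is outside of the scope of this standard." drops the only normative statement in this passage; the following sentence says "This is the reason for [REQ-AUTH-3]", so the text should still state what is required, for example "but the product shall use RBAC or a comparable access control structure (see [REQ-AUTH-3])", otherwise the cross-reference points at a rationale with no stated rule. In the same added paragraph, "or any privileged action performing entities needs roles" should read "need roles" (plural subject), and "but as the evaluating the fit of the implementation to the intented use" should be "but as for evaluating the fit of the implementation to the intended use". The pre-existing "responsibiltiies" in the superuser sentence is also a good opportunity to fix to "responsibilities" since the surrounding lines are already being touched.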