@@ -815,7 +815,6 @@ These requirements apply to all network management systems, regardless of the pr
-**[REQ-AUTH-2]:** Product shall limit a natural user's authorisation validity of a session via a configuarble setting that shall be initially limited by factory default. [NOTE: Was the period for initial session length ever resolved?]
Depending on the product design, the identity management referred in [REQ-AUTH-0] can be either part of the deliverable product, part of the deployment context as outside source or both, where redundancy is deseriable or necessary.
For forensic needs, the product shall record the source of the identity in authoritative event monitoring data. [NOTE: Should this be its own requirement? Is it optional?]
Integration into 3rd party identity management systems is preferred due to the higher likelihood that a dedicated indentity management system is more likely to properly update or invalidate users credentials when necessary.
@@ -843,7 +842,7 @@ In addition, the managed device can have a configuration port, management API, f
-**[REQ-AUTH-7]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong [Note: Define?] authentication of users, services, or integrated components.
-**[REQ-AUTH-8]:** Privileged interfaces [NOTE: Needs definition?] shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
-**[REQ-AUTH-9]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-10]:**Product audit events shall include the source of the identity [Note: which identity?].
-**[REQ-AUTH-10]:**The product shall record the source of the identity in authoritative event monitoring data.
