@@ -360,7 +360,7 @@ This is the reason for the requirement [REQ-AUTH-3], but as the evaluating the f
-**[REQ-AUTH-8]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-9]:** The product shall record the source of the identity in authoritative event monitoring data.
-**[REQ-AUTH-10]:** The product shall verify an explicit authorisation decision immediately before execution of any privileged action that can, including but not limited to, modify managed-element configuration, control-plane behaviour, routing or forwarding state, security policy, identity or authorisation configuration, cryptographic trust material, software state, availability, or network reachability.
-**[REQ-AUTH-10]:** The product shall verify successfully an explicit authorisation decision immediately before execution of any privileged action that can, including but not limited to, modify managed-element configuration, control-plane behaviour, routing or forwarding state, security policy, identity or authorisation configuration, cryptographic trust material, software state, availability, or network reachability.
-**[REQ-AUTH-11]:** The authorisation decision shall be bound to the acting identity, whether natural user or machine user, role or permission set, target managed element or elements, requested operation, material request parameters, policy version or rule identifier, and validity interval.
-**[REQ-AUTH-12]:** The product shall prevent execution of such privileged action when the authorisation decision is absent, expired, inconsistent with current policy or context, or cannot be recorded as an auditable event except if the action aims to enable or restore auditability of the product.