@@ -872,9 +872,16 @@ This is the reason for the requirement [REQ-AUTH-3], but as the evaluating the f
-**[REQ-AUTH-8]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-9]:** The product shall record the source of the identity in authoritative event monitoring data.
-**[REQ-AUTH-10]:** The product shall verify an explicit authorization decision immediately before execution of any privileged action that can, including but not limited to, modify managed-element configuration, control-plane behaviour, routing or forwarding state, security policy, identity or authorization configuration, cryptographic trust material, software state, availability, or network reachability.
-**[REQ-AUTH-11]:** The authorization decision shall be bound to the acting identity, whether natural user or machine user, role or permission set, target managed element or elements, requested operation, material request parameters, policy version or rule identifier, and validity interval.
-**[REQ-AUTH-12]:** The product shall prevent execution of such privileged action when the authorization decision is absent, expired, inconsistent with current policy or context, or cannot be recorded as an auditable event except if the action aims to enable or restore auditability of the product.
The requirement [REQ-AUTH-5] is itentionally vague.
The model can be complex, and there can be multiple different overlapping mechanisms in place that can used to enable the same function.
The authorative decission making requirement listed as [REQ-AUTH-10] directs the product not to cache the credentials.
While the requirement calls for active checking, in combination with [REQ-AUTH-2] the wording leaves room to implement a fluent GUI experience when viewing the content and performing privileged actions are separated.
#### Machine users
Credential rotation addressed by [REQ-AUTH-11], is one of the key elements, that enable organisation to build resilience in a compromised network.
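Review bot: the carve-out at the end of [REQ-AUTH-12] ("except if the action aims to enable or restore auditability of the product") is attached to the whole sentence, so it also waives the "decision is absent, expired, inconsistent with current policy" cases, which means any privileged action that claims to restore logging escapes the authorization check entirely. Narrow it to the recording condition only, e.g. "...or cannot be recorded as an auditable event; an action whose sole purpose is to restore auditability may proceed without prior recording, but still requires a valid authorization decision and shall be recorded as soon as auditability is restored." Two further points in the same hunk: [REQ-AUTH-10] reads "any privileged action that can, including but not limited to, modify ...", which is ungrammatical; "any privileged action, including but not limited to one that modifies ..." says what is meant. And the explanatory prose does not match the requirement it cites: "The authorative decission making requirement listed as [REQ-AUTH-10] directs the product not to cache the credentials." [REQ-AUTH-10] is about verifying the authorization decision immediately before execution, so the sentence should say the product must not cache (reuse) an earlier authorization decision, not credentials; it also needs "authoritative decision-making" and the preceding lines need "intentionally" and "can be used". Finally, "Credential rotation addressed by [REQ-AUTH-11]" is stale once this patch lands: [REQ-AUTH-11] becomes the decision-binding requirement, and the rotation requirement is renumbered to [REQ-AUTH-14] in the second hunk, so update this cross-reference in the same change.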
@@ -882,10 +889,10 @@ The rotation can replace keys or tokens to limit exposure from compromised crede
It can built on top of existing authority structures, or it can re-run some parts of the device initialisation procedures.
How the retake of the authority is implemented is between the product and the device.
-**[REQ-AUTH-10]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-11]:** The product shall support machine credential rotation or comparable structure.
-**[REQ-AUTH-12]:** The product shall provide passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-13]:** The privileged interfaces like APIs shall support minimal access grants for the machine user.
-**[REQ-AUTH-13]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-14]:** The product shall support machine credential rotation or comparable structure.
-**[REQ-AUTH-15]:** The product shall provide passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-16]:** The privileged interfaces like APIs shall support minimal access grants for the machine user.
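Review bot: renumbering the four machine-user requirements from [REQ-AUTH-10]..[REQ-AUTH-13] to [REQ-AUTH-13]..[REQ-AUTH-16] silently breaks every existing reference to those identifiers (the prose in the previous hunk still cites [REQ-AUTH-11] for credential rotation, and the header context cites [REQ-AUTH-3], so the document clearly relies on these IDs as stable anchors). Either keep the old numbers and give the three new requirements fresh identifiers at the end of the sequence, or grep the document for every [REQ-AUTH-1x] reference and update it in this patch, and note the mapping in the commit message so downstream test plans can follow. While touching these lines, "machine credential rotation or comparable structure" in [REQ-AUTH-14] is not verifiable as written; "comparable structure" should be replaced with what would actually satisfy the requirement (for example, re-enrolment that issues a new credential and revokes the old one), and [REQ-AUTH-16] should state who the "minimal access grants" are scoped to (per machine user and per interface) so an evaluator can check it.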