@@ -795,8 +795,10 @@ These requirements are generally binding, and there is no low-medium-high tierin
### 5.2.6 Identity and access management
### 5.2.6 Identity and access management
The identity and access management (IAM) and authorisation grants are essential pieces in the larger puzzle of cybersecurity.
Authorization is the final step that assigns execution and access rights to resources to a user.
A secure product is able confirm the identity and authority of all users performing an action.
The preparation for this step consists of identity verification and authentication.
The user identity management can be integral part of the product, but can also be provided as an external service.
The relevance, availability, and correctness of the identity management system or service is crucial for the product and therewith for the entire network security, as it is the basis for the entire sequence from identity, over authentication up to the final user authorization.
As the natural user and machine user can sometimes be used interchangeably in the context the term subject in this document refers to both unless specified.
As the natural user and machine user can sometimes be used interchangeably in the context the term subject in this document refers to both unless specified.
Depending on the design of the product, authorisation to execute a single or a set of commands and general identity management can use the same system or two distinct systems.
Depending on the design of the product, authorisation to execute a single or a set of commands and general identity management can use the same system or two distinct systems.
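Review bot: The sentence "A secure product is able confirm the identity and authority of all users performing an action" says "users", while a later sentence in the same paragraph defines "subject" as covering both natural and machine users, so as worded it can be read as leaving machine identities out. Suggest "all subjects performing an action", or move the "subject" definition ahead of it. "The preparation for this step" is also ambiguous, because a sentence now sits between it and "Authorization is the final step"; naming the step ("The preparation for authorisation consists of ...") removes the doubt. Smaller wording points in the same hunk: "is able confirm" is missing "to", "can be integral part" needs "an", and "Authorization" is spelled with a z while the surrounding lines use "authorisation".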