Commit 62ed0c89 authored by August Bournique

Editing intro to Authorization section for grammar and flow

parent 434894b1
+11 −10
@@ -794,23 +794,24 @@ These requirements are generally binding, and there is no low-medium-high tierin
### 5.2.6 Role based authorisation

The identity management is an essential piece in the larger puzzle of cybersecurity.
A secure product is required to confirm the identity and authority of all users performing an action.
Identity and authorization to execute a single or a set of commands can be two different systems depending on the design.
In smaller systems, these two are often combined.
A secure product confirms the identity and authority of all users performing an action.
Depending on the design of the product, identity management and the authorisation to execute a single or a set of commands can use the same system or two distinct systems.
The choice to use a single or sepertate systems often relates to system and network size and in smaller systems, identity management and authorization are often combined.

An NMS can serve also traffic without running an identification routine of the distant entity:
A router in residential use is often configured in a way that the physical access to a local port is sufficient to identify Service Requesting User.
The user whom benefits from the provisioned configuration.
In addition, a managed device can have a configuration port, a management API, a firmware update channel, and even a debugging interface, whereas all of them are classified as privileged and require proper authorisation.
As necessary functions as identification and authorisation are, an NMS can still serve traffic without perfroming an identification routine as long as that traffic is authorised in another way. 
For example, residential routers are often configured in a way that physical access to a local port is sufficient to identify a Service Requesting User. Identification is provided by proximity and the user with physical access is the beneficiary of the provisioned configuration. (EDIT NOTE: I AM UNSURE WHAT IS BEING SAID HERE? - AB)
This does not mean that every access channel should provide authorization because of phsycial access. A managed device can have a configuration port, a management API, a firmware update channel, and even a debugging interface, all of them classified as privileged and requiring proper authorisation depending on the device and its use.

An identity management system provides for the identity of each administrative user.
It provides the assurance of that an entity has authorization and has provided the correct information to the product to perform a specific action.[\[i.12\]](#_ref_i.12)
An identity management system provides a mechanism to assure the identity of each administrative user.
It provides that an entity has authorization for access but has also given the NMS the correct information to perform a specific action.[\[i.12\]](#_ref_i.12)
Only a well maintianed trusted source list can provide functional identity.

If the source identity is a company internal directory, the content needs to be up to date and reflect the status of persons granted current access.
This means that only an up to date source of idnetity credentails is essential. If the source identity is a company internal directory, it can only function if its content reflects the status of persons granted current access.

These requirements apply to all network management systems, regardless of the product's use case and without variation for different tiers or risk.

-AB EDIT END 28-4-26

- **[REQ-AUTH-0]:** The product shall support identity management through at least one of the following approaches: (a) integration of the NMS into an external state-of-the-art Identity Management System, (b) integration of an external Identity Management System into the NMS, or (c) a dedicated Identity Management module built into the NMS.
- **[REQ-AUTH-1]:** Product shall use multi-factor authentication to confirm the identity of a natural user appropriate to the intended and reasonably foreseeable use.
- **[REQ-AUTH-2]:** Product shall limit a natural user's authorisation validity of a session via a configuarble setting that shall be initially limited to one by by factory default.
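Review bot: the rewrite of the privileged-interfaces sentence changes its normative meaning rather than just its grammar: the earlier wording states that a configuration port, management API, firmware update channel and debugging interface "are classified as privileged and require proper authorisation", whereas the new sentence appends "depending on the device and its use", which turns an unconditional requirement into a conditional one; if the intent is only flow, drop that qualifier. The rewritten intro also still carries drafting markers that should not land in the spec text, namely "(EDIT NOTE: I AM UNSURE WHAT IS BEING SAID HERE? - AB)" and the line "-AB EDIT END 28-4-26"; resolve the open question in the MR discussion and remove both before merge. A grammar pass should also catch the misspellings introduced here ("sepertate", "perfroming", "phsycial", "maintianed", "idnetity credentails"), the trailing whitespace after "in another way.", the mixed "authorisation"/"authorization" spelling within one paragraph, and the awkward "This means that only an up to date source of idnetity credentails is essential." (suggest: "This means an up-to-date source of identity credentials is essential."). While in this section, REQ-AUTH-2 in the surrounding context reads "configuarble" and "limited to one by by factory default", which the same pass could fix.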