@@ -838,14 +838,15 @@ In addition, the managed device can have a configuration port, management API, f
-**[REQ-AUTH-5]:** All privileged interfaces shall implement RBAC.
-**[REQ-AUTH-6]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
-**[REQ-AUTH-7]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
-**[REQ-AUTH-8]:** Audit events shall include the source of the identity if multiple sources are used.
-**[REQ-AUTH-8]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-9]:** Audit events shall include the source of the identity.
#### Machine users
-**[REQ-AUTH-9]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-10]:** The product shall support machine credential rotation.
-**[REQ-AUTH-11]:** The product shall implement passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-12]:** The served API desing shall support minimal access grants for the machine user if applicable.
-**[REQ-AUTH-10]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-11]:** The product shall support machine credential rotation.
-**[REQ-AUTH-12]:** The product shall implement passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-13]:** The served API desing shall support minimal access grants for the machine user if applicable.
<mark>TODO: define usage of machine credentials better, consider the cli over ssh controlled scenario</mark>
