@@ -831,9 +831,8 @@ Both natural users, machine users, or equivalent structures shall be assigned ro
The product can serve traffic that is not meant to be identified.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
In addition, the managed device can have a configuration port, management API, firmware update channel, or debugging access, which are classified as privileged. [NOTE: Repeats above]
[NOTE: I am unsure is the above text should be here at all - while useful it is descriptive of the nature of identity managment practices rather then providing requirements for products? Should this be in another section e.g. functions or architecture?]
In addition, the managed device can have a configuration port, management API, firmware update channel, or debugging access, which are classified as privileged.
The operative context is described in more datail in the section [4.8 Operational Environment](#48-operational-environment).
-**[REQ-AUTH-3]:** When a user or system identity has been authenticated, the product shall apply authorisation controls based on assigned roles or equivalent access-control attributes.
-**[REQ-AUTH-4]:** The authorisation model shall enforce separation of privileges appropriate to the intended and reasonably foreseeable use of the product.
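Review bot: Dropping REQ-AUTH-3 and REQ-AUTH-4 removes the only normative text in this hunk that ties authentication to authorisation (role- or attribute-based access control after a successful login) and that requires privilege separation for the product's foreseeable use; no `+` line here replaces them, so unless they are restated elsewhere in this change the section is left with descriptive prose and no enforceable requirement on the authorisation model. Either keep the two requirements or add a sentence pointing to their new identifiers and location. Separately, the surrounding context still carries unresolved editorial markers ("[NOTE: Repeats above]", "[NOTE: I am unsure ...") and the duplicated sentence "In addition, the managed device can have a configuration port, ..." on two consecutive lines, plus the typos "datail", "managment" and "rather then"; since this hunk already touches the block, resolving the note and removing the duplicate here would keep them from shipping in the published text.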