Commit cf9c189c authored by Santeri Toikka

Adopted August's notes from the MR

parent 4080011a
+8 −8
@@ -795,15 +795,15 @@ These requirements are generally binding, and there is no low-medium-high tierin
### 5.2.6 Identity and access management
### 5.2.6 Identity and access management


The identity and access management (IAM) and authorisation grants are essential pieces in the larger puzzle of cybersecurity.
The identity and access management (IAM) and authorisation grants are essential pieces in the larger puzzle of cybersecurity.
A secure product confirms the identity and authority of all users and performing an action.
A secure product is able confirm the identity and authority of all users performing an action.
As there natural user and machine user can sometimes be used interchangeably in the context, both are referred as subjects from now on.
As the natural user and machine user can sometimes be used interchangeably in the context the term subject in this document refers to both unless specified.


Depending on the design of the product, authorisation to execute a single or a set of commands and general identity management can use the same system or two distinct systems.
Depending on the design of the product, authorisation to execute a single or a set of commands and general identity management can use the same system or two distinct systems.
The choice to use a single or sepertate systems often relates to system and network size and in smaller systems identity management and authorization are often combined.
The choice to use a single or sepertate systems often relates to system and network size and in smaller systems identity management and authorization are often combined.


Machine users can often have more exact limits on what functions they require. [\[i.13\]](#_ref_i.13)
Machine users can often have more exact limits on what functions they require. [\[i.13\]](#_ref_i.13)
The same interfaces can be used by the machine users and the privileged users.
The interfaces designed for the machine users can be used by other privileged subjects.
As adminstrator is a priviledged users, but the machine user making changes is not an administrator, this document refers to both as privileged users whom are often connecting to privileged interfaces.
As adminstrator is often a priviledged natural user, but the machine user making changes is not nessesarily an administrator, this document refers to both as privileged subject whom are often connecting to privileged interfaces.


The product can serve traffic that is not meant to be identified.
The product can serve traffic that is not meant to be identified.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
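Review bot: the rewritten sentence on the new side, "A secure product is able confirm the identity and authority of all users performing an action.", is missing "to" ("is able to confirm"). The revised administrator sentence in the same hunk also carries over several misspellings that this edit could fix ("adminstrator", "priviledged", "nessesarily") and should read "privileged subjects who are often connecting to privileged interfaces" rather than "privileged subject whom"; starting it with "An administrator" would also help. "sepertate" in the unchanged line two paragraphs above is the same kind of slip and could be swept into this commit.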
@@ -812,12 +812,12 @@ The operative context is described in more datail in the section [4.8 Operationa


#### Identity management
#### Identity management


An identity management system is a mechanism to assure the identity of each subject which can be privileged or non-privileged within the system deployment context.
An identity management system is assures the identity of each subject which can be privileged or non-privileged within the system deployment context.
Identity management system maintains a list of trusted sources, one or more, that describes what subjects are valid.
The identity management system maintains a list of trusted sources, one or more, that describes what subjects are valid.


An up-to-date source of identity is essential.
An up-to-date source of identity is essential.
If a company internal employee directory is the source of the identity, its functionality is dependent on the accuracy and timeliness of its content.
If a company internal employee directory is the source of the identity, its functionality is dependent on the accuracy and timeliness of its content.
If an employee exits the company, the identity is expected to vanish or at least reflect the contractual status of the employee.
If an employee exits the company, their identity is expected to vanish or at least reflect the contractual status of the employee.
The idenity management is often assessed as part of certification processes, and is outside of this document. [\[i.12\]](#_ref_i.12)
The idenity management is often assessed as part of certification processes, and is outside of this document. [\[i.12\]](#_ref_i.12)
Identity management system design and implementation is outside of the scope of this standard.
Identity management system design and implementation is outside of the scope of this standard.
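Review bot: the new line "An identity management system is assures the identity of each subject ..." keeps a stray "is" from the original "is a mechanism to assure"; it should read "An identity management system assures the identity of each subject ...". In the unchanged lines, "idenity" in the [i.12] sentence is still misspelled, and that sentence and the final one both state that identity management is outside this document's scope, so consider merging them into one sentence, e.g. "Identity management is often assessed as part of certification processes [i.12]; its design and implementation are outside the scope of this standard." The hunk header's context line also shows "datail" for "detail" at the section 4.8 reference.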