@@ -791,7 +791,7 @@ These requirements are generally binding, and there is no low-medium-high tierin
-**[REQ-SBOM-1b]:** The SBOM identifier format shall be consistent with common vulnerability handling standards.
-**[REQ-SBOM-1b]:** The SBOM identifier format shall be consistent with common vulnerability handling standards.
-**[REQ-SBOM-2]:** The SBOM shall be consistent with [5.3.4 Secure updates] practices.
-**[REQ-SBOM-2]:** The SBOM shall be consistent with [5.3.4 Secure updates] practices.
### 5.2.6 Role based authorisation
### 5.2.6 Identity and authorisation
The identity management is an essential piece in the larger puzzle of cybersecurity.
The identity management is an essential piece in the larger puzzle of cybersecurity.
A secure product confirms the identity and authority of all users performing an action.
A secure product confirms the identity and authority of all users performing an action.
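Review bot: Renaming the heading from "5.2.6 Role based authorisation" to "5.2.6 Identity and authorisation" changes a cross-reference target, so any other clause that links to the old title (the document already uses bracketed titles such as [5.3.4 Secure updates] and [5.2.4 State-of-the-art cryptographic libraries]) needs the same update in this change. While here, the first sentence of the clause reads better without the article: "Identity management is an essential piece in the larger puzzle of cybersecurity."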
@@ -802,7 +802,7 @@ As necessary functions as identification and authorisation are, a NMS can still
For example, residential routers are often configured in a way that physical access to a local port is sufficient to identify a Service Requesting User. authorisation is provided by proximity and a user with physical access becomes the beneficiary of the provisioned configuration.
For example, residential routers are often configured in a way that physical access to a local port is sufficient to identify a Service Requesting User. authorisation is provided by proximity and a user with physical access becomes the beneficiary of the provisioned configuration.
This does not mean that every access channel should provide authorisation with physical access. A managed device can have a configuration port, a management API, a firmware update channel, and even a debugging interface, all of them classified as privileged and requiring complex authorisation depending on the device, and its use.
This does not mean that every access channel should provide authorisation with physical access. A managed device can have a configuration port, a management API, a firmware update channel, and even a debugging interface, all of them classified as privileged and requiring complex authorisation depending on the device, and its use.
An identity management system is a mechanism to assure the identity of each administrative user.
An identity management system is a mechanism to assure the identity of each privileged user or entity.
It provides that an entity is not only authorised to interact with the system, but has given the NMS the correct information to perform a specific action.[\[i.12\]](#_ref_i.12)
It provides that an entity is not only authorised to interact with the system, but has given the NMS the correct information to perform a specific action.[\[i.12\]](#_ref_i.12)
To function Identity management systems maintain a list of trusted sources and only a well maintianed trusted source list can provide functional identity.
To function Identity management systems maintain a list of trusted sources and only a well maintianed trusted source list can provide functional identity.
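Review bot: The widening of "administrative user" to "privileged user or entity" is the right direction, but the unchanged context around it still carries the old wording and several typos that this hunk is the natural place to fix: "authorisation is provided by proximity" starts a sentence in lower case, "maintianed" should be "maintained", "To function Identity management systems" needs a comma after "To function", and "a NMS" in the hunk header should be "an NMS". Suggested last sentence: "To function, identity management systems maintain a list of trusted sources, and only a well maintained trusted source list can provide functional identity."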
@@ -827,10 +827,12 @@ If the product's deployment context calls for an all-powerful superuser, this ca
In many systems identity information includes a group assignment matched to a role inside the system.
In many systems identity information includes a group assignment matched to a role inside the system.
Role Based Access Control design and depth is outside of the scope of this standard.
Role Based Access Control design and depth is outside of the scope of this standard.
Both natural users, machine users, or any privileged action performing entities needs roles or comparable control structures like Attribute-Based Access Control, to limit individual access credentials to the smallest possible set of access grants.
Both natural users, machine users, or any privileged action performing entities needs roles or comparable control structures like Attribute-Based Access Control, to limit individual access credentials to the smallest possible set.
This is the reason for [REQ-AUTH-3], but as the evaluating the fit of the implementation to the intented use, the design validation is only vaguely specified in [REQ-AUTH-4].
This is the reason for [REQ-AUTH-3], but as the evaluating the fit of the implementation to the intented use, the design validation is only vaguely specified in [REQ-AUTH-4].
Machine users can often have more exact limits on what functions they require. [\[i.13\]](#_ref_i.13)
Machine users can often have more exact limits on what functions they require. [\[i.13\]](#_ref_i.13)
The same interfaces can be used by the machine users and the admin users.
As adminstrator is a priviledged users, but the machine user making changes is not an administrator, this document refers to both as privileged users whom are often connecting to privileged interfaces.
The product can serve traffic that is not meant to be identified.
The product can serve traffic that is not meant to be identified.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
For example, an in-home router often trusts that the physical access to its port is enough to identify the subscriber line.
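Review bot: The newly added sentence defining "privileged users" contains several spelling and grammar errors and, since it introduces the term the rest of the change depends on, should be cleaned up: "adminstrator" and "priviledged" are misspelled, "a ... users" mixes number, and "whom" should be "who". Suggested wording: "As an administrator is a privileged user, but the machine user making changes is not an administrator, this document refers to both as privileged users who often connect to privileged interfaces." Separately, dropping "of access grants" from the least-privilege sentence leaves "the smallest possible set" without an object; keep "of access grants". "intented" in the following unchanged line should also be "intended".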
@@ -839,19 +841,18 @@ The operative context is described in more datail in the section [4.8 Operationa
-**[REQ-AUTH-3]:** When a user or system identity has been authenticated, the product shall apply authorisation controls based on assigned roles or equivalent access-control attributes.
-**[REQ-AUTH-3]:** When a user or system identity has been authenticated, the product shall apply authorisation controls based on assigned roles or equivalent access-control attributes.
-**[REQ-AUTH-4]:** The authorisation model shall enforce separation of privileges appropriate to the intended and reasonably foreseeable use of the product.
-**[REQ-AUTH-4]:** The authorisation model shall enforce separation of privileges appropriate to the intended and reasonably foreseeable use of the product.
-**[REQ-AUTH-5]:** The product technical documentation shall describe the authorization model implemented by the product.
-**[REQ-AUTH-5]:** The product technical documentation shall describe the identity and authorization model implemented by the product.
-**[REQ-AUTH-6]:** The product shall implement and document authorization controls in the technical documentation and in the user documentation, like RBAC or ABAC, suitable for privileged interfaces and sensitive operations.
-**[REQ-AUTH-6]:** All access to privileged interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
-**[REQ-AUTH-7]:** All access to administrative interfaces, control functions, and sensitive operations shall be subject to strong authentication of users, services, or integrated components.
-**[REQ-AUTH-7]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
-**[REQ-AUTH-8]:** Privileged interfaces shall be protected with [5.2.4 State-of-the-art cryptographic libraries].
-**[REQ-AUTH-8]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-9]:** The product shall report all relevant events related to authorisation including, but not limited to, successful and unsuccessful use of identity, object access, policy change, privileged function use, data access and deletions, data changes and permission changes.
-**[REQ-AUTH-9]:** The product shall record the source of the identity in authoritative event monitoring data.
-**[REQ-AUTH-10]:** The product shall record the source of the identity in authoritative event monitoring data.
#### Machine users
#### Machine users
-**[REQ-AUTH-11]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-10]:** The product shall not implement a design where default machine user credentials are used.
-**[REQ-AUTH-12]:** The product shall support machine credential rotation or comparable structure.
-**[REQ-AUTH-11]:** The product shall support machine credential rotation or comparable structure.
-**[REQ-AUTH-13]:** The product shall implement passwordless authentication for machine users such as certificates, tokens, or ABAC.
-**[REQ-AUTH-12]:** The product shall implement passwordless authentication for machine users such as certificates or tokens.
-**[REQ-AUTH-14]:** The served API desing shall support minimal access grants for the machine user.
-**[REQ-AUTH-13]:** The served API desing shall support minimal access grants for the machine user.
### 5.2.7 Remote Data Processing Systems
### 5.2.7 Remote Data Processing Systems
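Review bot: Deleting the old [REQ-AUTH-6] and shifting every later requirement down by one (old AUTH-7 through AUTH-14 become AUTH-6 through AUTH-13) silently renumbers binding requirements, so every reference to these identifiers elsewhere in the document, in conformance checklists, and in any downstream assessment material breaks; prefer retiring the number (marking REQ-AUTH-6 as withdrawn) or documenting the renumbering in the change description. Note also that the removed requirement was the only one demanding authorisation controls be described in the user documentation; the revised [REQ-AUTH-5] covers technical documentation only, so confirm that loss is intended. Dropping "or ABAC" from the passwordless machine authentication requirement is correct, since ABAC is an authorisation model rather than a credential type. Minor: "desing" in REQ-AUTH-13 should be "design", "authorization" in REQ-AUTH-5 and "authorisation" in REQ-AUTH-8 should use one spelling, and "datail" in the hunk header context should be "detail".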
@@ -937,7 +938,7 @@ Distributed application design and delay lines built with buffers might tolerate
### 5.3.5 Logging
### 5.3.5 Logging
In many product deployments, administrators manage monitoring tasks also with the analysis of product logging records.
In many product deployments, privileged users manage monitoring tasks also with the analysis of product logging records.
Especially when there are forensic demands, comprehensive and detailed logging becomes a larger challenge.
Especially when there are forensic demands, comprehensive and detailed logging becomes a larger challenge.
The logging requirements in this subclause define baseline event recording and additional protections for retention, integrity, backup, and external forwarding according to the applicable risk tier.
The logging requirements in this subclause define baseline event recording and additional protections for retention, integrity, backup, and external forwarding according to the applicable risk tier.
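Review bot: The terminology change to "privileged users" is consistent with 5.2.6, but the sentence it lands in is awkwardly ordered ("manage monitoring tasks also with the analysis of product logging records"); suggest "In many product deployments, privileged users also analyse product logging records as part of their monitoring tasks." The next sentence would read more naturally as "comprehensive and detailed logging becomes a larger challenge, especially when there are forensic demands."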