Require point-of-execution authorization for high-impact NMS actions
Standard: EN 304 621 Network Management Systems
Clause: 5.2.6 Role based authorisation
Comment type: Technical
Concern: Role membership and authentication alone are not sufficient for high-impact network management actions. A user or machine identity may be authenticated and assigned a role, while the specific requested action is stale, replayed, outside the current policy context, or no longer authorized at the time of execution.
Objective: Add explicit point-of-execution authorization requirements for high-impact NMS actions.
Suggested contribution: Add after [REQ-AUTH-2]:
[REQ-AUTH-3]: For any management action that can modify managed-element configuration, control-plane behaviour, routing or forwarding state, security policy, identity or authorization configuration, cryptographic trust material, software state, availability, or network reachability, the product shall verify an explicit authorization decision immediately before execution. The authorization decision shall be bound to the acting identity (whether natural user or machine user), role or permission set, target managed element or elements, requested operation, material request parameters, policy version or rule identifier, and validity interval.
[REQ-AUTH-4]: The product shall prevent execution of such a management action when the authorization decision is absent, expired, inconsistent with current policy or context, or cannot be recorded as an auditable event.
Assessment suggestion: Attempt a high-impact management action using an authenticated subject that has general access to the NMS but lacks explicit authorization for the requested operation. Verify fail-closed denial and audit event generation. Modify policy between request/admission and execution and verify re-evaluation before execution.
Rationale: Authentication and role membership do not prove that a specific high-impact NMS action is authorized at the time it is executed. A point-of-execution authorization decision reduces stale approvals, replay, privilege drift, automation errors and accidental blast radius, while creating a deterministic authorization-execution-audit chain.
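An added example (not part of the submitted comment or of EN 304 621) of a gate that enforces the checks in [REQ-AUTH-3] and [REQ-AUTH-4] immediately before execution. The Decision fields, function names and sample request are assumptions made for illustration, and the decision object is assumed to come from a trusted policy decision point.

```python
import hashlib, json, time
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:              # assumed to come from a trusted policy decision point
    subject: str             # acting identity (natural or machine user)
    role: str
    targets: frozenset       # managed element identifiers
    operation: str
    params_digest: str       # hash over the material request parameters
    policy_version: str
    not_before: float
    not_after: float

def digest(params):
    return hashlib.sha256(json.dumps(params, sort_keys=True).encode()).hexdigest()

def denial_reason(decision, request, current_policy, now):
    """Return why execution must be refused, or None if the decision covers this request."""
    if decision is None:
        return "decision absent"
    if not decision.not_before <= now <= decision.not_after:
        return "decision outside validity interval"
    if decision.policy_version != current_policy:
        return "policy changed since decision"
    bound = (decision.subject, decision.role, decision.targets,
             decision.operation, decision.params_digest)
    asked = (request["subject"], request["role"], frozenset(request["targets"]),
             request["operation"], digest(request["params"]))
    return None if bound == asked else "decision not bound to this request"

def execute(decision, request, current_policy, audit, action, now=None):
    """Gate called immediately before the action; returns (executed, reason)."""
    now = time.time() if now is None else now
    reason = denial_reason(decision, request, current_policy, now)
    try:  # record allow and deny alike; no audit record means no execution
        audit({"request": request, "allowed": reason is None, "reason": reason, "at": now})
    except Exception:
        return False, "audit record failed"
    if reason is None:
        action(request)
    return reason is None, reason

# Constructed sample request (identifiers are made up for illustration)
REQUEST = {"subject": "svc-automation", "role": "route-operator", "targets": ["pe-router-1"],
           "operation": "set-static-route", "params": {"prefix": "203.0.113.0/24", "next_hop": "192.0.2.1"}}
```

Passing the policy version that is current at execution time, not the one seen at admission, is what makes the policy-change case in the assessment suggestion observable.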