Functional Tool Requirements
3.5 Service Complex: Security
SSEC03 - Access Control

  LSIC03 - Access Control

Contents
  • 1 Allocation to V-Model and Methods Allocation
  • 2 Brief Characteristics
  • 3 Requirements
      • 3.1 Requirements for Interfaces
      • 3.2 Requirements for the Methods Support
      • 3.3 Requirements for Functions
      • 3.4 Other Requirements

    1 Allocation to V-Model and Methods Allocation

    V-Model:
    CM1.2 - Setting up CM
    CM2.5 - Administration of Access Rights

    Method:
    none

    2 Brief Characteristics

    In this service unit, requirements are defined that guarantee that no subjects, i.e. users or processes acting on a user's instruction, have access to information or resources for which they possess no access right or for which there is no necessity of access (need-to-know). Furthermore, requirements are defined that prevent the unauthorized generation or modification (including deletion) of information.

    This comprises all functions for the control

    This includes the administration (e. g. appointment and reversal) of access rights and their checks.

    This service unit includes all functions

    3 Requirements

    3.1 Requirements for Interfaces

    SSEC03.I.1 Interface to SOM01 - Creating, Storing, Administration of Data Structures and Data of the SDE All access attempts to objects that are subject to the object management are first subjected to the access control.
    SSEC03.I.2 Interface to SOM02 - Analysis and Query of Data Structures and Data of the SDE All access attempts to objects that are subject to the object management are first subjected to the access control.
    SSEC03.I.3 Interface to SOM03 - Export, Import of Data Structures and Data of the SDE The access authorizations are taken into account when importing or exporting objects.
    SSEC03.I.4 Interface to SSEC02 - Identification and Authentication
    SSEC03.I.4.1 Protection of the identification and authentication data The service unit "Access Control" guarantees that only the system manager can access the identification and authentication data.
    SSEC03.I.4.2 Making the identification and authentication data available The service unit "Access Control" requires a correctly functioning identification and authentication mechanism that cannot be bypassed. The service unit "Identification and Authentication" places all identification and authentication data needed for the administration and control of access rights at the disposal of the service unit "Access Control".
    Among other things, this includes the information about the clearance and authorization of individual users.
    SSEC03.I.5 Interface to SSEC04 - Auditing
    SSEC03.I.5.1 Transfer of logging information All information necessary for logging access attempts is transferred from the service unit "Access Control" to the service unit "SSEC04 - Auditing".
    SSEC03.I.5.2 Protection of audit mechanisms, data and parameters The service unit "Access Control" guarantees that no user other than the person in charge of the audit can access the audit mechanisms, parameters and logging data.
    SSEC03.I.5.3 Protection of user profiles The service unit "Access Control" guarantees that no user other than the person in charge of the audit can access the user profiles used for intrusion detection.

    3.2 Requirements for the Methods Support

    none

    3.3 Requirements for Functions

    SSEC03.F.1 Granularity of the access control
    SSEC03.F.1.1 Subjects It is possible to distinguish the access rights of individual users or defined user groups, of roles and of processes. User groups and roles can only be defined by specially authorized users.
    SSEC03.F.1.2 Objects It is possible to distinguish the access rights to individual objects or to defined types of objects. New types of objects can only be defined by specially authorized users.
    SSEC03.F.1.3 Encapsulation It is possible to allow access to specific objects only via specified processes.
    SSEC03.F.1.4 Access modes At least the following access modes are distinguished within the "Access Control":
    • reading of objects,
    • writing of objects,
    • creating of objects,
    • deleting of objects,
    • renaming of objects,
    • executing of executable objects.
    SSEC03.F.2 Administration of Rights
    SSEC03.F.2.1 Assignment of Rights According to the granularity mentioned above, it is possible to assign access rights to subjects in the form of any combination of the possible access modes to objects.
    In particular, it is also possible to deny a subject every access to an object.
    SSEC03.F.2.2 Modification and revocation of rights According to the granularity mentioned above, it is possible to modify or revoke existing access rights.
    SSEC03.F.3 Protection of rights administration data It is guaranteed that only the system manager is given write access to the data of the rights administration.
    SSEC03.F.4 Conditions It is possible to attach additional conditions to access rights.
    For example, access may be allowed only on specified days or at specified times.
    SSEC03.F.5 Roles In order to support roles, access rights may be combined. Among others, the roles operator, system manager and security representative are possible.
    It is also possible to define a role Data Administrator. This is the only role able to carry out schema changes. In addition, it is possible to organize users into user groups and to define rights and default settings for a user or a user group in a corresponding profile.
    SSEC03.F.6 Positive list For any object, it is possible to generate a list of the access-authorized users and user groups together with their corresponding access rights for this object.
    SSEC03.F.7 Negative list For any object, it is possible to generate a list of the users and user groups that do not possess a specific access right to this object.
    Such a list may contain, for example, all users that do not possess the write right or that do not have any right at all to this object.
    SSEC03.F.8 Mandatory access control
    SSEC03.F.8.1 Existence of a mandatory access control The mandatory access control is performed according to fixed, unchangeable, unambiguous rules. Special attributes (e.g. classifications) serve as the decision basis for checking the rules. Such attributes are allocated to all subjects and all objects under the object management. The rules determine which combinations of subject and object attribute values a subject needs in order to gain access to the object. Access rights are assigned by assigning values to the attributes. When an object is exported, its attributes are exported with it so that the receiver is able to reconstruct them uniquely.
    SSEC03.F.8.2 Attribute appointment A specially authorized user is in the position of allocating attributes (e. g. classifications) to imported, non-attributed data.
    SSEC03.F.8.3 Structuring The mandatory access rights are structured in such a way that the following special case may be realized:
    The attribute consists of two parts: the first part contains hierarchically ordered values, the second part represents a set. A subject is only allowed
    1. to read objects the attribute of which is dominated by the attribute of the subject,
    2. to write objects the attribute of which dominates the attribute of the subject.
    An example: the first part contains classifications like public, confidential, secret. The second part contains categories. An attribute A dominates an attribute B exactly when Part 1 of A is hierarchically greater or equal to Part 1 of B and when Part 2 of B is a subset of Part 2 of A.
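The dominance relation and the two rules above, worked through in Python as an added example (not part of the requirements document). The classification hierarchy public &lt; confidential &lt; secret and the category names are constructed after the example in SSEC03.F.8.3; the two channel functions implement the one-level and multi-level channel checks of SSEC03.F.8.5.2 and SSEC03.F.8.5.3 on the same labels, which is an assumption about how the channel attribute is represented.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Part 1 of the attribute: hierarchically ordered classifications (constructed, after the
# example in SSEC03.F.8.3); a higher index means a higher classification.
LEVELS = ("public", "confidential", "secret")


@dataclass(frozen=True)
class Label:
    """Attribute of a subject or object: a classification (Part 1) and a category set (Part 2)."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def rank(self) -> int:
        return LEVELS.index(self.level)


def dominates(a: Label, b: Label) -> bool:
    """A dominates B iff Part 1 of A >= Part 1 of B and Part 2 of B is a subset of Part 2 of A."""
    return a.rank() >= b.rank() and b.categories <= a.categories


def may_read(subject: Label, obj: Label) -> bool:
    """Rule 1: a subject may read only objects whose attribute is dominated by its own."""
    return dominates(subject, obj)


def may_write(subject: Label, obj: Label) -> bool:
    """Rule 2: a subject may write only objects whose attribute dominates its own."""
    return dominates(obj, subject)


def one_level_channel_admits(channel_level: str, data: Label) -> bool:
    """SSEC03.F.8.5.2: a one-level channel carries only data whose classification equals the channel's."""
    return data.level == channel_level


def multi_level_channel_admits(min_level: str, max_level: str, data: Label) -> bool:
    """SSEC03.F.8.5.3: a multi-level channel carries only data classified within [min, max]."""
    return LEVELS.index(min_level) <= data.rank() <= LEVELS.index(max_level)


if __name__ == "__main__":
    # Constructed labels: a subject cleared for secret/{crypto} and two objects.
    analyst = Label("secret", frozenset({"crypto"}))
    memo = Label("confidential", frozenset({"crypto"}))
    plan = Label("secret", frozenset({"crypto", "nuclear"}))
    for name, doc in (("memo", memo), ("plan", plan)):
        print(f"{name}: read={may_read(analyst, doc)} write={may_write(analyst, doc)}")
    print("secret one-level channel admits memo:", one_level_channel_admits("secret", memo))
```

Note that the second object is not readable although it carries the same classification as the subject: its category set is not a subset of the subject's, so dominance fails on Part 2. Conversely it is writable, since an object may be written when it dominates the subject.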
    SSEC03.F.8.4 Display of attribute values Every user can have the attribute values of all processes active on his behalf within the current interactive session displayed.
    SSEC03.F.8.5 Transmission
    SSEC03.F.8.5.1 Classification of communication channels Every communication channel may be identified as one-level or multi-level. Thereby it is possible to define the classification required for a message so that this message is allowed to be transmitted via this communication channel.
    Only messages with a definite classification are allowed to be transmitted via one-level channels. All other messages are not transmitted by this channel.
    SSEC03.F.8.5.2 One-level channels Channels marked as one-level have an attribute representing the corresponding classification. Data are only allowed to be sent or received via them if they have the corresponding attribute and if the value is equal to the predefined attribute value of the channel.
    SSEC03.F.8.5.3 Multi-level channels It is possible to appoint a minimum and maximum classification for the channel. Data are only transported via the channel if their classification is between the minimum and maximum classification. When outputting the object to a multi-level I/O device the classification allocated to the object is also output.
    SSEC03.F.8.5.4 Administration of channel classifications It is possible to appoint, to change and to reverse channel classifications. It is possible to log each of these actions.
    SSEC03.F.8.5.5 Changing the channel classification It is only possible for authorized users to change the channel classification.
    SSEC03.F.8.5.6 Transmission of data and their attributes The transmission protocol guarantees that all data and attributes are completely and uniquely reconstructable on the receiver side and that it is possible to allocate uniquely the attributes to the data.
    SSEC03.F.8.5.7 Human-readable output An attribute marking the classification is always placed on human-readable output.
    Human-readable output is printer or screen output.
    SSEC03.F.9 Discretionary access control
    SSEC03.F.9.1 Existence of a discretionary access control It is possible for every user or every process on the user's instruction to determine which access rights other users or their processes shall obtain with regard to objects under his control.
    Generally, control over an object is in the hands of the object owner as well as of the system manager.
    SSEC03.F.9.2 Changing the access rights It is possible for the object owner to change the access rights at any time.
    These rights should be allocated according to the need-to-know principle.
    SSEC03.F.9.3 Appointing controls It is possible for specially authorized users (e.g. the system manager) to designate a specific user or group of users to take over control of the object.
    SSEC03.F.10 Checking the access rights The authorization is checked for every access of a local or remote subject to an object under the object management. In particular, the actions of passing on access rights, adding new users, deleting users and temporarily revoking all rights of a user are subject to the rights administration. If both discretionary and mandatory access control are implemented in the system, access is granted only after both control mechanisms have been passed successfully. Unauthorized access attempts are rejected.
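An added example (not from the requirements document) of a reference-monitor check in the sense of SSEC03.F.10: a discretionary check against an access control list that honours the explicit "deny every access" of SSEC03.F.2.1, a mandatory check using the dominance relation of SSEC03.F.8.3, and the positive and negative lists of SSEC03.F.6 and SSEC03.F.7 derived from the same list. Every attempt is appended to an audit list, standing in for the hand-over to SSEC04 described in SSEC03.I.5.1. All names, labels and the mapping of the six access modes of SSEC03.F.1.4 onto the MAC read and write rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set

MODES = {"read", "write", "create", "delete", "rename", "execute"}   # SSEC03.F.1.4
LEVELS = ("public", "confidential", "secret")                         # constructed hierarchy
# Assumed mapping of the access modes onto the two MAC rules of SSEC03.F.8.3:
# read-like modes use the read rule, every other mode the write rule.
READ_LIKE = {"read", "execute"}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """Dominance as defined in SSEC03.F.8.3 (hierarchy on Part 1, subset on Part 2)."""
    return LEVELS.index(a.level) >= LEVELS.index(b.level) and b.categories <= a.categories


@dataclass
class AclEntry:
    allowed: Set[str] = field(default_factory=set)
    deny_all: bool = False          # SSEC03.F.2.1: a subject may be denied every access


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: Dict[str, AclEntry] = field(default_factory=dict)   # keyed by user or group name


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    label: Label


def dac_allows(user: User, obj: Obj, mode: str) -> bool:
    """Discretionary check: an explicit deny for the user or any of its groups wins;
    otherwise the mode must be granted to the user or to one of its groups."""
    entries = [obj.acl[p] for p in (user.name, *user.groups) if p in obj.acl]
    if any(e.deny_all for e in entries):
        return False
    return any(mode in e.allowed for e in entries)


def mac_allows(user: User, obj: Obj, mode: str) -> bool:
    """Mandatory check: read-like modes need the subject to dominate the object,
    all other modes need the object to dominate the subject."""
    if mode in READ_LIKE:
        return dominates(user.label, obj.label)
    return dominates(obj.label, user.label)


def check_access(user: User, obj: Obj, mode: str, audit: List[str]) -> bool:
    """SSEC03.F.10: access is granted only if both DAC and MAC pass; every attempt is
    recorded (the record is what SSEC03.I.5.1 would hand to the auditing service unit)."""
    if mode not in MODES:
        raise ValueError(f"unknown access mode {mode!r}")
    granted = dac_allows(user, obj, mode) and mac_allows(user, obj, mode)
    audit.append(f"{user.name} {mode} {obj.name}: {'granted' if granted else 'rejected'}")
    return granted


def positive_list(obj: Obj) -> Dict[str, List[str]]:
    """SSEC03.F.6: users/groups holding rights on the object, with those rights."""
    return {p: sorted(e.allowed) for p, e in obj.acl.items() if e.allowed and not e.deny_all}


def negative_list(obj: Obj, users: Iterable[User], mode: str) -> List[str]:
    """SSEC03.F.7: users that do not possess the given right on the object (DAC view)."""
    return sorted(u.name for u in users if not dac_allows(u, obj, mode))


if __name__ == "__main__":
    # Constructed users and one object; bob holds a higher clearance than the object.
    alice = User("alice", frozenset({"dev"}), Label("confidential", frozenset({"proj"})))
    bob = User("bob", frozenset({"dev"}), Label("secret", frozenset({"proj"})))
    mallory = User("mallory", frozenset(), Label("public"))
    report = Obj("report", "alice", Label("confidential", frozenset({"proj"})), {
        "alice": AclEntry({"read", "write", "delete"}),
        "dev": AclEntry({"read", "write"}),
        "mallory": AclEntry(deny_all=True),
    })
    log: List[str] = []
    for user, mode in ((alice, "write"), (bob, "read"), (bob, "write"), (mallory, "read")):
        check_access(user, report, mode, log)
    print("\n".join(log))
    print("positive list:", positive_list(report))
    print("no delete right:", negative_list(report, [alice, bob, mallory], "delete"))
```

The interesting case is bob's write: the ACL grants it through the dev group, but the mandatory rule rejects it because a secret-cleared subject may not write a confidential object. The decision in `check_access` is the conjunction of both checks, as SSEC03.F.10 requires when both mechanisms are implemented.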
    SSEC03.F.11 Received objects Received objects are immediately handed over to access control.
    SSEC03.F.12 Default rights It is possible to configure an allocation of predefined access profiles being assigned when entering new users or generating new objects.
    SSEC03.F.13 Protection against eavesdropping on the connection setup Access to the lower-level network services is disabled for unprivileged users.
    SSEC03.F.14 Selective filter This service unit filters the individual transmitted packets at the transport level depending on the addresses of the involved communication partners and the chosen services. By means of control lists, it is checked on the target computer which computer is admitted to which services of the target computer.
    Thereby it is possible to deny admission to services (such as the UNIX services telnet, remote login, ftp).
    SSEC03.F.15 Secure relaying Besides the addresses, the port numbers are also evaluated. They determine the service to which the messages/message packets belong. If the admission of messages/message packets from this source address to this target address is allowed in the access control list, then the packet is transmitted if the "intelligent computer" is only an intermediate station or, otherwise, it is passed on to the next protocol level and further processed there. If there is no entry in the access control list, or a negative entry, the packet is generally not passed on to the higher protocol levels.
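The filtering and relaying decision of SSEC03.F.14 and SSEC03.F.15 as an added example in Python (not the document's own code). The control list is evaluated first-match, an assumption the requirements do not fix; the addresses and networks are constructed, and the port numbers are the well-known assignments for the services the text names (ftp 21, telnet 23, remote login 513). A packet with no entry, or with a negative entry, is dropped; an admitted packet is passed up to the next protocol level when this host is its target and relayed when the host is only an intermediate station.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Well-known ports of the UNIX services named in SSEC03.F.14.
SERVICES = {"ftp": 21, "telnet": 23, "login": 513}


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # target address
    dport: int    # destination port, i.e. the service the packet belongs to


@dataclass(frozen=True)
class Rule:
    src_net: str            # CIDR network of admitted/denied sources (constructed)
    dst_net: str            # CIDR network of targets
    dport: Optional[int]    # None matches any service
    action: str             # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


def lookup(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """First matching entry of the control list decides; None means there is no entry."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def decide(rules: List[Rule], pkt: Packet, local_addr: str) -> str:
    """SSEC03.F.15: no entry or a negative entry -> 'drop'; an admitted packet is
    'forward'ed when this host is only an intermediate station, otherwise it is
    'deliver'ed to the next protocol level on this host."""
    if lookup(rules, pkt) != "allow":
        return "drop"
    return "deliver" if pkt.dst == local_addr else "forward"


if __name__ == "__main__":
    # Constructed control list: telnet is denied from everywhere, ftp and remote login are
    # admitted from the local 10.0.0.0/24 network to the server 192.0.2.10 only.
    control_list = [
        Rule("0.0.0.0/0", "0.0.0.0/0", SERVICES["telnet"], "deny"),
        Rule("10.0.0.0/24", "192.0.2.10/32", SERVICES["ftp"], "allow"),
        Rule("10.0.0.0/24", "192.0.2.10/32", SERVICES["login"], "allow"),
    ]
    for pkt in (Packet("10.0.0.5", "192.0.2.10", 21),
                Packet("10.0.0.5", "192.0.2.10", 23),
                Packet("203.0.113.9", "192.0.2.10", 21)):
        print(pkt, "->", decide(control_list, pkt, local_addr="192.0.2.10"))
```

Because `decide` treats a missing entry exactly like a negative one, the filter is default-deny: a service that nobody listed is unreachable, which is the behaviour SSEC03.F.15 calls for.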

    3.4 Other Requirements

    none

    GDPA Online Last Updated 01.Jan.2002 Updated by Webmaster Last Revised 01.Jan.2002 Revised by Webmaster