Correction to PD 143
- Subject: Correction to PD 143
- From: "Observation Decisions Review Board" <faigin@aero.org>
- Date: Thu, 29 Jan 2009 10:48:44 -0800
- Content-description: Mail message body
- Content-transfer-encoding: 7BIT
- Content-type: text/plain; charset=US-ASCII
- Priority: normal
The ODRB made a cut and paste error when entering the text for PD
0143. The corrected PD 0143 is as follows:
TITLE
Meeting FDP_ACF.1 in the DBMS PP
ISSUE
FDP_ACF.1 requires rules for Discretionary Access Control addressing
both user IDs and group IDs. The combination of selection options and
Application Notes introduces confusion about when user and/or group IDs
must be included in the rule set. It was unclear whether a product
using only group IDs and not user IDs for DAC required inclusion of user
IDs in the rule set.
RESOLUTION
The second Application Note is FDP_ACF.1 in the DBMS PP v1.1 is modified
from:
Application Note: Rules need to include user IDs if the DBMS
implements user IDs. Likewise, rules need to include group IDs
if the DBMS implements group IDs.
to:
Application Note: Rules need to include user IDs if the DBMS
implements user IDs to enforce access control. Likewise, rules
need to include group IDs if the DBMS implements group IDs to
enforce access control. If the DBMS implements both user and
group IDs to enforce access control, then both must be included.
The DBMS must use at least one of user IDs or group IDs to
enforce access control. Rules referring to an object (user or
group) that does not enforce access control do not apply.
RATIONALE
FDP_ACF.1.2-NIAP-0407 includes both users and groups in the rules for
enforcing access control. As written, the requirement may appear to
force a TOE to implement access control through both. Not all TOEs use
both users and groups to enforce access control. The resolution
clarifies the intent of the PP to allow for one or the other or both for
enforcing access control.
Date Index |
Thread Index |
Problems or questions? Contact list-master@nist.gov