[Public Interpretations Database]

PD-0011: Attribute Inheritance/Modification Rules Need To Be Included In Policy


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-03-11
Last Modified: 2006-08-02

Issue

FMT_MSA.1.1 only allows the specification of the roles permitted to make selected security attribute modifications. However, the FMT_MSA component provides no ability to specify policies related to security attribute modification, such as how new objects inherit security attributes from creating subjects, or ancillary rules that control security attribute modification. For example, one cannot use FMT_MSA to specify a rule that a Mandatory Access Control SFP must be satisfied in order to set security attributes controlled under a Discretionary Access Control policy. So how can this be done?

Resolution

This issue is addressed by I-0363, soon to be superseded by I-0420.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CAPPv1.a

Related NIs:

  • I-0363: Attribute Inheritance/Modification Rules Need To Be Included In Policy
  • I-0420: Attribute Inheritance/Modification Rules Need To Be Included In Policy

Related CCIMB-INTERPs:

  • None

Source OD: 0057