![[Public Interpretations Database]](http://www.niap-ccevs.org/assets/images/precedent-db.jpg){kind=small}
PD-0012: Can Access Control Attributes Determine Users In A Role?
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
| Effective Date: | 2002-03-11 |
| Last Modified | 2006-08-02 |
Issue
Given a profile with an objective to permit authorised users have the capability to specify the resources that may be accessed by specified users (in particular, by changing the access control attributes), is it sufficient to use an FMT component that refers only to user roles.
Resolution
It is sufficient, because FMT_SMR.1 can be interpreted broadly enough to permit the TSF to allow policy to determine the users in a role.
Support
The initial approach would be to change the profile to refer to authorized users, instead of authorized roles. However, that doesn't resolve the problem, as the term authorized users is too vague. However, it appears that FMT_SMR.1 can be interpreted as allowing policy to specify the users that fit within a given category (such as the owner of the object).
Modification History:
- 2004-08-12
- Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)
References:
- LSPPv1.0
Related NIs:
- I-0358: Roles Whose Membership Is Defined By Object Attributes
Related CCIMB-INTERPs:
- None
Source OD: 0071