[Public Interpretations Database]

PD-0025: Is an Access Control Decision made at the beginning of a session acceptable?


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-03-11
Last Modified: 2006-08-02

Issue

This PD asks two questions:

  1. Is there enough flexibility in the FDP class to accommodate non-traditional access control policies and implementations?

  2. In applying the FDP class requirements, is there a minimally accepted level (for some definition of level) of access control that must be implemented in order to claim compliance with these requirements? Specifically, must an implementation perform access control on every reference to an object, or is it acceptable to perform access control upon initial allocation only (not checking access on subsequent references to the object)?

Resolution

Concerning question (1):

CC Part 2, Annex F (paragraph 724) implies that the intent of the FDP requirements is to be flexible in the policies that can be defined when it states:

"The class does not contain explicit requirements for traditional Mandatory Access Control (MAC) or traditional Discretionary Access Control (DAC); however, such requirements may be constructed using the components of this class".

This statement is further supported by the nature of the requirements themselves, which require a PP/ST author to carefully define the subjects, objects and operations (e.g., FDP_ACC.1.1) and the security attributes and access rules (e.g., FDP_ACF.1.1-2) via CC requirement assignments.

Therefore, it is acceptable for the PP/ST to define "non-traditional access control policies" in the context of devices (instead of files). The definition of these objects (as well as the subjects and operations) must be clearly identified in the requirement assignments.

Concerning question (2):

The requirements (e.g., FDP_ACF) offer the same flexibility in defining the operations on which access control is enforced. It is possible to define a policy that enforces access control "only upon initial allocation" as well as one that enforces it on "initial allocation and subsequent references (e.g., reads/writes)". This too must be made clear in the assignments defined in the PP/ST.

The fact that the objects and the access control mechanisms are hardware abstractions (and hardware mechanisms) is irrelevant to the security-policy-enforcing statements that can be made about the TOE.
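The practical difference between the two enforcement points allowed above is what happens when a security attribute changes after a handle has been allocated. The following toy reference monitor is an added example, not part of this PD or of CC Part 2: the subject/object attributes (clearance, classification), the access rule, the `serial0` device and the "reclassification" scenario are all assumptions standing in for the FDP_ACC.1/FDP_ACF.1 assignments a PP/ST author would have to write out. It models the same policy in both modes and shows that only the every-reference mode reflects a mid-session attribute change.

```python
"""Toy reference monitor contrasting the two enforcement points in PD-0025.

Added example, not from the PD or from CC Part 2. Attributes, rule and
sample devices are assumptions standing in for FDP_ACC.1/FDP_ACF.1
assignments.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AT_ALLOCATION = "allocation"    # rules applied only when a handle is allocated
    EVERY_REFERENCE = "reference"   # rules applied at allocation and on each read/write


@dataclass
class Subject:
    name: str
    clearance: int            # assumed security attribute


@dataclass
class Device:
    name: str
    classification: int       # assumed security attribute; may change mid-session
    writable: bool = True


@dataclass
class Handle:
    subject: Subject
    device: Device
    ops: frozenset            # operations granted at allocation time


class AccessDenied(Exception):
    pass


def access_rule(subject: Subject, device: Device, op: str) -> bool:
    """Assumed FDP_ACF.1 rule: read if clearance >= classification;
    write only to a writable device at exactly the subject's clearance."""
    if op == "read":
        return subject.clearance >= device.classification
    if op == "write":
        return device.writable and subject.clearance == device.classification
    return False


class Monitor:
    """Mediates 'allocate' (open) and subsequent 'read'/'write' references."""

    def __init__(self, mode: Mode):
        self.mode = mode
        self.audit = []       # (decision, operation, subject, device)

    def allocate(self, subject: Subject, device: Device, ops) -> Handle:
        # Both modes check every requested operation at allocation time.
        for op in ops:
            if not access_rule(subject, device, op):
                self.audit.append(("deny", f"allocate:{op}", subject.name, device.name))
                raise AccessDenied(f"{subject.name} may not {op} {device.name}")
        self.audit.append(("allow", "allocate", subject.name, device.name))
        return Handle(subject, device, frozenset(ops))

    def reference(self, handle: Handle, op: str) -> str:
        # A handle never grants more than was requested at allocation.
        if op not in handle.ops:
            self.audit.append(("deny", op, handle.subject.name, handle.device.name))
            raise AccessDenied(f"handle to {handle.device.name} was not opened for {op}")
        # Only EVERY_REFERENCE re-evaluates the rule against current attributes.
        if self.mode is Mode.EVERY_REFERENCE and not access_rule(
            handle.subject, handle.device, op
        ):
            self.audit.append(("deny", op, handle.subject.name, handle.device.name))
            raise AccessDenied(f"{op} on {handle.device.name} no longer permitted")
        self.audit.append(("allow", op, handle.subject.name, handle.device.name))
        return f"{handle.subject.name} {op} {handle.device.name}"


def reclassification_scenario(mode: Mode) -> bool:
    """Open a device for read, raise its classification above the subject's
    clearance, then read again. Returns True if the second read is still
    allowed, i.e. the attribute change is not enforced mid-session."""
    monitor = Monitor(mode)
    user = Subject("operator", clearance=1)
    port = Device("serial0", classification=1)   # constructed sample object
    handle = monitor.allocate(user, port, ["read"])
    monitor.reference(handle, "read")            # permitted in both modes
    port.classification = 2                      # attribute change after allocation
    try:
        monitor.reference(handle, "read")
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, "-> read after reclassification allowed:",
              reclassification_scenario(mode))
```

Either outcome can be a valid TOE behaviour under this PD; the point is that the PP/ST assignment must state which one is claimed, because an evaluator testing "access is denied once the attribute changes" will fail an allocation-only TOE that never promised it.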

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CC v2.1

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0190