I-0358: Roles Whose Membership Is Defined By Object Attributes

TYPE:                 NIAP Interpretation
NUMBER:               I-0358
STATUS:               Withdrawn
REASON:               Upon IWG review, it appears that FMT_SMR.1.2 can be
                      interpreted broadly enough to permit the TSF to allow
                      policy to determine the users in a role

TITLE:                Roles Whose Membership Is Defined By Object Attributes

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 8.2 FMT_MSA
                      CC v2.1 Part 2 Subclause 8.6 FMT_SMR
RELATED TO:           <None>

ISSUE:

The FMT_MSA.1 element refers to the term "authorised identified roles" in an assignment when referring to the users permitted to perform various management functions on security attributes of an object. In some products, the ability to management security attributes is not based on formal role assignment, but rather on other attributes of that object, such as the object's owner.

STATEMENT

The following interprets the use of the term "roles" in the FMT_SMR components in its interaction with the use of the term "authorised identified roles" in the FMT_MSA components:

The use of the term "authorised identified role" in FMT_MSA.1 does not imply a role in the sense of FMT_SMR if the membership in that role is determined based on other security attributes of the object (e.g., "object owner").

RECOMMENDED CRITERIA CHANGES

TBD

SUPPORT:

If an object's owner was to be interpreted as a formal "role", then FMT_SMR would come into play. It would then require that the TSF be able to associate users with roles. But this doesn't work for an object-based role assignment, for how can one assign someone to the "object owner" role when the individuals assigned to that role differ for each object? Thus, it is necessary to make it clear that the use of the term "role" does not imply FMT_SMR when it is used for roles based on other security attributes of the object.