...
Identity Lifecycle Management
Requirement: R-99174
no change required - The VNF MUST, if not integrated with the Operator’s Identity and Access Management system, support the creation of multiple IDs so that individual accountability can be supported.
Requirement: R-75041
The VNF MUST, if not integrated with the Operator’s Identity and Access Management system, support configurable password expiration.
...
Requirement: R-86835
The VNF MUST set the default settings for user access to deny authorization, except for a super user type of account. When a VNF is added to the network, nothing should be able to use it until the super user configures the VNF to allow other users (human and application) to have access.
Requirement: NEW
...
The VNF MUST, if not integrated with the operator's IAM system, provide a mechanism for assigning roles and/or permissions to an identity.
Access Control
Requirement: R-42874
CHANGE - The VNF MUST allow the Operator to restrict access to protected resources based on the assigned permissions associated with an ID in order to support Least Privilege (no more privilege than required to perform job functions).
REMOVE - Requirement: R-15671
The VNF MUST provide access controls that allow the Operator to restrict access to VNF functions and data to authorized entities.
Requirement: R-23135
CHANGE - The VNF MUST, if not integrated with the Operator’s identity and access management system, authenticate all access to protected resources GUIs, CLIs, and APIs.
Requirement: R-71787
NEED MORE DISCUSSION - Each architectural layer of the VNF (e.g., operating system, network, application) MUST support access restriction independently of all other layers so that Segregation of Duties can be implemented.
...