IAM Update for Frankfurt
Identity Lifecycle Management
...
NO CHANGE - Requirement: R-46908
The VNF MUST, if not integrated with the Operator’s Identity and Access Management system, comply with “password complexity” policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password.
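The six construction rules above are checkable, so the following is an added validator that implements them (example code written for this page, not part of the ONAP VNF Requirements or any VNF). Everything the requirement leaves to the environment is an assumption here: the minimum length, the list of "other common strings", the set of special characters treated as having command functions (shell metacharacters), and the run length of three used for rule 4, matching the "three or more" of rule 6.

```python
"""Validator for the R-46908 password construction rules (added example).

Assumptions not stated in the requirement: min_length, forbidden_strings,
COMMAND_CHARS and run_length below are environment policy, chosen here for
illustration; userID and common-string comparisons are case-insensitive.
"""
from dataclasses import dataclass, field

# Assumed set of special characters "that may have command functions": shell metacharacters.
COMMAND_CHARS = set(";|&$`<>\\'\"")


@dataclass
class PasswordPolicy:
    min_length: int = 12                                  # rule 1, configurable
    forbidden_strings: set = field(                       # rule 3, environment-specified
        default_factory=lambda: {"password", "operator", "vnf"})
    run_length: int = 3                                   # rules 4 and 6, assumed threshold

    def violations(self, password: str, user_id: str, previous: str = "") -> list:
        """Return a list of rule violations; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = [
            any(c.isupper() for c in password),           # upper-case alphabetic
            any(c.islower() for c in password),           # lower-case alphabetic
            any(c.isdigit() for c in password),           # numeric
            any(not c.isalnum() for c in password),       # special
        ]
        if sum(classes) < 3:                              # rule 2: 3 of 4 classes
            problems.append("fewer than 3 of 4 character classes")
        lowered = password.lower()
        if lowered == user_id.lower() or lowered in {s.lower() for s in self.forbidden_strings}:
            problems.append("equals the userID or a forbidden common string")
        if self._has_run(password):                       # rule 4
            problems.append("contains repeating or sequential characters")
        bad = sorted(set(password) & COMMAND_CHARS)       # rule 5
        if bad:
            problems.append("contains command characters: " + "".join(bad))
        if previous and self._shares_sequence(password, previous):   # rule 6
            problems.append(f"reuses {self.run_length}+ characters in sequence from previous password")
        return problems

    def _has_run(self, s: str) -> bool:
        """True if any window of run_length chars is all-identical (aaa) or a code-point
        step of +1 (abc, 123) or -1 (cba, 321)."""
        n = self.run_length
        for i in range(len(s) - n + 1):
            window = s[i:i + n]
            diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
            if diffs in ({0}, {1}, {-1}):
                return True
        return False

    def _shares_sequence(self, new: str, old: str) -> bool:
        """True if any run_length-character substring of new appears in old."""
        n = self.run_length
        return any(new[i:i + n] in old for i in range(len(new) - n + 1))


if __name__ == "__main__":
    policy = PasswordPolicy()
    print(policy.violations("abc12345", "opsadmin"))
    print(policy.violations("Tr0ub4dor-Relay9", "opsadmin", previous="Relay9-Secure!"))
```

Note that rule 4 is the one most open to interpretation; the window-based check treats both ascending and descending runs as "sequential", and a site that means only digit sequences would narrow `_has_run` accordingly.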
NEED TO DISCUSS CHANGE - Requirement: R-814377 (VNFRQTS-837)
The VNF MUST have the capability of allowing the Operator to create, manage, and automatically provision user accounts using an Operator approved identity lifecycle management tool using a standard protocol, e.g., NETCONF API.
- Identify protocols to support
- Identify requirement specifying protocols supported by VNFs
The VNF MUST have the capability of allowing the Operator to create, manage, and automatically provision user accounts using one of the protocols specified in Chapter 7.
NEW - Requirement: R-xxxxxx (VNFRQTS-817)
...
CHANGE - Requirement: R-23135 (VNFRQTS-821)
The VNF MUST, if not integrated with the Operator’s identity and access management system, authenticate all access to protected resources (GUIs, CLIs, and APIs).
REMOVE - Requirement: R-71787
NEED MORE DISCUSSION - (VNFRQTS-841)
Each architectural layer of the VNF (e.g., operating system, network, application) MUST support access restriction independently of all other layers so that Segregation of Duties can be implemented.
The new requirement in VNFRQTS-818 will give an operator the capability of implementing segregation of duties.
NO CHANGE - Requirement: R-59391
...
The VNF MUST, if not integrated with the Operator’s Identity and Access Management system, support the ability to lock out the userID after a configurable number of consecutive unsuccessful authentication attempts using the same userID. The locking mechanism must be reversible by an administrator and should be reversible after a configurable time period.
NEED TO DISCUSS CHANGE - Requirement: R-78010 (VNFRQTS-838)
The VNF MUST integrate with standard identity and access management protocols such as LDAP, TACACS+, Windows Integrated Authentication (Kerberos), SAML federation, or OAuth 2.0.
- Identify protocols to support
- "OAuth 2.0 with an operator provided Authorization Server"
- 2/11 Need feedback from Vendors
The VNF MUST support LDAP in order to integrate with an external identity and access management system. It MAY support other identity and access management protocols.
REMOVE - Requirement: R-85419 (VNFRQTS-839)
The VNF SHOULD support OAuth 2.0 authorization using an external Authorization Server.
- Remove based on changes to R-78010
...
The VNF MUST NOT identify the reason for a failed authentication, only that the authentication failed.
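R-59391 (lockout after a configurable number of consecutive failures, reversible by an administrator and after a configurable period) and the rule just above (no reason disclosed for a failed authentication) are usually implemented together in the same login path. The following is an added example of that path for a VNF that is not integrated with the Operator's IAM; it is written for this page and is not ONAP or vendor code. The credential store, the PBKDF2 parameters, the threshold of five attempts, the 900-second auto-unlock and the injectable clock are all assumptions made so the code runs offline.

```python
"""Lockout and generic-failure handling for R-59391 and the failed-authentication
rule (added example). The users dict, PBKDF2 settings, max_failures,
lockout_seconds and the injectable clock are assumptions for the demo."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable

# One message for every failure: unknown userID, wrong password or locked account.
GENERIC_FAILURE = "Authentication failed."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_users(plaintexts: dict) -> dict:
    """Build the assumed credential store: userID -> (salt, PBKDF2 hash)."""
    store = {}
    for user_id, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user_id] = (salt, _hash(pw, salt))
    return store


@dataclass
class LockoutAuthenticator:
    users: dict                                   # userID -> (salt, hash)
    max_failures: int = 5                         # configurable lockout threshold
    lockout_seconds: int = 900                    # configurable auto-unlock period
    clock: Callable[[], float] = time.time        # injectable so tests need not sleep
    _failures: dict = field(default_factory=dict, init=False, repr=False)  # consecutive failures
    _locked_at: dict = field(default_factory=dict, init=False, repr=False) # userID -> lock time

    def is_locked(self, user_id: str) -> bool:
        """Locked state, with the configurable time-based reversal applied."""
        t = self._locked_at.get(user_id)
        if t is None:
            return False
        if self.clock() - t >= self.lockout_seconds:
            self.admin_unlock(user_id)            # period elapsed: clear lock and counter
            return False
        return True

    def admin_unlock(self, user_id: str) -> None:
        """Administrator reversal of the lock (R-59391)."""
        self._locked_at.pop(user_id, None)
        self._failures.pop(user_id, None)

    def authenticate(self, user_id: str, password: str) -> tuple:
        """Return (ok, message). The message never says why authentication failed."""
        if self.is_locked(user_id):
            return False, GENERIC_FAILURE
        record = self.users.get(user_id)
        # Always run the hash, with a dummy salt for unknown users, so response
        # timing does not reveal whether the userID exists.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        digest = _hash(password, salt)
        if record is not None and hmac.compare_digest(digest, stored):
            self._failures.pop(user_id, None)     # success resets the consecutive count
            return True, "OK"
        if record is not None:                    # only known userIDs can be locked
            n = self._failures.get(user_id, 0) + 1
            self._failures[user_id] = n
            if n >= self.max_failures:
                self._locked_at[user_id] = self.clock()
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = LockoutAuthenticator(make_users({"opsadmin": "Tr0ub4dor-Relay9"}), max_failures=3)
    for _ in range(3):
        print(auth.authenticate("opsadmin", "wrong"))
    print(auth.is_locked("opsadmin"), auth.authenticate("opsadmin", "Tr0ub4dor-Relay9"))
```

Two details worth keeping when adapting this: the correct password still fails while the lock is in force (otherwise the lock is not a lock), and the failure counter is only kept for userIDs that exist, so an attacker cannot fill memory by spraying random names; both cases still receive the same generic message.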
CHANGE - Requirement: R-479386 (VNFRQTS-840)
The VNF MUST NOT display “Welcome” notices or messages that could be misinterpreted as extending an invitation to unauthorized users.
The VNF MUST provide the capability of setting a configurable message to be displayed after successful login. It MAY provide a list of supported character sets.
- Ask Trevor Lovett if the supported character sets are specified in the VNF requirements
- Answer (23/2/2020): Not to his knowledge.
CHANGE - Requirement: R-231402 (VNFRQTS-826)
The VNF MUST provide a means for the user to explicitly logout, thus ending that session for that authenticated user.
...