Authorization is the process of granting or denying access to a network resource or function. Authorization (user accounts) must be granted based on specific roles, which are defined as sets of permissions and responsibilities assigned to a user or a group of users. Roles should be based on the principle of least privilege, which means that users should only have the minimum level of access required to perform their tasks. Roles should also be based on the principle of separation of duties, which means that users should not have conflicting or overlapping responsibilities that could compromise the security or integrity of the system. Authorization based on individual preferences or common needs for large groups is not recommended, as it could lead to excessive or unnecessary access rights, or to inconsistent or conflicting policies. Authorization based on system complexity is also not a good criterion, as it could result in overcomplicated or unclear roles that are difficult to manage or audit. References:
ISA/IEC 62443-3-3:2013 - Security for industrial automation and control systems - Part 3-3: System security requirements and security levels1
ISA/IEC 62443-2-1:2010 - Security for industrial automation and control systems - Part 2-1: Establishing an industrial automation and control systems security program2
ISA/IEC 62443-4-1:2018 - Security for industrial automation and control systems - Part 4-1: Product security development life-cycle requirements3
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit