DSTU IEC/TS 62351-8:2016 Power systems management and associated information exchange. Data and communications security. Part 8. Role-based access control (IEC/TS 62351-8:20...


NATIONAL STANDARD OF UKRAINE

IEC/TS 62351-8:2011

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE — DATA AND COMMUNICATIONS SECURITY

Part 8: Role-based access control

DSTU IEC/TS 62351-8:2016

POWER SYSTEMS MANAGEMENT AND ASSOCIATED INFORMATION EXCHANGE.

DATA AND COMMUNICATIONS SECURITY

Part 8. Role-based access control

(IEC/TS 62351-8:2011, IDT)

Corresponds to the official text

Kyiv

For purchase of the official edition, contact the national standardization body
(SE «УкрНДНЦ»)

2016

CONTENTS

Foreword

Introduction

1 Scope

2 Normative references

3 Terms, definitions and abbreviations

3.1 Terms and definitions

3.2 Abbreviations

4 RBAC process model

4.1 General

4.2 Separation of subjects, roles, and rights

4.2.1 General

4.2.2 Subject assignment

4.2.3 Role assignment

4.2.4 Right assignment

4.3 Criteria for defining roles

4.3.1 Policies

4.3.2 User, roles, and rights

4.3.3 Introducing roles reduces complexity

5 Definition of roles

5.1 Role-to-right assignment inside the object in general

5.1.1 General

5.1.2 Number of supported rights

5.1.3 Number of supported roles

5.1.4 Flexibility of role-to-right mapping

5.2 Role-to-right assignment with respect to power systems

5.2.1 Mandatory roles and rights for logical-device access control

5.2.2 Power utility automation - IEC 61850

5.2.3 CIM - IEC 61968

5.2.4 AMI

5.2.5 DER

5.2.6 Markets

5.3 Role-to-right assignment with respect to other non-power system domains (e.g. industrial process control)

6 General architecture for the PUSH model

6.1 General

6.2 Secure access to the LDAP-enabled service

7 General architecture for the PULL model

7.1 General

7.2 Secure access to the LDAP-enabled service

7.3 LDAP directory organization

8 General application of RBAC access token

8.1 General

8.2 Session based approach

8.3 Message based approach

9 Definition of access tokens

9.1 General

9.2 Supported profiles

9.3 Identification of access token

9.4 General structure of the access tokens

9.4.1 Mandatory fields in the access tokens

9.4.2 Mandatory profile-specific fields

9.4.3 Optional fields in the access tokens

9.4.4 Definition of specific fields

9.5 Specific structure of the access tokens

9.5.1 Profile A: X.509 ID certificate

9.5.2 Profile B: X.509 attribute certificate

9.5.3 Profile C: Software token

9.6 Distribution of the access tokens

10 Transport profiles

10.1 Usage in TCP-based protocols

10.2 Usage in non-Ethernet based protocols

11 Verification of access tokens

11.1 Normative part

11.1.1 General

11.1.2 Access token authenticity

11.1.3 Time period

11.1.4 Access token integrity

11.2 Optional part

11.3 Revocation methods

11.3.1 General

11.3.2 Supported methods

12 Interoperability

12.1 General

12.2 Supported access tokens

12.3 How to ensure backward compatibility

12.4 How to extend the list of roles and rights

12.5 How to map this specification to specific authorization mechanisms

Bibliography

Figure 1 - Generic framework for access control

Figure 2 - Diagram of RBAC with static and dynamic separation of duty according to (ANSI INCITS 359-2004)

Figure 3 - User, roles, rights and operations

Figure 4 - Schematic view of authorization mechanism based on RBAC

Figure 5 - Schematic view of authorization mechanism based on RBAC PULL model

Figure 6 - Session based RBAC approach

Table 1 - List of pre-defined role-to-right assignment

Table 2 - List of mandatory pre-defined rights

Table 3 - Pre-defined roles

Table 4 - Mandatory role-to-right mapping for service access control

Table 5 - The ALLOW right

Table 6 - The DENY right

Table 7 - VIEW right and associated ACSI services

Table 8 - Mapping between ID and attribute certificate
