CAN CSA-ISO IEC 10181-3-2000 Information Technology - Open Systems Interconnection - Security Frameworks for Open Systems Access Control Framework.pdf

Uploaded by: registerpick115 Document ID: 590203 Upload date: 2018-12-15 Format: PDF Pages: 48 Size: 3.49 MB

CSA INTERNATIONAL - National Standard of Canada CAN/CSA-ISO/IEC 10181-3-00 (ISO/IEC 10181-3:1996) International Standard ISO/IEC 10181-3:1996 (first edition 1996-09-15) has been adopted without modification as CSA Standard CAN/CSA-ISO/IEC 10181-3-00, which has been approved as a National Standard

of Canada by the Standards Council of Canada. ISBN 1-55324-086-3 March 2000 Information technology - Open Systems Interconnection - Security frameworks for open systems: Access control framework (Reaffirmed 2004) Technologies de l'information - Interconnexion de systèmes ouverts (OSI) - Cadres généraux pour la sécurité des systèmes ouverts: Cadre général de contrôle d'accès Reference number ISO/IEC 10181-3:1996(E) The Canadian Standards Association, which operates under the name CSA International (CSA), under whose auspices this National Standard has been produced, was chartered in 1919

and accredited by the Standards Council of Canada to the National Standards system in 1973. It is a not-for-profit, nonstatutory, voluntary membership association engaged in standards development and certification activities. and users - including manufacturers, consumers, retailers, unions and professional organizations, and governmental agencies. The standards are used widely by industry and commerce and often adopted by municipal, provincial, and federal governments in their regulations, particularly in the fields of health, safety, building and construction, and the environment. indicate

their support for CSA's standards development by volunteering their time and skills to CSA Committee work and supporting the Association's objectives through sustaining memberships. The more than 7000 committee volunteers and the 2000 sustaining memberships together form CSA's total membership from which its Directors are chosen. Sustaining memberships represent a major source of income for CSA's standards development activities. in support of and as an extension to its standards development activities. To ensure the integrity of its certification process, the Association regularly and continually audits and inspects products that bear the CSA Mark. Toronto, CSA has regional branch offices in major centres across Canada and inspection and testing agencies in eight countries. Since 1919, the Association has developed the necessary expertise to meet its corporate mission: CSA is an independent service organization whose mission is to provide an open and effective forum for activities facilitating the exchange of goods and services through the use of standards, certification and related services to meet national and international needs. For further information on CSA services, write

to CSA International 178 Rexdale Boulevard Toronto, Ontario, M9W 1R3 Canada CSA standards reflect a national consensus of producers Individuals, companies, and associations across Canada The Association offers certification and testing services In addition to its head office and laboratory complex

in The Standards Council of Canada is the coordinating body of the National Standards system, a federation of independent, autonomous organizations working towards the further development and improvement of voluntary standardization in the national interest. The principal objects of the Council are

to foster and promote voluntary standardization as a means of advancing the national economy, benefiting the health, safety, and welfare of the public, assisting and protecting the consumer, facilitating domestic and international trade, and furthering international cooperation in the field of standards. has been approved by the Standards Council of Canada and one which reflects a reasonable agreement among the views of a number of capable individuals whose collective interests provide to the greatest practicable extent a balance of representation of producers, users, consumers, and others with relevant interests, as may be appropriate to the subject in hand. It normally is a standard which is capable of making a significant and timely contribution to the national interest. Approval of a standard as a National Standard of Canada indicates that a standard conforms to the criteria and procedures established by the Standards Council of Canada. Approval does not refer to the technical content of the standard; this remains the continuing responsibility of the accredited standards-development organization. Those who have a need to apply standards are encouraged to use National Standards

of Canada whenever practicable. These standards are subject to periodic review; therefore, users are cautioned to obtain the latest edition from the organization preparing the standard. The responsibility for approving National Standards of Canada rests with the Standards Council of Canada 45 O'Connor Street, Suite 1200 Ottawa, Ontario, K1P 6N7 Canada A National Standard of Canada is a standard which CSA INTERNATIONAL National Standards of Canada are published in French and English versions. Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particular purpose.

CAN/CSA-ISO/IEC 10181-3-00 Information technology - Open Systems Interconnection - Security frameworks for open systems: Access control framework

CSA Preface

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T). This International Standard was reviewed by the CSA TCIT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed

acceptable for use in Canada. (A committee membership list is available on request from the CSA Project Manager.) From time to time, ISO/IEC may publish addenda, corrigenda, etc. The CSA TCIT will review these documents for approval and publication. For a listing, refer to the CSA Information Products catalogue or CSA Info Update or contact a CSA Sales representative. This Standard has been formally approved, without modification, by these Committees and has been approved as a National Standard of Canada by the Standards Council of Canada.

March 2000 © CSA International - 2000 All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher. ISO/IEC material is reprinted with permission. Inquiries regarding this National Standard of Canada should be addressed to CSA International, 178 Rexdale Boulevard, Toronto, Ontario, M9W 1R3.

INTERNATIONAL STANDARD ISO/IEC 10181-3 First edition 1996-09-15 Information technology - Open Systems Interconnection - Security frameworks for open systems: Access control framework Technologies de l'information - Interconnexion de systèmes ouverts (OSI) - Cadres généraux pour la sécurité des systèmes ouverts: Cadre général de contrôle d'accès Reference number ISO/IEC 10181-3:1996(E)

Contents

1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
3 Definitions
4 Abbreviations
5 General discussion of access control
5.1 Goal of access control
5.2 Basic aspects of access control
5.2.1 Performing access control functions
5.2.2 Other access control activities
5.2.3 ACI forwarding
5.3 Distribution of access control components
5.3.1 Incoming access control
5.3.2 Outgoing access control
5.3.3 Interposed access control
5.4 Distribution of access control components across multiple security domains
5.5 Threats to access control
6 Access control policies
6.1 Access control policy expression
6.1.1 Access control policy categories
6.1.2 Groups and roles
6.1.3 Security labels
6.1.4 Multiple initiator access control policies
6.2 Policy management
6.2.1 Fixed policies
6.2.2 Administratively-imposed policies
6.2.3 User-selected policies
6.3 Granularity and containment
6.4 Inheritance rules
6.5 Precedence among access control policy rules
6.6 Default access control policy rules
6.7 Policy mapping through cooperating security domains
7 Access control information and facilities
7.1 ACI
7.1.1 Initiator ACI
7.1.2 Target ACI
7.1.3 Access request ACI
7.1.4 Operand ACI
7.1.5 Contextual information
7.1.6 Initiator-bound ACI
7.1.7 Target-bound ACI
7.1.8 Access request-bound ACI
7.2 Protection of ACI
7.2.1 Access control certificates
7.2.2 Access control tokens
7.3 Access control facilities
7.3.1 Management related facilities
7.3.2 Operation related facilities
8 Classification of access control mechanisms
8.1 Introduction
8.2 ACL scheme
8.2.1 Basic features
8.2.2 ACI
8.2.3 Supporting mechanisms
8.2.4 Variations of this scheme
8.3 Capability scheme
8.3.1 Basic features
8.3.2 ACI
8.3.3 Supporting mechanisms
8.3.4 Variation of this scheme - Capabilities without specific operations
8.4 Label based scheme
8.4.1 Basic features
8.4.2 ACI
8.4.3 Supporting mechanisms
8.4.4 Labeled channels as targets
8.5 Context based scheme
8.5.1 Basic features
8.5.2 ACI
8.5.3 Supporting mechanisms
8.5.4 Variations of this scheme
9 Interaction with other security services and mechanisms
9.1 Authentication
9.2 Data integrity
9.3 Data confidentiality
9.4 Audit
9.5 Other access-related services
Annex A - Exchange of access control certificates among components
A.1 Introduction
A.2 Forwarding access control certificates
A.3 Forwarding multiple access control certificates
A.3.1 Example
A.3.2 Generalization
A.3.3 Simplifications
Annex B - Access control in the OSI reference model
B.1 General
B.2 Use of access control within the OSI layers
B.2.1 Use of access control at the network layer
B.2.2 Use of access control at the transport layer
B.2.3 Use of access control at the application layer
Annex C - Non-uniqueness of access control identities
Annex D - Distribution of access control components
D.1 Aspects considered
D.2 AEC and ADC locations
D.3 Interactions among access control components
Annex E - Rule-based versus identity-based policies
Annex F - A mechanism to support ACI forwarding through an initiator
Annex G - Access control security service outline

© ISO/IEC 1996 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher. ISO/IEC Copyright Office, Case postale 56, CH-1211 Genève 20, Switzerland

Foreword

ISO (the International Organization for Standardization)

and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. International Standard ISO/IEC 10181-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 21, Open Systems Interconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is published as ITU-T Recommendation X.812.

ISO/IEC 10181 consists of the following parts, under the general title Information technology - Open Systems Interconnection - Security frameworks for open systems:

- Part 1: Overview
- Part 2: Authentication framework
- Part 3: Access control framework
- Part 4: Non-repudiation framework
- Part 5: Confidentiality framework
- Part 6: Integrity framework
- Part 7: Security audit framework

Annexes A to G of this part of ISO/IEC 10181 are for information only.

Introduction

This Recommendation | International Standard defines a general framework for the provision of access control. The primary goal of access control is to counter the threat of unauthorized operations involving a computer or communications system; these threats are frequently subdivided into classes known as unauthorized use, disclosure, modification, destruction and denial of service.

INTERNATIONAL STANDARD ITU-T RECOMMENDATION ISO/IEC 10181-3 : 1996 (E)

INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: ACCESS CONTROL FRAMEWORK

1 Scope

The Security Frameworks are intended to address the application of security services in an Open Systems environment, where the term Open Systems is taken to include areas such as Database, Distributed Applications, ODP and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) that are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. In the case of Access Control, accesses may either be to a system (i.e. to an entity that is the communicating part of a system) or within a system. The information items that need to be presented to obt

