RFC 3871           Operational Security Requirements      September 2004

      parameters.  Note that privilege levels may be defined locally on

      the device or on centralized authentication servers.

   Warnings.

      None.

2.12.12.  Ability to Assign Privilege Levels to Users

   Requirement.

      The device MUST be able to assign a defined set of authorized

      functions, or "privilege level", to each user once they have

      authenticated themselves to the device.  Privilege level

      determines which functions a user is allowed to execute.  Also see

      Section 2.12.11.

   Justification.

      This requirement supports the implementation of the principal of

      "least privilege", which states that an individual should only

      have the privileges necessary to execute the operations he/she is

      required to perform.

   Examples.

      The implementation of this requirement will obviously be closely

      coupled with the authentication mechanism.  If RADIUS is used, an

      attribute could be set in the user's RADIUS profile that can be

      used to map the ID to a certain privilege level.

   Warnings.

      None.

2.12.13.  Default Privilege Level Must Be 'None'

   Requirement.

      The default privilege level SHOULD NOT allow any access to

      management or configuration functions.  It MAY allow access to

      user level functions (e.g., starting PPP or telnet).  It SHOULD be

      possible to assign a different privilege level as the default.

      This requirement MAY be relaxed to support system installation per

      Section 2.4.5 or recovery of authorized access per Section

      2.12.15.

Jones                        Informational                     [Page 62]