ISO/IEC 10164-9:1997 – Systems Management: Objects and Attributes for Access Control

Standardizing Access Control in OSI Systems Management through Managed Objects

Scope of ISO/IEC 10164-9:1997

ISO/IEC 10164-9:1997 is part of the Open Systems Interconnection (OSI) Systems Management series. It defines the managed objects and attributes that represent access control policies, rules, and capabilities within a management information model. This standard supports the specification of who (subject) can perform which operations (actions) on which managed objects (targets) in a distributed OSI environment.

The standard addresses the need for a uniform, interoperable way to model and manage access control information (ACI) across heterogeneous management domains. It applies to both peer-level and hierarchical manager-agent relationships, and is designed to work with the OSI management framework (ISO/IEC 7498-4) and the systems management overview (ISO/IEC 10040).

Key Benefit: By standardising the representation of access control rules as managed objects, ISO/IEC 10164-9 enables centralised policy administration and automated enforcement across CMIP-based management networks.

Technical Requirements and Managed Object Classes

The core of ISO/IEC 10164-9 is a set of managed object classes and their associated attributes, operations, and notifications. These classes model the entities involved in making access control decisions.

Managed Object Classes

The standard defines four primary classes:

accessControlPolicy
  Purpose: Represents a set of access control rules governing a security domain.
  Key attributes: policyId, policyRules, enforcementModel

accessControlRule
  Purpose: Defines a single rule: subject, target, operation, and decision.
  Key attributes: ruleId, subjectList, objectList, operationList, decision

capability
  Purpose: Represents the set of permissions granted to a specific subject.
  Key attributes: subjectId, grantedRights, validity

accessControlDecision
  Purpose: Encapsulates the result of an access control evaluation (allow/deny).
  Key attributes: decisionId, result, evaluationTime

Each class supports the standard CMIP operations (Create, Delete, Get, Set, Action) and may emit notifications such as accessControlViolation and policyChange.

Attributes and Information Model

The standard defines both mandatory and conditional packages. For example, the accessControlPolicy object must include the policyId attribute and the policyRules attribute (which references one or more accessControlRule objects). The enforcementModel attribute determines what happens when no rule matches a request: under a closed policy the request is denied by default, under an open policy it is permitted by default. Closed is the fail-safe choice, because a rule that is missing or mis-scoped then results in a refused request rather than an unintended grant.

Implementation Complexity: The layered relationships between policy objects can lead to circular rule dependencies. Careful design of containment and name binding is essential to avoid inconsistencies during runtime policy updates.

Implementation Highlights

ISO/IEC 10164-9 is designed to be implemented on top of a CMIP (Common Management Information Protocol) stack using a full OSI management infrastructure. Key implementation considerations include:

  • Conformance to GDMO: The managed object classes must be specified using the Guidelines for the Definition of Managed Objects (GDMO) as defined in X.722.
  • Name Binding: Each object class must be assigned a name binding relative to its containing object (e.g., accessControlPolicy under system).
  • Decision logic: The standard defines only the information model; it does not mandate the algorithm by which a request is matched against the rules or the order in which rules are evaluated. Implementers are free to embed any local policy engine, but the chosen precedence (for instance, whether an explicit deny overrides a later allow) must be documented, since two conforming agents holding identical objects may otherwise reach different decisions.
  • Interoperability: For multi-vendor environments, all shared objects must be accessible via a conforming CMIP service interface, and attribute types must be encoded as per ASN.1 definitions in the standard.

Tip: Use the accessControlViolation notification to trigger audit records. The event report includes the attempted operation, the target object, and the rule that was violated. Forward these records to a store that the managed system itself cannot modify: a subject who can Set or Delete the policy objects could otherwise erase the evidence of its own violations.
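The following is an added illustration of the information model described in the attributes section and the audit tip above; it is not code from the standard or from any implementation of it. The class and attribute names follow the page's table (accessControlPolicy, accessControlRule, capability, accessControlDecision, accessControlViolation). Everything about behaviour is an assumption made for the example: the evaluation order (a valid capability, then the rules in listed order, then the enforcementModel default), the "*" wildcard, and the "includes" link used to layer one policy on another, which is where the circular dependency the text warns about is detected and refused. The sample policies, the capability and the evaluation time are constructed.

```python
"""Toy evaluator for the access control model summarised above. Added example, not code from
the standard or any implementation: names follow the page's table; the evaluation order, the
'*' wildcard and the 'includes' link between policies are assumptions made for illustration."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count

CLOSED, OPEN = "closed", "open"  # enforcementModel: no matching rule -> deny / permit
AccessControlDecision = namedtuple("AccessControlDecision", "decisionId result evaluationTime ruleId")
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed evaluation time for the demo

@dataclass
class AccessControlRule:
    ruleId: str
    subjectList: list[str]
    objectList: list[str]
    operationList: list[str]
    decision: str  # "allow" or "deny"
    def matches(self, subject, target, operation):
        hit = lambda lst, v: "*" in lst or v in lst  # '*' is an assumed wildcard
        return hit(self.subjectList, subject) and hit(self.objectList, target) and hit(self.operationList, operation)

@dataclass
class Capability:
    subjectId: str
    grantedRights: list[tuple[str, str]]  # (target, operation) pairs
    validity: tuple[datetime, datetime]   # inclusive window
    def grants(self, subject, target, operation, now):
        return (self.subjectId == subject and self.validity[0] <= now <= self.validity[1]
                and (target, operation) in self.grantedRights)

@dataclass
class AccessControlPolicy:
    policyId: str
    policyRules: list[AccessControlRule] = field(default_factory=list)
    enforcementModel: str = CLOSED
    includes: list["AccessControlPolicy"] = field(default_factory=list)  # assumed layering link

    def effective_rules(self):
        """Own rules first, then included policies depth-first; a cycle is an error."""
        seen, out = set(), []
        def walk(policy, path):
            if policy.policyId in path:
                raise ValueError("circular policy reference: " + " -> ".join(path + [policy.policyId]))
            if policy.policyId not in seen:
                seen.add(policy.policyId)
                out.extend(policy.policyRules)
                for sub in policy.includes:
                    walk(sub, path + [policy.policyId])
        walk(self, [])
        return out

class PolicyEngine:
    def __init__(self, policy, capabilities=()):
        self.policy, self.capabilities, self._ids = policy, list(capabilities), count(1)
        self.audit = []  # accessControlViolation records: (subject, target, operation, ruleId)

    def evaluate(self, subject, target, operation, now):
        did = next(self._ids)
        if any(c.grants(subject, target, operation, now) for c in self.capabilities):
            return AccessControlDecision(did, "allow", now, None)
        for rule in self.policy.effective_rules():
            if rule.matches(subject, target, operation):
                if rule.decision == "deny":
                    self.audit.append((subject, target, operation, rule.ruleId))
                return AccessControlDecision(did, rule.decision, now, rule.ruleId)
        result = "allow" if self.policy.enforcementModel == OPEN else "deny"
        if result == "deny":  # closed default: there is no violated rule to name
            self.audit.append((subject, target, operation, None))
        return AccessControlDecision(did, result, now, None)

def build_engine(enforcement=CLOSED):
    base = AccessControlPolicy("base", [  # constructed sample data, not taken from the standard
        AccessControlRule("r-ops-read", ["ops"], ["*"], ["Get"], "allow"),
        AccessControlRule("r-no-delete", ["*"], ["system"], ["Delete"], "deny")])
    site = AccessControlPolicy("site", [AccessControlRule("r-admin-all", ["admin"], ["*"], ["*"], "allow")],
                               enforcementModel=enforcement, includes=[base])
    cap = Capability("auditor", [("logRecord", "Get")],
                     (datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 12, 31, tzinfo=timezone.utc)))
    return PolicyEngine(site, [cap])

def demo(enforcement=CLOSED):
    eng = build_engine(enforcement)
    requests = [("admin-set", "admin", "system", "Set"), ("ops-get", "ops", "system", "Get"),
                ("ops-set", "ops", "system", "Set"),            # no rule: enforcementModel decides
                ("ops-delete", "ops", "system", "Delete"),      # r-no-delete from the included policy
                ("auditor-get", "auditor", "logRecord", "Get")]  # granted by the capability, not a rule
    return {n: eng.evaluate(s, t, o, NOW).result for n, s, t, o in requests}, list(eng.audit)

def cycle_is_detected():
    eng = build_engine()
    eng.policy.includes[0].includes.append(eng.policy)  # base -> site -> base
    try:
        eng.policy.effective_rules()
    except ValueError:
        return True
    return False
```

Running demo() with the closed model denies "ops-set" (no rule matches) and "ops-delete" (the inherited r-no-delete rule), and both denials appear in the audit list; with demo(OPEN) the unmatched "ops-set" is permitted and only the explicit rule violation is recorded. cycle_is_detected() shows why the containment warning above matters: once base is made to include site again, effective_rules() refuses to evaluate instead of looping.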

Compliance Notes

Conformance to ISO/IEC 10164-9 is claimed in the Protocol Implementation Conformance Statement (PICS). A conforming implementation must support both mandatory managed object classes (accessControlPolicy and accessControlRule) together with their mandatory packages. Optional features such as the capability class and the policyChange notification may be implemented conditionally, and the PICS must state which of them are supported.

For a system to be fully compliant, it must also adhere to the requirements of the base OSI management standards (ISO/IEC 10040, ISO/IEC 10164-1). This includes proper support for the system managed object and the allomorphic behaviour if dynamic class instantiation is required.

Security Warning: The standard does not define authentication mechanisms. Every access control decision is only as trustworthy as the identification of the subject that it is based on, so an agent that accepts an unauthenticated CMIP association is enforcing nothing. Always combine it with the authentication and integrity services described in the OSI security frameworks (ISO/IEC 10181-2 for authentication and ISO/IEC 10181-6 for integrity; ISO/IEC 10181-3 is the access control framework itself).

Frequently Asked Questions

Q: What is the difference between accessControlPolicy and capability objects?
A: The accessControlPolicy object holds global rules that apply to multiple subjects, whereas a capability object stores the specific permissions granted to a single subject (similar to an X.509 attribute certificate).
Q: Can ISO/IEC 10164-9 be used with SNMP instead of CMIP?
A: The standard is defined in the context of OSI Systems Management using CMIP. While the information model could be mapped to the SNMP Structure of Management Information (SMI), the formal conformance requirements assume a CMIP-based infrastructure. Interoperability with SNMP would require an explicit mapping specification.
Q: Does the standard define how to store access control rules persistently?
A: No. The standard only defines the managed object classes and their behaviour at the interface level. The internal storage (e.g., LDAP directory, local file, database) is implementation-specific.
Q: Are there any backward compatibility issues with the 1995 edition?
A: ISO/IEC 10164-9:1997 is technically aligned with the 1995 edition but includes clarifications on name binding and the inclusion of the accessControlDecision class. Implementations of the earlier version may need minor attribute adjustments to be fully conformant.

Technical article prepared for reference purposes. Always consult the official ISO/IEC document for complete and authoritative requirements.

© 2026 – This article is prepared based on the publicly available summary of the standard.
