Published by Bradley Pauling
Access Control Mechanism Discussion
Group Name: SEC WG
Source: Seongyoon Kim, LG Electronics
Meeting Date: 7 April, 2014
Agenda Item: TBD
Introduction
This contribution introduces the overall access control mechanism using M2M Service Subscription and Access Control Policy (ACP).
© 2013 oneM2M Partners
M2M Service Subscription (background)
An M2M Service consists of M2M Service role(s), and an M2M Subscriber (typically an Application Provider) subscribes to one or multiple M2M Service roles:
– In each M2M Service, one or multiple M2M Service role(s) shall be defined by the M2M Service Provider. The M2M Subscriber subscribes to one or multiple roles within the M2M Services in which the M2M Subscriber is interested. (section in draft TS 0001 v.0.4.3)
An M2M Service Role specifies a set of privileges pertaining to resource types:
– An M2M Service role is defined as a set of privileges pertaining to resource types which are associated with the M2M Service. (section in draft TS 0001 v.0.4.3)
Examples of M2M Service Roles:
– “Firmware Provider”: CRUD for resource type
– “Trouble Shooting”: R for resource type, RW for resource type
– “Data Exchange”: CRUD for resource type
Access Control Policy (background)
An access control policy describes who can perform which operation on a resource.
– An access control policy is defined as "white lists" of privileges, i.e. each privilege defines the "allowed" entities (defined as originatorPrivileges) for certain access modes (defined as privilegesFlags). (section in draft TS 0001 v.0.4.3)
A resource may not have an accessControlPolicyID; in that case the accessControlPolicyID of the parent resource shall be used. (FFS in case the parent resource doesn’t have an accessControlPolicyID either.)
Relationship (M2M Service Subscription and ACP)
M2M Service Subscription describes who is authorized to perform which operations on which resource types.
Access Control Policy describes who is authorized to perform which operations on real (instantiated) resources.
– Even though AE1 has an M2M Service Subscription that allows AE1 to perform RUD on the container resource type, it doesn’t mean AE1 has privileges to perform RUD on container1. AE1 needs to have RUD privileges in the access control policy for container1.
– Based on the M2M Service Subscription, AE1 shall not be able to Create a container resource (its subscription grants only RUD on that resource type).
M2M Service Subscription describes the maximum allowed permissions (e.g., RUD) for a certain resource type (e.g., container) for a certain entity (e.g., AE1).
Why M2M Service Subscription (1)
If we don’t use M2M Service Subscription in the access control mechanism, there is no way to differentiate Create permission per child resource type:
– Without M2M Service Subscription, if AE1 has Create permission for the CSEBase of CSE1, AE1 is authorized to create all child resource types (e.g., node, remoteCSE, group, accessRight, subscription, mgmtObj, etc.) under the CSEBase of CSE1.
To be able to grant proper privileges, M2M Service Subscription shall be used:
– Even though AE1 has Create permission for the CSEBase of CSE1, AE1 also needs to be authorized by its M2M Service Subscription.
– If AE1 has an M2M Service Role that allows creating the container resource type, AE1 is authorized to create a container resource at the CSEBase.
– If AE1 doesn’t have an M2M Service Role that allows creating the group resource type, AE1 is not authorized to create a group resource at the CSEBase.
Why M2M Service Subscription (2)
If we don’t use M2M Service Subscription in the access control mechanism, a certain Application Provider may end up with more permissions than it subscribed to from the M2M Service Provider:
– For example, AE1 would like to give AE2 permissions for a mgmtObj resource, but AE2 doesn’t subscribe to the device management service role.
– AE2 may then hold more permissions than AE2 is allowed to have.
Access Control Approach 1
M2M Service Subscription information is applied to the associated Access Control Policy.
– For example, AE1 has App-ID App1, and the M2M Service Subscription information for App1 is applied to the associated ACP1 and ACP2.
Advantages:
– In the access control mechanism, only the ACP is considered.
Problems:
– Applying M2M Service Subscription information to the ACP is not an easy task, since the ACP contains many Originator attributes (FQDN, Role, ID, Token, All); it is a burden to keep these aligned (when the M2M Service Subscription is changed, and when the ACP is changed).
– If a Token or FQDN is used in the ACP, there is no way to apply M2M Service Subscription for that Token or FQDN: which M2M Service Subscription applies when a Token or FQDN is used? There is no way to find the associated M2M Service Subscription.
– It doesn’t provide a solution for the problem described in Why M2M Service Subscription (1).
Access Control Approach 2 (proposal)
Make two separate steps:
1. Check M2M Service Subscription: whether the Originator has enough permission on the resource type of the resource that the Originator accesses.
2. Check Access Control Policy: whether the Originator has enough permission on the resource that the Originator accesses.
Advantages:
– Easy to extend (considering future releases and deployment scenarios).
– Doesn’t need a complex procedure; simple.
– Provides a solution for the problems described in Why M2M Service Subscription (1) and (2).
Disadvantages:
– Two steps are needed.
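The two-step check proposed above, as an added worked example in Python. This is illustrative code written for this page, not oneM2M's or LG Electronics' code, and everything in it is an assumption constructed for the example: the data layout (a Service Role as a map from resource type to operation flags, an ACP as an originator-to-flags white list), the function names, and the sample entities AE1, AE2, CSEBase, container1, container2, acpBase and acp1. It also covers the parent-ACP fallback from the Access Control Policy background slide (a resource without accessControlPolicyID uses its parent's) and the per-child-type Create differentiation from Why M2M Service Subscription (1): for a Create, step 1 checks the child's resource type while step 2 consults the parent's ACP.

```python
"""Added illustration of 'Access Control Approach 2' (two-step check).
Not oneM2M code; names, layout and sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Operation flags (constructed; loosely mirroring privilegesFlags).
C, R, U, D = 1, 2, 4, 8
RUD = R | U | D
CRUD = C | RUD
OP_NAMES = {C: "Create", R: "Retrieve", U: "Update", D: "Delete"}


@dataclass
class ServiceRole:
    """An M2M Service Role: privileges per resource type (hypothetical layout)."""
    name: str
    privileges: Dict[str, int]  # resource type -> allowed operation flags


@dataclass
class AccessControlPolicy:
    """An ACP as a white list: originatorPrivileges -> privilegesFlags."""
    originator_privileges: Dict[str, int]


@dataclass
class Resource:
    resource_id: str
    resource_type: str
    acp_id: Optional[str] = None
    parent: Optional["Resource"] = None


def resolve_acp_id(resource: Resource) -> Optional[str]:
    """A resource without accessControlPolicyID uses its parent's. If no ancestor
    has one either (FFS on the slide), this example returns None, i.e. deny."""
    node = resource
    while node is not None:
        if node.acp_id is not None:
            return node.acp_id
        node = node.parent
    return None


def step1_subscription_allows(roles: List[ServiceRole], rtype: str, op: int) -> bool:
    """Step 1: does any subscribed Service Role grant `op` on this resource *type*?"""
    return any(role.privileges.get(rtype, 0) & op for role in roles)


def step2_acp_allows(acp: AccessControlPolicy, originator: str, op: int) -> bool:
    """Step 2: does the ACP of the concrete resource grant `op` to this originator?"""
    return bool(acp.originator_privileges.get(originator, 0) & op)


def check_access(originator: str, op: int, target: Resource,
                 subscriptions: Dict[str, List[ServiceRole]],
                 acps: Dict[str, AccessControlPolicy],
                 child_type: Optional[str] = None) -> Tuple[bool, str]:
    """Approach 2: subscription check on the resource type, then ACP check.
    For Create, `target` is the parent under which a `child_type` resource is
    to be created: step 1 checks the child's type, step 2 the parent's ACP."""
    if op == C and child_type is None:
        raise ValueError("Create needs the child resource type")
    checked_type = child_type if op == C else target.resource_type
    roles = subscriptions.get(originator, [])
    if not step1_subscription_allows(roles, checked_type, op):
        return False, "step1: subscription grants no %s on type %s" % (OP_NAMES[op], checked_type)
    acp = acps.get(resolve_acp_id(target))
    if acp is None or not step2_acp_allows(acp, originator, op):
        return False, "step2: ACP of %s grants no %s to %s" % (target.resource_id, OP_NAMES[op], originator)
    return True, "allowed"


# --- constructed sample data (mirrors the AE1/container examples on the slides) ---
SUBSCRIPTIONS = {
    "AE1": [ServiceRole("ContainerConsumer", {"container": RUD})],   # no Create
    "AE2": [ServiceRole("ContainerProvider", {"container": CRUD})],  # no 'group' at all
}
ACPS = {
    "acpBase": AccessControlPolicy({"AE1": CRUD, "AE2": CRUD}),  # generous ACP on CSEBase
    "acp1": AccessControlPolicy({"AE1": R}),                    # container1: AE1 read-only
}
CSE_BASE = Resource("cseBase", "CSEBase", acp_id="acpBase")
CONTAINER1 = Resource("container1", "container", acp_id="acp1", parent=CSE_BASE)
CONTAINER2 = Resource("container2", "container", parent=CSE_BASE)  # inherits acpBase


def demo() -> Dict[str, Tuple[bool, str]]:
    cases = {
        "AE1 retrieve container1": check_access("AE1", R, CONTAINER1, SUBSCRIPTIONS, ACPS),
        "AE1 update container1": check_access("AE1", U, CONTAINER1, SUBSCRIPTIONS, ACPS),
        "AE1 delete container2": check_access("AE1", D, CONTAINER2, SUBSCRIPTIONS, ACPS),
        "AE1 create container at CSEBase": check_access("AE1", C, CSE_BASE, SUBSCRIPTIONS, ACPS, "container"),
        "AE2 create container at CSEBase": check_access("AE2", C, CSE_BASE, SUBSCRIPTIONS, ACPS, "container"),
        "AE2 create group at CSEBase": check_access("AE2", C, CSE_BASE, SUBSCRIPTIONS, ACPS, "group"),
    }
    for name, (allowed, reason) in cases.items():
        print("%-35s %s (%s)" % (name, "ALLOW" if allowed else "DENY", reason))
    return cases


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the two failure modes the slides distinguish: AE1's Update on container1 passes step 1 (its role allows RUD on the container type) but fails step 2 (acp1 grants only R), while AE1's Create under the CSEBase fails step 1 even though the CSEBase ACP would have allowed it, and AE2's Create of a group fails step 1 for the same reason, which is exactly the per-child-type differentiation a plain ACP on the CSEBase cannot express.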
PEP and PDP
Since we are making an access control solution for M2M, it’s better to have the PEP and PDP at the same entity (the resource hosting CSE).
– If we separate PEP and PDP, all requests to the device/gateway need to go to the PDP, which brings severe network communication overhead.
Consider the resource hosting CSE as both PEP and PDP.
Conclusion
Please consider Access Control Approach 2 as the oneM2M access control mechanism for Release 1.
– Detailed procedures are described in XXXXX.
Please consider the resource hosting CSE as PEP and PDP for Release 1.