Access Control Mechanism Discussion


1 Access Control Mechanism Discussion
Group Name: SEC WG
Source: Seongyoon Kim, LG Electronics
Meeting Date: 7 April, 2014
Agenda Item: TBD

2 Introduction
This contribution introduces an overall access control mechanism using M2M Service Subscription and Access Control Policy (ACP).

3 M2M Service Subscription (background)
- An M2M Service consists of M2M Service role(s), and the M2M Subscriber (typically an Application Provider) subscribes to one or multiple M2M Service roles.
  In each M2M Service, one or multiple M2M Service role(s) shall be defined by the M2M Service Provider. The M2M Subscriber subscribes one or multiple roles within the M2M Services, which M2M Subscribers are interested in. (section in draft TS 0001 v.0.4.3)
- An M2M Service Role specifies a set of privileges pertaining to resource types.
  M2M Service role is defined as a set of privileges pertaining to a resource types which are associated with M2M Service. (section in draft TS 0001 v.0.4.3)
- Examples of M2M Service Roles:
  - "Firmware Provider": CRUD for <firmware> resource type
  - "Trouble Shooting": R for <deviceInfo> resource type, RW for <reboot> resource type
  - "Data Exchange": CRUD for <container> resource type

4 Access Control Policy (background)
- An access control policy describes who can perform which operation on a resource.
  Access control policy is defined as "white lists" or privileges, i.e. each privilege defines "allowed" entities (defined as originatorPrivileges) for certain access modes (defined as privilegesFlags) in (section in draft TS 0001 v.0.4.3)
- A resource may not have an accessControlPolicyID; in that case the accessControlPolicyID of the parent resource shall be used. (FFS in case the parent resource doesn't have an accessControlPolicyID.)

5 Relationship (M2M Service Subscription and ACP)
- M2M Service Subscription describes who is authorized to perform operations on which resource types.
- Access Control Policy describes who is authorized to perform operations on real resources.
- Even though AE1 has an M2M Service Subscription that makes AE1 able to perform RUD on the <container> resource type, it doesn't mean AE1 has privileges to perform RUD on container1.
  - AE1 needs to have RUD privileges in the access control policy for container1.
  - Based on the M2M Service Subscription, AE1 shall not be able to Create a container resource.
→ M2M Service Subscription describes the maximum allowed permissions (e.g., RUD) for a certain resource type (e.g., container) for a certain entity (e.g., AE1).

6 Why M2M Service Subscription (1)
- If we don't use M2M Service Subscription in the access control mechanism, there is no way to differentiate the Create permission for each child resource type.
  - Without M2M Service Subscription, if AE1 has Create permission for CSEBase of CSE1, AE1 is authorized to create all the child resources (e.g., node, remoteCSE, group, accessRight, subscription, mgmtObj, etc.) at CSEBase of CSE1.
- To be able to give proper privileges, M2M Service Subscription shall be used.
  - Even though AE1 has Create permission for CSEBase of CSE1, AE1 needs to be authorized by M2M Service Subscription.
  - If AE1 has an M2M Service Role for creating the <container> resource type, AE1 is authorized to create a container resource at CSEBase.
  - If AE1 doesn't have an M2M Service Role for creating the <group> resource type, AE1 is not authorized to create a group resource at CSEBase.

7 Why M2M Service Subscription (2)
- If we don't use M2M Service Subscription in the access control mechanism, a certain Application Provider may have more permissions than it subscribes to with the M2M Service Provider.
  - For example, AE1 would like to give AE2 permissions for a mgmtObj resource, but AE2 doesn't subscribe to the device management service role → AE2 may have more permissions than AE2 is allowed to have.

8 Access Control Approach 1
M2M Service Subscription information is applied to the associated access control policy.
- For example, AE1 has the App-ID App1, and the M2M Service Subscription information for App1 is applied to the associated ACP1 and ACP2.
Advantages:
- Only the ACP is considered in the access control mechanism.
Problems:
- Applying M2M Service Subscription information to the ACP is not an easy task, since the ACP contains many Originator attributes (FQDN, Role, ID, Token, All) → burden to keep them aligned (when the M2M Service Subscription is changed, when the ACP is changed).
- If a Token or FQDN is used in the ACP, there is no way to apply the M2M Service Subscription for that Token or FQDN → which M2M Service Subscription is used when a Token or FQDN is used? There is no way to find the associated M2M Service Subscription.
- It doesn't provide a solution for page 6.

9 Access Control Approach 2 (proposal)
Separates the check into two steps:
- Check M2M Service Subscription: whether the Originator has enough permission on the resource type of the resource that the Originator accesses
- Check Access Control Policy: whether the Originator has enough permission on the resource that the Originator accesses
Advantages:
- Easy to extend (considering future releases, deployment scenarios)
- Doesn't need a complex procedure → simple
- Provides a solution for pages 6 and 7
Disadvantages:
- Two steps are needed
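An added sketch of the two-step check proposed on slide 9, run against the cases from pages 5 to 7 (not part of the original contribution and not oneM2M-defined code). The role and subscription tables, the `Resource` class and all function names are hypothetical, and denying when neither the resource nor its parent has a policy is an assumption, since the slides leave that case FFS.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; every name below is hypothetical, not a oneM2M API.
# Step 1 input: roles grant operations per resource *type*.
ROLES = {"Data Exchange": {"container": {"C", "R", "U", "D"}}}
SUBSCRIPTIONS = {"AE1": ["Data Exchange"], "AE2": ["Data Exchange"]}

@dataclass
class Resource:
    name: str
    rtype: str
    parent: Optional["Resource"] = None
    acp: Optional[dict] = None  # white list: originator -> allowed operations

def subscription_allows(originator, rtype, op):
    roles = SUBSCRIPTIONS.get(originator, [])
    return any(op in ROLES[r].get(rtype, set()) for r in roles)

def effective_acp(res):
    # A resource without its own policy uses its parent's policy.
    if res.acp is not None:
        return res.acp
    if res.parent is not None and res.parent.acp is not None:
        return res.parent.acp
    return {}  # parent has none either: FFS on the slides, denied here (assumption)

def authorize(originator, op, target, child_type=None):
    if op == "C" and child_type is None:
        raise ValueError("Create needs the child resource type")
    # Create is judged against the type being created, other ops against the target's type.
    rtype = child_type if op == "C" else target.rtype
    if not subscription_allows(originator, rtype, op):
        return "deny: subscription"   # step 1 failed
    if op not in effective_acp(target).get(originator, set()):
        return "deny: acp"            # step 2 failed
    return "permit"

cse_base = Resource("CSEBase", "CSEBase", acp={"AE1": {"C", "R"}})
container1 = Resource("container1", "container", cse_base, acp={"AE2": {"R"}})
container2 = Resource("container2", "container", cse_base)  # no own policy
mgmt_obj1 = Resource("mgmtObj1", "mgmtObj", cse_base, acp={"AE2": {"R", "U"}})

if __name__ == "__main__":
    print(authorize("AE1", "C", cse_base, "container"))  # page 6: role covers <container>
    print(authorize("AE1", "C", cse_base, "group"))      # page 6: no role for <group>
    print(authorize("AE1", "R", container1))             # page 5: type allowed, resource not
    print(authorize("AE2", "U", mgmt_obj1))              # page 7: ACP grants, subscription does not
```
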

10 PEP and PDP → Considering PEP and PDP as Resource hosting CSE
- Since we are making an access control solution for M2M, it's better to have the PEP and PDP at the same entity (the resource hosting CSE).
- If we separate the PEP and PDP, all the requests to the device/gateway need to go to the PDP, which brings severe network communication flows.
→ Considering PEP and PDP as Resource hosting CSE

11 Conclusion
- Please consider Access Control Approach 2 as the oneM2M access control mechanism for release 1.
  - Detailed procedures are described in XXXXX.
- Please consider the PEP and PDP as the resource hosting CSE for release 1.

