Access Control Mechanism Discussion

Slides:



Advertisements
Similar presentations
A global Service layer platform for M2M communications
Advertisements

SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Is a Node or not Node? ARC Node_resolution Group Name: ARC Source: Barbara Pareglio, NEC, Meeting Date: ARC#9.1 Agenda.
Access Control Mechanism for User Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: Agenda Item:
Problem of Current Notification Group Name: ARC WG Source: Heedong Choi, LG Electronics, Meeting Date: ARC 9.0 Agenda Item: TBD.
Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
3GPP Presence Requirements Requirements for Presence Service based on 3GPP specifications and wireless environment characteristics draft-kiss-simple-presence-wireless-
Method of Converting Resource definitions into XSD Group Name: WG3 (PRO) Source: Shingo Fujimoto, FUJITSU, Meeting Date:
Group:WG3 (PRO) Source:Peter Niblett, IBM, Date: Agenda:PRO#14 TS-0004 Data Representation Proposal Discussion.
Multi-Link Devices Group Name: WG1 Source: Kaonmedia, KETI Contact: Hwang Kwang Tae Yong-Suk Park
Mechanism to support establishment of charging policies Group Name: WG2-ARC Source: InterDigital Meeting Date: TP8 Agenda Item:
2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Announcement Resources ARC Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: Agenda Item: Input Contribution.
Introduction of PRO WG activities Group Name: TP Source: Shingo Fujimoto, FUJITSU, Meeting Date: Agenda Item:
Group based paging operation for p system IEEE Presentation Submission Template (Rev. 9.2) Document Number: IEEE C80216p-10_0018 Date Submitted:
PRO R01-URI_mapping_discussion Discussion on URI mapping in protocol context Group Name: PRO and ARC Source: Shingo Fujimoto, FUJITSU,
Authorization for IoT Group Name: oneM2M SEC WG Source: Francois Ennesser, Gemalto NV Meeting Date: Agenda Item:
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: Agenda Item: SEC#11.4.
Usage Scenarios for CSE Group Name: WG2(ARC-WG) Source: Shingo Meeting Date: Agenda Item: Message.
Discussion on the problem of non- Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.2.
App-ID Discussion Group Name: ARC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: 31 July 2014 Agenda Item: TBD.
WG 2 Progress Report at TP #8 Group Name: oneM2M TP #8 Source: WG2 leadership Meeting Date: /13 Agenda Item: WG Reports.
Supporting long polling Group Name: ARC WG Source: SeungMyeong, LG Electronics, Meeting Date: x-xx Agenda Item: TBD.
Customized Resource Types MAS Group Name: MAS + ARC + PRO WGs Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date:
Discussion on the problem of non- Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.2.
Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:
Step by step approach Group Name: WG2 Source: Michael hs. Yang, LG uplus, Jaeseung Song, NEC Europe, Meeting.
Status Report on Access TP8 Group Name: WG2 Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Introducing WI Proposal about Authorization Architecture and Policy Group Name: WG4 Source: Wei Zhou, Datang, Meeting Date: Agenda Item:
Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.2,
Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:
OIC INTERWORKING OPERATIONAL PROCEDURE (ADDRESSING AND DISCOVERY) Group Name: Architecture WG Source: Kiran Vedula, Samsung Electronics,
M2M Service Session Management (SSM) CSF
E2EKey Resource Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.3, Agenda Item: End-to-End Security.
Routing Problem of the Current Architecture Group Name: ARC Source: Hongbeom Ahn, LG Electronics, Meeting Date: Agenda.
Different planes for the resource structure Group Name: WG5 – MAS and WG2 – ARC Source: Nicolas Damour, Sierra Wireless
M2M Service Subscription Profile Discussion Group Name: oneM2M TP #19.2 Source: LG Electronics Meeting Date: Agenda Item:
Realizing Ms Interface with OMA DM Group Name: MAS WG Source: Seungkyu Park, LG Meeting Date:
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
SEC #11 WG4 Status & Release 1 Outlook Group Name: Source:,, Meeting Date: Agenda Item:
Way Forward of Abstract Information Model (Mapping Model with Resource Structure) Group Name: WG2 Source: Heedong LG Electronics.
Clarification of Access Control Mechanism on Rel-1 & Rel-2 Group Name: SEC ( ARC & PRO for information) Source: FUJITSU Meeting Date: Agenda.
Issues of Current Access Control Rule and New Proposal Introduction Group Name: ARC 21 Source: Wei Zhou, Datang, Meeting Date:
Adding Non-blocking Requests Contribution: oneM2M-ARC-0441R01R01 Source: Josef Blanz, Qualcomm UK, Meeting Date: ARC 7.0,
Authorization Architecture Discussion Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: 28 MAY, 2014 Agenda.
Draft way Forward on Access Control Model and associated Terminology Group Name: SEC Source: Dragan Vujcic, Oberthur Technologies,
Issues about management Group Name: MAS9.2 Source: Jiaxin Yin, Huawei Technologies Co., Ltd., Meeting Date: Agenda Item:
Subscription and Notification Issue Group Name: WG2 Source: Qi Yu, Mitch Tseng- Huawei Technologies, Co. LTD. Meeting Date: ~23 Agenda Item:
Consideration Security Issues on Registration Group Name: WG4 (SEC) Source: Shingo Fujimoto, FUJITSU, Meeting Date:
Specifying the Address of Management Client of Managed Entity Group Name: ARC Source: Hongbeom Ahn, SK Telecom, Meeting Date: TP#21 Agenda.
Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,
Resource subscription using DDS in oneM2M
[authenticationProfile] <mgmtObj> specialization
CSE Retargeting to AE, IPE, and NoDN Hosted Resources
Service Enabled AE (SAE)
End-to-End Security for Primitives
Group multicast fanOut Procedure
2nd Interoperability testing issues
Possible options of using DDS in oneM2M
Proposed design principles for modelling interworked devices
TS-0004 Data Representation Proposal Discussion
Aggregation of notification
Considering issues regarding handling token
MinitorEvent(UE_Reachability)
Service Layer Dynamic Authorization [SLDA]
Summary of the MAF and MEF Interface Specification TS-0032
Notification Target Discussion
Presentation transcript:

Access Control Mechanism Discussion Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, seongyoon.kim@lge.com Meeting Date: 7 April, 2014 Agenda Item: TBD

Introduction This contribution introduces overall access control mechanism using M2M Service Subscription and Access Control Policy(ACP)

M2M Service Subscription(background) M2M Service consists of M2M Service role(s) and M2M Subscriber(Typically Application Provider) subscribes one or multiple M2M Service role In each M2M Service, one or multiple M2M Service role(s) shall be defined by the M2M Service Provider. The M2M Subscriber subscribes one or multiple roles within the M2M Services, which M2M Subscribers are interested in. (section 6.5.1.2 in draft TS 0001 v.0.4.3) M2M Service Role specifies set of privileges pertaining to resource types M2M Service role is defined as a set of privileges pertaining to a resource types which are associated with M2M Service. (section 6.5.1.2 in draft TS 0001 v.0.4.3) Example of M2M Service Role is “Firmware Provider”: CRUD for <firmware> resource type “Trouble Shooting”: R for <deviceInfo> resource type, RW for <reboot> resource type “Data Exchange”: CRUD for <container> resource type

Access Control Policy(background) Access control policy describes who can perform which operation for a resource. Access control policy is defined as "white lists" or privileges, i.e. each privilege defines "allowed" entities (defined as originatorPrivileges) for certain access modes (defined as privilegesFlags) in (section 9.6.2 in draft TS 0001 v.0.4.3) Resource may not have accessControlPolicyID, then accessControlPolicyID of parent resource shall be used. (FFS in case parent resource doesn’t have accessControlPolicyID)

Relationship(M2M Service Subscription and ACP) M2M Service Subscription describes who is authorized to perform on which resource types Access Control Policy describes who is authorized to perform on real resources Even though AE1 has M2M Service Subscription which make AE1 able to perform RUD on <container> resource type, it doesn’t mean AE1 has privileges to RUD perform on container1. AE1 needs to have RUD privileges in access control policy for container1 Based on M2M Service Subscription, AE1 shall not be able to Create container resource  M2M Service Subscription describes maximum allowed permissions(e.g., RUD) for a certain resource type(e.g., container) to a certain entity (e.g., AE1)

Why M2M Service Subscription(1) If we don’t use M2M Service Subscription in access control mechanism, there is no way to differentiate create permission for each child resource type. If we don’t use M2M Service Subscription, if AE1 has Create permission for CSEBase of CSE1, AE1 is authorized to create all the child resources(e.g., node, remoteCSE, group, accessRight, subscription, mgmtObj, etc.) at CSEBase of CSE1 To be able to give proper privileges, M2M Service Subscription shall be used Even though AE1 has Create permission for CSEBase of CSE1, AE1 needs to be authorized by M2M Service Subscription If AE1 has M2M Service Role for Creating <container> resource type, AE1 is authorized to create container resource at CSEBase If AE1 doesn’t have M2M Service Role for create <group> resource type, AE1 is not authorized to create group resource at CSEBase

Why M2M Service Subscription(2) If we don’t use M2M Service Subscription in access control mechanism, a certain Application Provider may have more than he subscribes to M2M Service Provider For example, AE1 would like to give AE2 permissions for mgmtObj resource but AE2 doesn’t subscribes device management service role  AE2 may have permissions more than AE2 allows to have

Access Control Approach 1 M2M Service Subscription information is applied to associated Access control policy. For example AE1 has App1 App-ID and M2M Service Subscription information for App1 is applied to associated ACP1 and ACP2 Advantages: In access control mechanism, ACP is only considered Problems: Applying M2M Service Subscription information to ACP is not easy task since ACP contains lots Originator attributes (FQDN, Role, ID, Token, All)  burden to align this (when M2M Service Subscription is changed, when ACP is changed) If Token or FQDN is used in ACP, there is no way to apply M2M Service Subscription for that Token or FQDN  which M2M Service Subscription is used when Token or FQDN is used? There is no way to find associated M2M Service Subscription It doesn’t provide solution for page 6

Access Control Approach 2(proposal) Makes two separation steps: Check M2M Service Subscription: whether Originator has enough permission on resource type of the resource that Originator accesses Check Access Control Policy: whether Originator has enough permission on the resource that Originator accesses Advantages: Easy to extend (considering future release, deployment scenario) Doesn’t need to have complex procedure  simple Provide solution for page 6, 7 Disadvantages: Two steps are needed

PEP and PDP  Considering PEP and PDP as Resource hosting CSE Since we are making access control solution for M2M, it’s better to have PEP and PDP at the same entity (resource hosting CSE) If we separate PEP and PDP, all the requests to the device/gateway need to go PDP, which brings severe network communication flows  Considering PEP and PDP as Resource hosting CSE

Conclusion Please consider Access Control Approach 2 as oneM2M access control mechanism for release 1 detail procedures are described in XXXXX Please consider PEP and PDP resource hosting CSE for release 1

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.