Presentation is loading. Please wait.

Presentation is loading. Please wait.

Service Layer Dynamic Authorization [SLDA]

Published byStuart Haynes Modified over 5 years ago

Similar presentations

Presentation on theme: "Service Layer Dynamic Authorization [SLDA]"— Presentation transcript:

1 Service Layer Dynamic Authorization [SLDA]
Group Name: SEC WG Source: InterDigital., Vinod Choyi & Dale Seed Meeting Date: SEC#20.3, Agenda Item: Dynamic Authorization

2 SLDA Consultation Upon detection of lack of ACP privileges for an incoming request, Hosting CSE may consult with Authorization Entity to perform SLDA Advantage: No impact on Originator

3 SLDA Consultation Flow
Start Receive Incoming Request from Originator Yes Does ACP / DACP exist matching Originator’s Request? ACP No DACP No Does ACP have Valid Dynamic Authorization Consultation Rule (DACR)? DACR Yes Hosting CSE Consults with Designated Authorization Entity Based on lifetime of granted privilege, Hosting CSE may maintain Dynamic ACP privilege and use it to authorize subsequent requests from Originator. Advantage: Hosting CSE does not need to consult with Authorization Entity for each and every request. No Access Privileges Granted? Yes Reject Request and Return Response Dynamic Authorization Consultation Rule (DACR): Describes rules for enabling dynamic authorization Dynamic Access Control Policy (DACP): Counterpart to the static ACP. Contains the authorization that is granted and its validity (i.e. lifetime) End Perform the Request and Return Response End

4 SLDA Consultation Messaging
Originator Hosting CSE Authorization Entity Request Request fails ACP checks Dynamic Authorization Consultation Rule Present Dynamic Authorization Consultation Request E.g. RETRIEVE Request Parameters: - ID of Request Originator - Type of Requested Operation - Type of Requested Resource - Context of Originator (IP, Location, Role) - ID of Requested Resource - Proposed Authorization Lifetime - … Dynamic Authorization Decision Making (Details out of scope for oneM2M R2) Dynamic Authorization Consultation Response Response Parameters: - Dynamic Authorization Decision (Granted | Denied) - List of Privilege(s) - Lifetime of Granted Privilege(s) - … If Access Granted Then Perform Request Otherwise Reject It Response (Optional) Maintain privileges until they expire Note – Some of the proposed message parameters can be defined as optional.

5 SLDA Consultation Messaging Parameters
SLDA Consultation Request Parameters SLDA Consultation Response Parameters Parameter Description Mandatory/ Optional to URI of targeted Authorization Entity M fr Identifier of the Hosting CSE issuing SLDA consultation request rid Uniquely identifies request message oid Identifier of the Originator of the request received by the Hosting CSE ort Type of resource targeted by originated request received by Hosting CSE oro Type of operation specified in originated request received by Hosting CSE oip IP address of Originator of request received by Hosting CSE O oloc Location of Originator of request received by Hosting CSE orol Role of Originator of request received by Hosting CSE otm Timestamp when originated request was received by Hosting CSE orid Resource ID targeted by originated request received by Hosting CSE rlt Proposed lifetime of authorization privileges requested by the Hosting CSE Parameter Description Mandatory/ Optional rsc Response Status Code M rid Request Identifier dad Dynamic Authorization Decision (e.g. GRANTED or DENIED) priv List of granted privileges O plt Lifetime of granted privileges

6 SLDA Consultation Rule Resource
Attributes of <dynAuthzConsultRule> Multiplicity RW/ RO/ WO Description dynAuthzEntityPoA L RW Represents point of access address to be targeted by the Hosting CSE when making consultation based dynamic authorization requests (e.g. dynAuthzLifetime 1 The dynamic authorization lifetime value that the Hosting CSE shall request when making consultation based dynamic authorization requests.

7 Linking SLDA Consultation Rule to ACP
Attributes of <accessControlPolicy> Multiplicity RW/ RO/ WO Description dynAuthzConsultRuleIDs L RW Contains a list of identifiers of <dynAuthzConsultRule> resource(s)

8 Dynamic Access Control Policy Privileges
Following consultation and based on lifetime of dynamically granted access, Hosting CSE may maintain Dynamic ACP privilege and use it to authorize subsequent requests from Originator. Advantage: Hosting CSE does not need to consult with Authorization Entity for each and every request. Option 1 (Recommended) – Hosting CSE creates a <dynamicAccessControlPolicy> resource. (E.g. as a child of the resource being targeted by Originator) Option 2 – Hosting CSE dynamically appends new privileges to existing <accessControlPolicy> Resource

9 Proposed Way Forward Bring in the following TP21 Contributions
TS-0003 (Section 7.1.x) Add Service Layer Dynamic Authorization (SLDA) Description General overview, description, flow of algorithm for SLDA consultation TS-0001 New / Updated SLDA Resources (Section 9.6.x) Updated <acccessControlPolicy> Resource (dynAuthzConsultRuleIDs) New <dynAuthzConsultRule> Resource New <dynamicAccessControlPolicy> Resource New/Updated SLDA Resource Procedures (Section 10.2.x) Procedures for <dynAuthzConsultRule> Resource Procedures for <dynamicAccessControlPolicy> Resource

Download ppt "Service Layer Dynamic Authorization [SLDA]"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Access Control Mechanism Discussion

Access Control Mechanism Discussion
CMDH Refinement Contribution: oneM2M-ARC-0397

CMDH Refinement Contribution: oneM2M-ARC-0397
Problem of Current Notification Group Name: ARC WG Source: Heedong Choi, LG Electronics, Meeting Date: ARC 9.0 Agenda Item: TBD.

Problem of Current Notification Group Name: ARC WG Source: Heedong Choi, LG Electronics, Meeting Date: ARC 9.0 Agenda Item: TBD.
Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.

Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
OneM2M-MP-2013-0197-Data_Model_Repository Establishing Data Model Repository for oneM2M Group Name: Method and Procedure Sub-commitee Source: WG3 chair.

OneM2M-MP Data_Model_Repository Establishing Data Model Repository for oneM2M Group Name: Method and Procedure Sub-commitee Source: WG3 chair.
Resource Announcement Procedures Group Name: WG2 Source: Rajesh Bhalla, Hao Wu - ZTE Meeting Date: 2014-03-20 Agenda Item: TBD.

Resource Announcement Procedures Group Name: WG2 Source: Rajesh Bhalla, Hao Wu - ZTE Meeting Date: Agenda Item: TBD.
App-ID Use Cases, Syntax and Attributes SEC-2015-0508-App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,

App-ID Use Cases, Syntax and Attributes SEC App-ID_Use_Cases,_Syntax_and_Attributes Group Name: Architecture Source: Darold Hemphill, iconectiv,
Discussions for oneM2M Semantics Standardization Group Name: WG5 Source: InterDigital Communications Meeting Date: 2014-02-19 Agenda Item: WI-0005 ASN/MN-CSE.

Discussions for oneM2M Semantics Standardization Group Name: WG5 Source: InterDigital Communications Meeting Date: Agenda Item: WI-0005 ASN/MN-CSE.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-19 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Announcement Resources ARC-2014-1255-Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: 2014-04-07 Agenda Item: Input Contribution.

Announcement Resources ARC Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: Agenda Item: Input Contribution.
Introduction of PRO WG activities Group Name: TP Source: Shingo Fujimoto, FUJITSU, Meeting Date: 2015-03-25 Agenda Item:

Introduction of PRO WG activities Group Name: TP Source: Shingo Fujimoto, FUJITSU, Meeting Date: Agenda Item:
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-26 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: 2014-07-15 Agenda Item: SEC#11.4.

Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: Agenda Item: SEC#11.4.
Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: 2014-04-07 Agenda Item: Management.

Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: Agenda Item: Management.
TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: 2014-06-07 Agenda Item: ARC11/PRO11.

TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: Agenda Item: ARC11/PRO11.
Discussion on the problem of non- Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.2.

Discussion on the problem of non- Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.2.
Response Status Codes Concepts for oneM2M Group Name: WG3 Source: Philip Jacobs, Cisco, Meeting Date: 2014-05-22 Agenda Item: TS-0004.

Response Status Codes Concepts for oneM2M Group Name: WG3 Source: Philip Jacobs, Cisco, Meeting Date: Agenda Item: TS-0004.
Supporting long polling Group Name: ARC WG Source: SeungMyeong, LG Electronics, Meeting Date: 2013-0x-xx Agenda Item: TBD.

Supporting long polling Group Name: ARC WG Source: SeungMyeong, LG Electronics, Meeting Date: x-xx Agenda Item: TBD.
Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:

Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:

Similar presentations

Ads by Google