Attribute-level access control
Group Name: ARC WG
Source: Yuan Tao, Mitch Tseng, Huawei Technologies
Meeting Date: ARC 16
Agenda Item: TBD
Introduction
• In the R1 specification, access control operates only at the resource level: every attribute of a resource is governed by the same access control policy.
- The privileges and selfPrivileges attributes of the <accessControlPolicy> resource hold a set of access control rules, each of which is a 3-tuple (accessControlOriginators, accessControlContexts, accessControlOperations).
• In some cases, different attributes of one resource require different access rights, which a resource-level rule cannot express.
© 2015 oneM2M Partners
Case 1: firmware/software management

[firmware] resource (multiplicity, attribute):
  1     mgmtDefinition
  0..1  description
  1     version
  1     name
  1     URL
  1     update
  1     updateStatus
  0..1  objectIDs (L)
  0..1  objectPaths (L)
Child resource: <subscription> 0..n
1. The version attribute should only be updatable by the administrator device; a non-administrator device should only be able to retrieve its value. However, when a non-administrator device triggers a firmware/software upgrade, the UPDATE method is applied to the whole resource, so any device allowed to trigger the upgrade is also allowed to overwrite version.
2. Only the administrator device should be able to retrieve the URL attribute; a non-administrator device should be able to retrieve every attribute except URL. However, the RETRIEVE method is applied to the whole resource, so the URL attribute cannot be withheld from a device that may read the rest.
[software] resource (multiplicity, attribute):
  1     mgmtDefinition
  0..1  description
  1     version
  1     name
  1     URL
  1     install
  1     uninstall
  1     installStatus
  0..1  activate
  0..1  deactivate
  0..1  activeStatus
  0..1  objectIDs (L)
  0..1  objectPaths (L)
Child resource: <subscription> 0..n
Case 2: anonymous data sharing

Anonymous data stored in a <container> resource may be shared with certain entities. Those entities should be able to retrieve every attribute of the resource except the creator attribute, which would identify who produced the data. However, the RETRIEVE method is applied to the whole resource, so creator cannot be excluded from what they read.
<container> resource (multiplicity, attribute):
  1     creator
  0..1  maxNrOfInstances
  0..1  maxByteSize
  0..1  maxInstanceAge
  1     currentNrOfInstances
  1     currentByteSize
  0..1  locationID
  0..1  ontologyRef
Child resources: <contentInstance> 0..n, <subscription> 0..n, <container> 0..n, <latest> 1, <oldest> 1
Suggestion

A new accessControlAttributes parameter:
- Represents the attributes of the <resource> to which this access control rule applies; an operation is permitted only on the attributes the rule names.
- Contained by the privileges and selfPrivileges attributes, whose access control rules thereby become 4-tuples (originators, contexts, operations, attributes).
Example: a CSE may use the UPDATE method on the AE-ID attribute of the <AE> resource between 9.00am and 12.00am.
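The following is an added illustration, not code from the oneM2M specification or from this ARC WG contribution. It models an access control rule as the proposed 4-tuple and evaluates it twice: once with R1 semantics, where the attribute element is ignored and a matching rule grants the operation on the whole resource, and once with the proposed attribute-level semantics, where every attribute a request touches must be covered by a matching rule. It replays Case 1 (the [firmware] resource), Case 2 (the anonymous <container>) and the <AE> example from the Suggestion slide. The Rule and Request shapes, the originator identifiers "admin", "dev1", "anyone" and "CSE01", the reduction of accessControlContexts to a time window, and the reading of the slide's "12.00am" as noon are all assumptions made for the example.

```python
"""Toy evaluator contrasting R1 resource-level rules with attribute-level rules.

Added illustration, not code from the oneM2M specification or this ARC WG
contribution. Rule/Request shapes, originator IDs and the time-only context
are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

ALL = "*"  # wildcard: "any originator" / "every attribute of the resource"


@dataclass(frozen=True)
class Rule:
    originators: FrozenSet[str]                      # accessControlOriginators
    operations: FrozenSet[str]                       # accessControlOperations
    time_window: Optional[Tuple[time, time]] = None  # accessControlContexts, reduced to a time window (assumption)
    attributes: FrozenSet[str] = frozenset({ALL})    # proposed accessControlAttributes (4th tuple element)


@dataclass(frozen=True)
class Request:
    originator: str
    operation: str
    attributes: FrozenSet[str]  # attributes the request reads or writes
    at: time


def request(originator, operation, attrs, hour=10, minute=0):
    """Build a Request; the default 10:00 keeps untimed cases inside the 09:00-12:00 window."""
    return Request(originator, operation, frozenset(attrs), time(hour, minute))


def _base_match(rule, req):
    """Originator, operation and context: the part of the check R1 already performs."""
    if ALL not in rule.originators and req.originator not in rule.originators:
        return False
    if req.operation not in rule.operations:
        return False
    if rule.time_window is None:
        return True
    start, end = rule.time_window
    return start <= req.at < end


def resource_level_permits(rules, req):
    """R1 semantics: a matching rule grants the operation on the whole resource,
    so the rule's attributes element plays no part in the decision."""
    return any(_base_match(r, req) for r in rules)


def attribute_level_permits(rules, req):
    """Proposed semantics: every attribute the request touches must be covered by
    some rule that also matches originator, operation and context."""
    if not req.attributes:          # a request naming no attribute is refused
        return False
    uncovered = set(req.attributes)
    for r in rules:
        if not _base_match(r, req):
            continue
        if ALL in r.attributes:
            return True
        uncovered -= r.attributes
    return not uncovered


# Case 1: the [firmware] resource. Attribute names follow the slide; "admin" and
# "dev1" are assumed originator IDs.
FIRMWARE_ATTRS = frozenset({"mgmtDefinition", "description", "version", "name", "URL",
                            "update", "updateStatus", "objectIDs", "objectPaths"})
NON_ADMIN_READABLE = FIRMWARE_ATTRS - {"URL"}

FIRMWARE_RULES = (
    Rule(frozenset({"admin"}), frozenset({"RETRIEVE", "UPDATE"})),                       # admin: everything
    Rule(frozenset({ALL}), frozenset({"RETRIEVE"}), attributes=NON_ADMIN_READABLE),      # others: read all but URL
    Rule(frozenset({ALL}), frozenset({"UPDATE"}), attributes=frozenset({"update"})),     # others: trigger upgrade only
)

# What R1 forces instead: to let a device trigger the upgrade at all it must be
# granted UPDATE on the whole resource, which also lets it rewrite version.
R1_FIRMWARE_RULES = (
    Rule(frozenset({"admin"}), frozenset({"RETRIEVE", "UPDATE"})),
    Rule(frozenset({ALL}), frozenset({"RETRIEVE", "UPDATE"})),
)

# Case 2: anonymous <container>; creator must stay hidden from the sharing entities.
CONTAINER_ATTRS = frozenset({"creator", "maxNrOfInstances", "maxByteSize", "maxInstanceAge",
                             "currentNrOfInstances", "currentByteSize", "locationID", "ontologyRef"})
CONTAINER_RULES = (
    Rule(frozenset({ALL}), frozenset({"RETRIEVE"}), attributes=CONTAINER_ATTRS - {"creator"}),
)

# Suggestion slide: a CSE may UPDATE the AE-ID attribute of an <AE> between 09:00 and 12:00.
# "CSE01" is an assumed CSE-ID; the slide's "12.00am" is read as noon (assumption).
AE_RULES = (
    Rule(frozenset({"CSE01"}), frozenset({"UPDATE"}),
         time_window=(time(9, 0), time(12, 0)), attributes=frozenset({"AE-ID"})),
)

if __name__ == "__main__":
    upgrade = request("dev1", "UPDATE", {"update"})
    tamper = request("dev1", "UPDATE", {"version"})
    print("R1: dev1 may trigger upgrade:", resource_level_permits(R1_FIRMWARE_RULES, upgrade))
    print("R1: dev1 may also rewrite version:", resource_level_permits(R1_FIRMWARE_RULES, tamper))
    print("proposed: dev1 may trigger upgrade:", attribute_level_permits(FIRMWARE_RULES, upgrade))
    print("proposed: dev1 may rewrite version:", attribute_level_permits(FIRMWARE_RULES, tamper))
```

The design choice worth noting is that attribute_level_permits requires every requested attribute to be covered, rather than granting as soon as any rule matches; with that rule, a RETRIEVE on the whole [firmware] or <container> resource by a non-privileged originator is refused outright instead of silently including URL or creator, which is the behaviour the two cases above call for.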