Status Report on Access Control @ TP8

Group Name: WG2
Meeting Date: 2014-01-09
Source: OBERTHUR Technologies
Contact: [email protected]
Agenda Item: Report on Action items
(Decision / Discussion / Information / Other <specify>)

Status

• This status reports the agreed Access Control Terminology and Way Forwards at TP#8 on AC/ACL/RBAC

– Agreed Access Control Terminology in oneM2M-REQ-2013-0429R2
  • The word “Permission” has multiple meanings and is often used interchangeably with “Privilege”, which causes confusion
  • To make a clear distinction between an entity’s privileges and its permissions, definitions of “Access Decision”, “Privilege” and “Access Control Attributes” were agreed

– Agreed Way Forwards in oneM2M-SEC-2013-0083R01
  • Alignment of the RBAC model terminology with the existing oneM2M terminology
    – (RBAC) User => (oneM2M) Originator
    – (RBAC) operations, objects => oneM2M (Hosting CSE resources)
  • Support for ACL and ABAC (Role as an attribute of ABAC)

© 2012 oneM2M Partners <Document number>

Agreed Access Control Definitions

– Access Decision: Authorization reached when an entity’s Privileges, as well as other Access Control Attributes, are evaluated.

– Privilege: Qualification given to an entity that allows a specific operation (e.g. Read/Update) on a specific resource (e.g. an entry in an ACL specifies a privilege, not an Access Decision).
  • Note: In addition to being granted a Privilege, the entity must also satisfy any conditions of the Access Control Attributes.

– Access Control Attributes: Set of parameters of the originator, target resource, and environment against which rules can be evaluated to control access.
  • Note: An example of an Access Control Attribute of the Originator is a role. Examples of Access Control Attributes of the Environment are time, day and IP address. An example of an Access Control Attribute of the targeted resource is its creation time.

=> “Permission” to be replaced by “Privilege”.

Agreed Way Forwards (1/2)

• Attribute-Based Access Control Decisions
  – The set of attributes to be considered for an authorization decision:
    • Access control attributes of the Originator (e.g. role, subscription, …)
    • Access control attributes of the Environment (e.g. time, day, IP address, …)
    • Access control attributes of the requested Resource (e.g. create, …)

• Internal/External Access Control Policy Management
  – Design Internal Access Control Policy Management first
  – Access Control Management component based on Enforcer and Decision
  – FFS whether they are on the same or separate CSEs
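The distinction drawn on the two slides above, a Privilege (ACL entry) that is only one input to an Access Decision, which also evaluates Originator, Environment and Resource attributes, with the Enforcer kept separate from the Decision component, as an added illustration; this is not code from the oneM2M report, and the ACL entries, role name, IP range and time window are constructed for the example:

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Privilege = one ACL entry: a qualification, not yet an Access Decision.
@dataclass(frozen=True)
class Privilege:
    originator: str   # oneM2M Originator (RBAC "User")
    operation: str    # e.g. "Retrieve", "Update"
    resource: str     # resource hosted on the Hosting CSE

# Access Control Attributes evaluated in addition to the privilege.
@dataclass(frozen=True)
class AccessControlAttributes:
    originator_roles: frozenset     # attributes of the Originator (role as an ABAC attribute)
    env_time: datetime              # attributes of the Environment: time, day, ...
    env_ip: str                     # ... and IP address
    resource_created: datetime      # attribute of the target resource

# Attribute rules per operation (constructed policy): each maps attributes -> bool.
ATTRIBUTE_RULES = {
    "Retrieve": [lambda a: ip_address(a.env_ip) in ip_network("10.0.0.0/8"),
                 lambda a: a.resource_created <= a.env_time],
    "Update": [lambda a: "device-admin" in a.originator_roles,
               lambda a: 8 <= a.env_time.hour < 18 and a.env_time.weekday() < 5,
               lambda a: ip_address(a.env_ip) in ip_network("10.0.0.0/8")],
}

def access_decision(acl, originator, operation, resource, attrs):
    """Decision component: grant only if a Privilege exists AND every attribute rule holds."""
    if Privilege(originator, operation, resource) not in acl:
        return False   # no privilege: deny without evaluating attributes
    return all(rule(attrs) for rule in ATTRIBUTE_RULES.get(operation, []))

def enforce(acl, originator, operation, resource, attrs):
    """Enforcer component: asks the Decision component, then allows or blocks the request."""
    return "ALLOW" if access_decision(acl, originator, operation, resource, attrs) else "DENY"

# Constructed ACL of a Hosting CSE for the demo.
SAMPLE_ACL = frozenset({Privilege("AE-temp-01", "Retrieve", "/cse/sensors/temp"),
                        Privilege("AE-temp-01", "Update", "/cse/sensors/temp")})

def demo():
    created = datetime(2014, 1, 1)
    in_hours = AccessControlAttributes(frozenset({"device-admin"}), datetime(2014, 1, 9, 10), "10.1.2.3", created)
    at_night = AccessControlAttributes(frozenset({"device-admin"}), datetime(2014, 1, 9, 22), "10.1.2.3", created)
    return (enforce(SAMPLE_ACL, "AE-temp-01", "Update", "/cse/sensors/temp", in_hours),   # ALLOW
            enforce(SAMPLE_ACL, "AE-temp-01", "Update", "/cse/sensors/temp", at_night),   # DENY: attribute rule fails
            enforce(SAMPLE_ACL, "AE-other", "Retrieve", "/cse/sensors/temp", in_hours))   # DENY: no privilege
```

The second request fails although the Originator holds the Update privilege, which is exactly the case the definitions separate: the ACL entry is a privilege, the decision comes only after the attribute conditions are evaluated.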

Agreed Way Forwards (2/2)

• Delegation using Tokens Concept
  – Delegation is a desirable feature
  – Action Item established
  – Aiming for some support in Rel.1

• (Human) User Concept
  – The (Human) User is not known at the CSE
  – User authorization will be provided through tokens and be transparent to the CSE.

RBAC model aligned with the oneM2M Terminology

[Diagram: the RBAC reference model relabelled with oneM2M terms; recoverable boxes and annotations follow]

– Originator Attributes (Role, etc.)
  • Originator Attributes Assignment (e.g. Role)

– Privileges: approval of a specific operation on a specific resource (OPERATIONS on OBJECTS)
  • Privileges Assignment for Access Decision
  • ARC work is ongoing on Resources (through ACLs). A Resource (or Data) is within an Object; an Operation (e.g. CRUD) is the ability to do something on Objects.
  • Lead ARC + support ALL

– Sessions: originator_sessions, session_attributes

– Authorization Evaluation
  • FFS: Data Structure for decision f(ID, role, Access Rights subscription, service, etc.)
  • Lead SEC + support ALL

– Controlled Access to Permissions
  • Security features before access to resources is granted: Identification, Authentication, Management of assignments and activation (Sessions, Attributes, Privileges, …)
  • Lead SEC

– Hosting CSE