Status Report on Access Control @ TP8
Group Name: WG2
Meeting Date: 2014-01-09
Source: OBERTHUR Technologies
Contact: [email protected]
Decision / Discussion / Information / Other <specify>
Agenda Item: Report on Action items
© 2012 oneM2M Partners
Status
• This status reports the agreed Access Control Terminology and Way Forwards at TP#8 on AC/ACL/RBAC
  – Agreed Access Control Terminology in oneM2M-REQ-2013-0429R2
    • The word "Permission" has multiple meanings and is often used interchangeably with "Privilege", which causes confusion
    • To make a clear distinction between an entity's privileges and its permissions, definitions of "Access Decision", "Privilege" and "Access Control Attributes" were agreed
  – Agreed Way Forwards in oneM2M-SEC-2013-0083R01
    • Alignment of the RBAC model terminology with the existing oneM2M terminology
      – (RBAC) User => (oneM2M) Originator
      – (RBAC) operations, objects => oneM2M (Hosting CSE resources)
    • Support for ACL and ABAC (Role as an attribute of ABAC)
Agreed Access Control Definitions
– Access Decision: Authorization reached when an entity's Privileges, as well as other Access Control Attributes, are evaluated.
– Privilege: Qualification given to an entity that allows a specific operation (e.g. Read/Update) on a specific resource (e.g. an entry in an ACL specifies a privilege, not an Access Decision).
  • Note: In addition to being granted a Privilege, the entity must also satisfy any conditions of the Access Control Attributes.
– Access Control Attributes: Set of parameters of the originator, target resource, and environment against which rules can be evaluated to control access.
  • Note: An example of an Access Control Attribute of the Originator is a role. Examples of Access Control Attributes of the Environment are time, day and IP address. An example of an Access Control Attribute of the targeted resource is its creation time.
=> "Permission" to be replaced by "Privilege".
Agreed Way Forwards (1/2)
• Attribute-Based Access Control Decisions
  – The set of attributes to be considered for an authorization decision:
    • Access control attributes of the Originator (e.g. role, subscription, …)
    • Access control attributes of the Environment (e.g. time, day, IP address, …)
    • Access control attributes of the requested Resource (e.g. create, …)
• Internal / External Access Control Policy Management
  – Design Internal Access Control Policy Management first
  – Access control management component based on an Enforcer and a Decision function
  – FFS whether they are on the same or separate CSEs
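The following is an added example and not code from the oneM2M contribution or its authors. It shows, in working Python, the distinction the two slides above draw: an ACL entry is a Privilege (operation X on resource Y granted to an originator or a role), while the Access Decision is reached only after that Privilege and the Access Control Attribute conditions of originator (role), environment (time of day, source IP) and target resource (creation time) have all been evaluated, with the evaluation split into an Enforcer component and a Decision component. The originator IDs (CAE01, CAE02), the role name, the resource paths and the rule thresholds are constructed for illustration and are not oneM2M-defined identifiers.

```python
"""Added example (not part of the oneM2M contribution): a Privilege is one ACL
entry; an Access Decision is reached only after the Privilege and the Access
Control Attribute conditions are evaluated. Enforcer and Decision are split
into two components. IDs, roles, paths and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Privilege:
    """One ACL entry: subject (originator ID or 'role:<name>') may perform
    one operation on one resource. A privilege, not a decision."""
    subject: str
    operation: str  # CREATE / RETRIEVE / UPDATE / DELETE
    resource: str


@dataclass(frozen=True)
class Request:
    originator: str
    operation: str
    resource: str


@dataclass(frozen=True)
class Attributes:
    """Access Control Attributes of originator, environment and target resource."""
    originator_roles: frozenset
    env_time: datetime
    env_ip: str
    resource_created: datetime


@dataclass
class Policy:
    acl: list                # privileges
    allowed_networks: list   # environment rule: source IP inside one of these
    office_hours: tuple      # environment rule: (first_hour, last_hour_exclusive)
    min_resource_age_s: int  # resource rule: target must be at least this old


class DecisionPoint:
    """Decision component: privilege lookup first, then attribute conditions."""

    def __init__(self, policy: Policy):
        self.policy = policy

    def has_privilege(self, req: Request, attrs: Attributes) -> bool:
        subjects = {req.originator} | {f"role:{r}" for r in attrs.originator_roles}
        return any(p.subject in subjects and p.operation == req.operation
                   and p.resource == req.resource for p in self.policy.acl)

    def failed_conditions(self, attrs: Attributes) -> list:
        failed = []
        lo, hi = self.policy.office_hours
        if not lo <= attrs.env_time.hour < hi:
            failed.append("environment: outside office hours")
        if not any(ip_address(attrs.env_ip) in net for net in self.policy.allowed_networks):
            failed.append("environment: source IP not in allowed network")
        if (attrs.env_time - attrs.resource_created).total_seconds() < self.policy.min_resource_age_s:
            failed.append("resource: created too recently")
        return failed

    def decide(self, req: Request, attrs: Attributes) -> tuple:
        # Without a privilege no attribute value can turn the decision into PERMIT.
        if not self.has_privilege(req, attrs):
            return "DENY", ["no matching privilege"]
        failed = self.failed_conditions(attrs)
        return ("PERMIT", []) if not failed else ("DENY", failed)


class EnforcementPoint:
    """Enforcer component: gathers the attributes for the request, asks the
    Decision component and enforces the answer on the Hosting CSE resource."""

    def __init__(self, pdp: DecisionPoint, roles: dict, resources: dict):
        self.pdp, self.roles, self.resources = pdp, roles, resources

    def handle(self, req: Request, client_ip: str, now: datetime) -> str:
        attrs = Attributes(frozenset(self.roles.get(req.originator, ())), now,
                           client_ip, self.resources[req.resource])
        decision, reasons = self.pdp.decide(req, attrs)
        return "200 OK" if decision == "PERMIT" else "403 Forbidden: " + "; ".join(reasons)


def demo() -> dict:
    """Constructed scenario: the same privileges evaluated under different attributes."""
    policy = Policy(
        acl=[Privilege("CAE01", "RETRIEVE", "/cse/sensor1/data"),
             Privilege("role:operator", "UPDATE", "/cse/sensor1/config"),
             Privilege("role:operator", "UPDATE", "/cse/sensor2/config")],
        allowed_networks=[ip_network("10.0.0.0/8")], office_hours=(8, 18), min_resource_age_s=60)
    pep = EnforcementPoint(DecisionPoint(policy), roles={"CAE02": {"operator"}},
                           resources={"/cse/sensor1/data": datetime(2014, 1, 9, 8, 0),
                                      "/cse/sensor1/config": datetime(2014, 1, 9, 9, 0),
                                      "/cse/sensor2/config": datetime(2014, 1, 9, 9, 59, 30)})
    at, night, ok_ip, bad_ip = datetime(2014, 1, 9, 10, 0), datetime(2014, 1, 9, 22, 0), "10.1.2.3", "192.168.1.5"
    return {
        "permit": pep.handle(Request("CAE01", "RETRIEVE", "/cse/sensor1/data"), ok_ip, at),
        "no_privilege": pep.handle(Request("CAE01", "UPDATE", "/cse/sensor1/data"), ok_ip, at),
        "bad_ip": pep.handle(Request("CAE02", "UPDATE", "/cse/sensor1/config"), bad_ip, at),
        "off_hours": pep.handle(Request("CAE02", "UPDATE", "/cse/sensor1/config"), ok_ip, night),
        "too_new": pep.handle(Request("CAE02", "UPDATE", "/cse/sensor2/config"), ok_ip, at),
    }
```

The ordering inside `decide` is the point of the agreed definitions: the ACL lookup establishes whether a Privilege exists at all, and only then are the attribute conditions applied, so an originator that holds a role with the right ACL entry can still be refused because the request arrives from the wrong network, outside office hours, or against a resource created too recently. The Enforcer is the only component that touches the request and the environment; the Decision component sees nothing but the Request and the Attributes it is handed, which is what lets the two be placed on the same or on separate CSEs later.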
Agreed Way Forwards (2/2)
• Delegation using Tokens Concept
  – Delegation is a desirable feature
  – Action Item established
    • Aiming for some support in Rel.1
• (Human) User Concept
  – The (Human) User is not known at the CSE
  – User authorization will be provided through tokens and is transparent to the CSE.
RBAC model aligned with the oneM2M Terminology
[Figure: block diagram of the RBAC model relabelled with oneM2M terms, placed within the Hosting CSE. Elements recovered from the diagram:]
• Originator Attributes (Role, etc.), set by Originator Attributes Assignment (e.g. Role)
• Privileges = OPERATIONS on OBJECTS: approval of a specific operation on a specific resource (Lead ARC + support ALL)
  – ARC work is ongoing on Resources (through ACLs): a Resource (or Data) is within an Object; an Operation (e.g. CRUD) is the ability to do something on Objects
• Privileges Assignment for Access Decision
• Sessions: originator_sessions, session_attributes
• Authorization Evaluation (Lead SEC + support ALL)
  – FFS: Data Structure for decision f(ID, role, Access Rights subscription, service, etc.)
• Controlled Access to Permissions (Lead SEC): security features before access to resources is granted
  – Identification
  – Authentication
  – Management of assignments and activation: Sessions, Attributes, Privileges
• Hosting CSE