Summary of Access Control Rules Processing

Slides:



Advertisements
Similar presentations
CMDH Refinement Contribution: oneM2M-ARC-0397
Advertisements

Summary on the M2M CMDH Policies Management Object (MCMDHMO)
Access Control Mechanism for User Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: Agenda Item:
Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
Methodology Logical Database Design for the Relational Model
Chapter 4 The Relational Model.
Resource Announcement Procedures Group Name: WG2 Source: Rajesh Bhalla, Hao Wu - ZTE Meeting Date: Agenda Item: TBD.
Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.
IETF DMM WG Mobility Exposure and Selection WT Call#4 Feb 24, 2015.
Module 3: The Relational Model.  Overview Terminology Relational Data Structure Mathematical Relations Database Relations Relational Keys Relational.
Chapter 3 The Relational Model. 2 Chapter 3 - Objectives u Terminology of relational model. u How tables are used to represent data. u Connection between.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Announcement Resources ARC Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: Agenda Item: Input Contribution.
WG-2 - ARC TP #16 Status Report Group Name: oneM2M TP #16 Source: WG2 Chair (Nicolas Damour – Meeting Date: Agenda.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: Agenda Item: SEC#11.4.
Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: Agenda Item: Management.
TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: Agenda Item: ARC11/PRO11.
1 Chapter 17 Methodology - Local Logical Database Design.
Customized Resource Types MAS Group Name: MAS + ARC + PRO WGs Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date:
XML Access Control Koukis Dimitris Padeleris Pashalis.
Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:
SIP working group IETF#70 Essential corrections Keith Drage.
Status Report on Access TP8 Group Name: WG2 Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Node-Specific Resource Group Name: ARC&MAS Source: LGE, Meeting Date: Agenda Item: Contribution.
Ontology Resource Discussion
Discussion on XSD implementation conventions (document number PRO R01) Group Name: PRO Source: Wolfgang Granzow, Meeting.
Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.2,
Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:
OIC INTERWORKING OPERATIONAL PROCEDURE (ADDRESSING AND DISCOVERY) Group Name: Architecture WG Source: Kiran Vedula, Samsung Electronics,
E2EKey Resource Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.3, Agenda Item: End-to-End Security.
WG-2 - ARC TP #18 Status Report Group Name: oneM2M TP #18 Source: WG2 Chair (Nicolas Damour – Meeting Date: Agenda.
PRO/ARC and TST/PRO joint sessions at TP20 Group Name: oneM2M TP20 Source: Peter Niblett, IBM Meeting Date:
Database Systems Logical Data Modelling Tutor:Ian Perry Tel: Web:
Protocol Issues related to Plugtest Group Name: TST Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date: Agenda.
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
End-to-End Primitive Security: Challenges and Suggestions Group Name: SEC WG Source: Qualcomm Inc., Phil Hawkes, Wolfgang Granzow, Josef Blanz Meeting.
ARC / PRO questions Source: Peter Niblett, IBM Date:
M2M Service Session Management (SSM) CSF Group Name: WG2-ARC Source: IDCC, LGE, ZTE Meeting Date: TP8 Agenda Item:
Attribute-level access control Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 16 Agenda Item: TBD.
Clarification of Access Control Mechanism on Rel-1 & Rel-2 Group Name: SEC ( ARC & PRO for information) Source: FUJITSU Meeting Date: Agenda.
Issues of Current Access Control Rule and New Proposal Introduction Group Name: ARC 21 Source: Wei Zhou, Datang, Meeting Date:
Adding Non-blocking Requests Contribution: oneM2M-ARC-0441R01R01 Source: Josef Blanz, Qualcomm UK, Meeting Date: ARC 7.0,
Authorization Architecture Discussion Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: 28 MAY, 2014 Agenda.
Protocol Issues related to Plugtest Group Name: TST Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date: Agenda.
Draft way Forward on Access Control Model and associated Terminology Group Name: SEC Source: Dragan Vujcic, Oberthur Technologies,
CMDH and Policies Contribution: oneM2M-ARC-0603
DM Execute Group Name: WG2/WG5 Source: Jiaxin Yin, Huawei Technologies Co., Ltd., Meeting Date: Agenda Item: TBD.
1 The Relational Data Model David J. Stucki. Relational Model Concepts 2 Fundamental concept: the relation  The Relational Model represents an entire.
Interworking with an External Dynamic Authorization System Group Name: SEC WG Source: Qualcomm Inc., Wolfgang Granzow & Phil Hawkes Meeting Date: SEC#20.1,
[authenticationProfile] <mgmtObj> specialization
oneM2M interop 3 issues and optimizations
CSE Retargeting to AE, IPE, and NoDN Hosted Resources
CSE Retargeting to AE, IPE, and NoDN Hosted Resources
Service Enabled AE (SAE)
End-to-End Security for Primitives
Group multicast fanOut Procedure
2nd Interoperability testing issues
Proposed design principles for modelling interworked devices
Discussions on Heterogeneous Identification Service
oneM2M Service Layer Protocol Version Handling
MAF&MEF Interface Specification discussion of the next steps
ARC Proposed design principles for modelling services, datapoints and operations Group Name: ARC Source: Joerg Swetina, NEC
Considering issues regarding handling token
Overview of E2E Security CRs
CMDH Refinement Contribution: oneM2M-ARC-0397R01
Discussion on XSD open issues
Service Layer Dynamic Authorization [SLDA]
Summary of the MAF and MEF Interface Specification TS-0032
Solution Sets for Equations and Inequalities
Presentation transcript:

Summary of Access Control Rules Processing Group Name: SEC Source: Phil Hawkes, Wolfgang Granzow, Josef Blanz Meeting Date: 2014-05-28 Agenda Item: #10.6

Objective This slide deck describes how the Access Control Rules given in privileges or selfPrivileges attributes can be processed to derive the access decision This presentation is complementary to the proposed text for TS-0003 in contribution SEC-2014-0285R04 We hope this slide deck eases understanding of the proposed terminology, introduced definitions and the access control decision logic, in order to simplify the discussion

Representation of access control rules (1) Each privileges attribute is a set of „access control rules“ (curly brackets are used to denote a set = { ... }) acrs = { acr(1), acr(2), ..., acr(k), ..., acr(K) } Each access control rule acr(k) is represented as an „access-control-rule-tuple“ of three elements: acr(k) = { acr(k)_accessControlOriginators, acr(k)_accessControlOperations, acr(k)_accessControlContexts } accessControlOriginators : set of parameters of any type defined in Table 9.6.2.1-1 Examples: {CSE-ID1, AE-ID1, AE-ID2, entityGroup1, entityGroup2}, {all} AccessControlOperations: set of operations that can be authorized Examples: {Create, Retrieve, Update, Delete, Discover, Notify}, {Retrieve, Discover, Notify}

Representation of access control rules (2) accessControlContexts: a set of M accessControlContext parameters accessControlContexts = { accessControlContext(1), …, accessControlContext(m), …, accessControlContext(M) } accessControlContext: set of context constraints where each context constraint consists of 3 parts: accessControlContext= { accessControlTimeWindows, accessControlLocationRegions, accessControlIpAddresses }

Representation of access control rules (3) accessControlTimeWindows represents a set of time windows in which access is permitted Example: {04:30 – 06:00, 11:30 – 12:30, 22:15 – 00:30} e.g. hours UTC time accessControlLocationRegions represents a set of locations from where access is permitted Example: {geoRegion1, geoRegion2, geoRegion3} accessControlIpAddresses represents a set of permitted IPv4/IPv6 addresses or address blocks Example (IPv4): {212.75.201.105, 88.77.0.0/16, 116.27.123.0/24} NOTE: the exact formats of the above parameter representations are TBD

Processing of Access Control Rules (1) The parameters associated with a request, which are evaluated against the parameters contained in the access control rules (acrs) , are denoted as follows: rq_orig: originator of the request (i.e. URI of the originating entity) rq_op: operation requested (i.e. Create, Retrieve, Update, etc.) rq_time: time when the request was received (e.g. time in hh:mm:ss UTC, exact format TBD) rq_ip: IP address of the originator (i.e. set of IPv4/IPv6 addresses, address blocks or address prefixes) rq_loc: location information about the originating entity (format TBD)

Processing of Access Control Rules (2) Notation: „res_origs(k)“ means: the binary result (TRUE/FALSE or 1/0) of evaluating the originator of a request („rq_orig“) against the accessControlOriginators included in the kth access control rule („acr(k)_accessControlOriginators“). Definition: 1 (TRUE) if rq_orig matches acr(k)_originators res_origs(k) = 0 (FALSE) else

Processing of Access Control Rules (3) 1 (TRUE) if request matches any of the access control rules res_acrs(k) = 0 (FALSE) else Can be derived recursively as follows: res_acrs = res_acr(1) OR res_acr(2) ... OR res_acr(k) … OR res_acr(K) res_acr(k) = res_origs(k) AND res_ops(k) AND res_ctxts(k), k = 1…K Definition set operator „ismember“: 1 (TRUE) if x ∈ SetX ismember(x, SetX) =

Processing of Access Control Rules (4) Then res_origs(k), res_ops(k) and res_ctxts(k) can be derived as: res_origs(k) = ismember(rq_orig, acr(k)_accessControlOriginators) res_ops(k) = ismember(rq_op, acr(k)_ accessControlOperations) res_ctxts(k) = res_context(k, 1) ... OR res_context(k, m) ... OR res_context (k, M_k) where, res_context(k, m) = res_time(k, m) AND res_ip(k, m) AND res_loc (k, m) and (for k = 1…K and m = 1…M_k) res_time(k, m) = ismember(rq_time, acr(k)_accessControlTimeWindows(m)) res_ip(k, m) = ismember(rq_ip, acr(k)_accessControlIpAddresses(m)) res_loc (k, m) = ismember(rq_loc, acr(k)_accessControlLocationRegions(m))

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.