Service Layer Dynamic Authorization [SLDA]

Presentation transcript:

Service Layer Dynamic Authorization [SLDA]
Group Name: SEC WG
Source: InterDigital, Vinod Choyi & Dale Seed
Meeting Date: SEC#20.3, 2015-12-16
Agenda Item: Dynamic Authorization

SLDA Consultation
Upon detecting a lack of ACP privileges for an incoming request, the Hosting CSE may consult with an Authorization Entity to perform SLDA.
Advantage: no impact on the Originator.

SLDA Consultation Flow

1. Start: the Hosting CSE receives an incoming request from the Originator.
2. Does an ACP / DACP exist matching the Originator's request?
   - A matching ACP or DACP exists: perform the request and return the response (End).
   - No: continue with step 3.
3. Does the ACP have a valid Dynamic Authorization Consultation Rule (DACR)?
   - No: reject the request and return the response (End).
   - Yes: the Hosting CSE consults with the designated Authorization Entity.
4. Access privileges granted?
   - No: reject the request and return the response (End).
   - Yes: perform the request and return the response (End). Based on the lifetime of the granted privilege, the Hosting CSE may maintain a Dynamic ACP privilege and use it to authorize subsequent requests from the Originator. Advantage: the Hosting CSE does not need to consult with the Authorization Entity for each and every request.

Definitions:
- Dynamic Authorization Consultation Rule (DACR): describes the rules for enabling dynamic authorization.
- Dynamic Access Control Policy (DACP): counterpart to the static ACP. Contains the authorization that is granted and its validity (i.e. lifetime).

SLDA Consultation Messaging

Originator -> Hosting CSE: Request
Hosting CSE: Request fails ACP checks; Dynamic Authorization Consultation Rule present
Hosting CSE -> Authorization Entity: Dynamic Authorization Consultation Request
    E.g. RETRIEVE http://authorizationEntity.com/consult
    Request Parameters:
    - ID of Request Originator
    - Type of Requested Operation
    - Type of Requested Resource
    - Context of Originator (IP, Location, Role)
    - ID of Requested Resource
    - Proposed Authorization Lifetime
    - ...
Authorization Entity: Dynamic Authorization Decision Making (details out of scope for oneM2M R2)
Authorization Entity -> Hosting CSE: Dynamic Authorization Consultation Response
    Response Parameters:
    - Dynamic Authorization Decision (Granted | Denied)
    - List of Privilege(s)
    - Lifetime of Granted Privilege(s)
    - ...
Hosting CSE: If access granted then perform request, otherwise reject it
Hosting CSE -> Originator: Response
Hosting CSE: (Optional) Maintain privileges until they expire

Note: some of the proposed message parameters can be defined as optional.

SLDA Consultation Messaging Parameters

SLDA Consultation Request Parameters

  Parameter  M/O  Description
  to         M    URI of targeted Authorization Entity
  fr         M    Identifier of the Hosting CSE issuing the SLDA consultation request
  rid        M    Uniquely identifies the request message
  oid        M    Identifier of the Originator of the request received by the Hosting CSE
  ort        M    Type of resource targeted by the originated request received by the Hosting CSE
  oro        M    Type of operation specified in the originated request received by the Hosting CSE
  oip        O    IP address of the Originator of the request received by the Hosting CSE
  oloc       O    Location of the Originator of the request received by the Hosting CSE
  orol       O    Role of the Originator of the request received by the Hosting CSE
  otm        O    Timestamp when the originated request was received by the Hosting CSE
  orid       O    Resource ID targeted by the originated request received by the Hosting CSE
  rlt        O    Proposed lifetime of the authorization privileges requested by the Hosting CSE

SLDA Consultation Response Parameters

  Parameter  M/O  Description
  rsc        M    Response Status Code
  rid        M    Request Identifier
  dad        M    Dynamic Authorization Decision (e.g. GRANTED or DENIED)
  priv       O    List of granted privileges
  plt        O    Lifetime of granted privileges
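To make the two parameter tables concrete, here is an added example (not code from the slides or from oneM2M) that builds a consultation request on the Hosting CSE side, parses it on the Authorization Entity side, and validates the response before the Hosting CSE acts on it. Only the short parameter names, their mandatory/optional status and the GRANTED/DENIED decision values come from the slides; the JSON encoding, the function names, the clamping of the granted lifetime to the proposed rlt, and the sample identifiers are assumptions of this example.

```python
"""Added example, not from the slides: build, parse and validate SLDA
consultation messages against the parameter tables above.

Only the short parameter names (to, fr, rid, oid, ort, oro, oip, oloc, orol,
otm, orid, rlt / rsc, rid, dad, priv, plt), their M/O status and the GRANTED
or DENIED decision values come from the slides.  The JSON encoding, the
function names and the sample identifiers are assumptions of this example.
"""
import json
import secrets
from datetime import datetime, timezone

# Mandatory / optional split as given in the slide's two tables.
REQUEST_MANDATORY = ("to", "fr", "rid", "oid", "ort", "oro")
REQUEST_OPTIONAL = ("oip", "oloc", "orol", "otm", "orid", "rlt")
RESPONSE_MANDATORY = ("rsc", "rid", "dad")
RESPONSE_OPTIONAL = ("priv", "plt")
DECISIONS = ("GRANTED", "DENIED")


def build_consult_request(entity_poa, hosting_cse_id, originator_id,
                          resource_type, operation, **optional):
    """Hosting CSE side: assemble a consultation request.

    entity_poa is the dynAuthzEntityPoA taken from the matching DACR; any
    keyword argument must be one of the optional parameter names.
    """
    unknown = set(optional) - set(REQUEST_OPTIONAL)
    if unknown:
        raise ValueError(f"unknown optional parameters: {sorted(unknown)}")
    request = {
        "to": entity_poa,
        "fr": hosting_cse_id,
        "rid": secrets.token_hex(8),  # fresh per request; correlates the reply
        "oid": originator_id,
        "ort": resource_type,
        "oro": operation,
        # otm defaults to the time the Hosting CSE built the request
        "otm": datetime.now(timezone.utc).isoformat(),
    }
    request.update(optional)
    return request


def encode_message(message):
    """Assumed wire form for this example: compact JSON."""
    return json.dumps(message, separators=(",", ":")).encode()


def parse_consult_request(raw):
    """Authorization Entity side: decode a request and reject malformed ones
    before any decision making starts."""
    request = json.loads(raw)
    if not isinstance(request, dict):
        raise ValueError("consultation request must be a JSON object")
    missing = [p for p in REQUEST_MANDATORY if p not in request]
    if missing:
        raise ValueError(f"request lacks mandatory parameters: {missing}")
    unknown = set(request) - set(REQUEST_MANDATORY) - set(REQUEST_OPTIONAL)
    if unknown:
        raise ValueError(f"request carries unknown parameters: {sorted(unknown)}")
    return request


def validate_consult_response(response, expected_rid, proposed_lifetime):
    """Hosting CSE side: check a consultation response before acting on it.

    Returns (granted, privileges, lifetime_seconds).  A grant is only
    honoured when it is correlated to the outstanding request, carries at
    least one privilege, and its lifetime does not exceed the one the
    Hosting CSE proposed in rlt.
    """
    missing = [p for p in RESPONSE_MANDATORY if p not in response]
    if missing:
        raise ValueError(f"response lacks mandatory parameters: {missing}")
    unknown = set(response) - set(RESPONSE_MANDATORY) - set(RESPONSE_OPTIONAL)
    if unknown:
        raise ValueError(f"response carries unknown parameters: {sorted(unknown)}")
    if response["rid"] != expected_rid:
        raise ValueError("rid does not match the outstanding consultation request")
    if response["dad"] not in DECISIONS:
        raise ValueError(f"unknown dynamic authorization decision: {response['dad']!r}")
    if response["dad"] == "DENIED":
        return False, [], 0
    privileges = list(response.get("priv", []))
    if not privileges:
        # GRANTED with nothing to enforce: treat as no access granted.
        return False, [], 0
    lifetime = min(int(response.get("plt", proposed_lifetime)), proposed_lifetime)
    if lifetime <= 0:
        return False, [], 0
    return True, privileges, lifetime


if __name__ == "__main__":
    # Constructed sample identifiers; 2000 is used here as the success rsc.
    req = build_consult_request("http://authorizationEntity.com/consult", "CSE01",
                                "AE01", "container", "CREATE", orol="sensor", rlt=300)
    seen = parse_consult_request(encode_message(req))
    reply = {"rsc": 2000, "rid": seen["rid"], "dad": "GRANTED", "priv": ["CREATE"], "plt": 600}
    print(validate_consult_response(reply, req["rid"], 300))
```

The validator deliberately refuses a response whose rid does not match the outstanding request, a GRANTED decision that carries no privileges, and a plt larger than the rlt the Hosting CSE proposed; each of those is a case where silently accepting the Authorization Entity's answer would widen access beyond what the Hosting CSE asked for.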

SLDA Consultation Rule Resource

Attributes of <dynAuthzConsultRule>

  dynAuthzEntityPoA  (Multiplicity: L, RW)
      Represents the point of access address to be targeted by the Hosting CSE when making consultation-based dynamic authorization requests (e.g. http://authorizationEntity.com/consult).
  dynAuthzLifetime  (Multiplicity: 1, RW)
      The dynamic authorization lifetime value that the Hosting CSE shall request when making consultation-based dynamic authorization requests.

Linking SLDA Consultation Rule to ACP

Attributes of <accessControlPolicy>

  dynAuthzConsultRuleIDs  (Multiplicity: L, RW)
      Contains a list of identifiers of <dynAuthzConsultRule> resource(s).

Dynamic Access Control Policy Privileges
Following consultation, and based on the lifetime of the dynamically granted access, the Hosting CSE may maintain a Dynamic ACP privilege and use it to authorize subsequent requests from the Originator.
Advantage: the Hosting CSE does not need to consult with the Authorization Entity for each and every request.
Option 1 (Recommended): the Hosting CSE creates a <dynamicAccessControlPolicy> resource (e.g. as a child of the resource being targeted by the Originator).
Option 2: the Hosting CSE dynamically appends new privileges to the existing <accessControlPolicy> resource.
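The consultation flow and the dynamic-privilege caching described above, as an added example that is not code from the slides or from oneM2M: a Hosting CSE that checks the static ACP, then any unexpired dynamic privilege, then the DACR attached to the ACP, and only then consults the Authorization Entity, caching a granted privilege per targeted resource and Originator (Option 1) until its lifetime elapses. The class layout, the injected consult() callback and clock, and the identifiers used in demo() are assumptions of this example; only the ACP, DACR (dynAuthzEntityPoA, dynAuthzLifetime, dynAuthzConsultRuleIDs) and DACP roles come from the slides.

```python
"""Added example, not from the slides: a Hosting CSE that runs the SLDA
consultation flow and keeps dynamically granted privileges until they
expire (Option 1: one dynamic policy per targeted resource and Originator).

Only the ACP, DACR (dynAuthzEntityPoA, dynAuthzLifetime,
dynAuthzConsultRuleIDs) and DACP roles come from the slides.  The class
layout, the injected consult() callback and clock, and the constructed
identifiers in demo() are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class AccessControlPolicy:
    privileges: dict                 # originator id -> set of allowed operations
    dynAuthzConsultRuleIDs: list = field(default_factory=list)


@dataclass
class DynAuthzConsultRule:
    dynAuthzEntityPoA: str           # where the Hosting CSE sends consultations
    dynAuthzLifetime: int            # lifetime (s) the Hosting CSE proposes (rlt)


@dataclass
class DynamicPrivilege:              # cached content of a <dynamicAccessControlPolicy>
    operations: set
    expires_at: float


class HostingCSE:
    def __init__(self, consult, now):
        self.consult = consult       # callable(request dict) -> response dict (dad, priv, plt)
        self.now = now               # callable() -> current time in seconds
        self.acps = {}               # resource id -> AccessControlPolicy
        self.dacrs = {}              # rule id -> DynAuthzConsultRule
        self.dacps = {}              # (resource id, originator) -> DynamicPrivilege
        self.consultations = 0       # how often the Authorization Entity was asked

    def handle(self, originator, operation, resource_id):
        """Return "PERFORMED" or "REJECTED" for one incoming request."""
        acp = self.acps.get(resource_id)
        # 1. Static ACP privilege matches: perform without consulting.
        if acp and operation in acp.privileges.get(originator, ()):
            return "PERFORMED"
        # 2. Unexpired dynamic privilege from an earlier consultation?
        key = (resource_id, originator)
        dacp = self.dacps.get(key)
        if dacp and dacp.expires_at <= self.now():
            del self.dacps[key]      # lifetime elapsed: drop it and consult again
        elif dacp and operation in dacp.operations:
            return "PERFORMED"
        # 3. Does the ACP carry a valid DACR?  If not, reject outright.
        rule_ids = acp.dynAuthzConsultRuleIDs if acp else []
        rule = next((self.dacrs[r] for r in rule_ids if r in self.dacrs), None)
        if rule is None:
            return "REJECTED"
        # 4. Consult the designated Authorization Entity.
        self.consultations += 1
        response = self.consult({
            "to": rule.dynAuthzEntityPoA, "oid": originator, "oro": operation,
            "orid": resource_id, "rlt": rule.dynAuthzLifetime,
        })
        if response.get("dad") != "GRANTED" or not response.get("priv"):
            return "REJECTED"
        # Never cache longer than the lifetime this Hosting CSE proposed.
        lifetime = min(int(response.get("plt", rule.dynAuthzLifetime)), rule.dynAuthzLifetime)
        if lifetime > 0:
            self.dacps[key] = DynamicPrivilege(set(response["priv"]), self.now() + lifetime)
        return "PERFORMED" if operation in response["priv"] else "REJECTED"


def demo():
    """Walk the flow with a constructed Authorization Entity and a fake clock."""
    clock = {"t": 0.0}

    def authz_entity(request):       # constructed decision logic, not oneM2M's
        if request["oid"] == "AE01":
            return {"dad": "GRANTED", "priv": ["RETRIEVE"], "plt": 60}
        return {"dad": "DENIED"}

    cse = HostingCSE(authz_entity, lambda: clock["t"])
    cse.dacrs["dacr1"] = DynAuthzConsultRule("http://authorizationEntity.com/consult", 30)
    cse.acps["/cnt1"] = AccessControlPolicy({"AE02": {"RETRIEVE"}}, ["dacr1"])
    results = [
        cse.handle("AE02", "RETRIEVE", "/cnt1"),  # static ACP: no consultation
        cse.handle("AE01", "RETRIEVE", "/cnt1"),  # consult, granted, cached 30 s (plt 60 clamped)
        cse.handle("AE01", "RETRIEVE", "/cnt1"),  # served from the cached DACP
    ]
    clock["t"] = 31.0                             # past the 30 s lifetime
    results += [
        cse.handle("AE01", "RETRIEVE", "/cnt1"),  # expired: consult again
        cse.handle("AE03", "RETRIEVE", "/cnt1"),  # Authorization Entity denies
        cse.handle("AE01", "DELETE", "/cnt1"),    # granted privileges do not cover DELETE
    ]
    return results, cse.consultations


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the cached privilege is keyed by targeted resource and Originator, which is what Option 1 gives you when the dynamic policy is a child of the targeted resource, and the lifetime stored is the smaller of the Authorization Entity's plt and the rule's dynAuthzLifetime, so a consultation response can never keep a privilege alive longer than the Hosting CSE's own rule allows.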

Proposed Way Forward
Bring in the following TP21 contributions:

TS-0003 (Section 7.1.x): Add Service Layer Dynamic Authorization (SLDA) description: general overview, description, flow of algorithm for SLDA consultation.

TS-0001: New / updated SLDA resources (Section 9.6.x):
  - Updated <accessControlPolicy> resource (dynAuthzConsultRuleIDs)
  - New <dynAuthzConsultRule> resource
  - New <dynamicAccessControlPolicy> resource

TS-0001: New / updated SLDA resource procedures (Section 10.2.x):
  - Procedures for <dynAuthzConsultRule> resource
  - Procedures for <dynamicAccessControlPolicy> resource