Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:
Status This status reflects the discussions of the Ad-Hoc AC/ACL/RBAC calls between TP#7 and TP#8 Contribution submitted © 2012 oneM2M Partners 2 SEC Terminologies and Procedures for RBACFUJITSUDiscussed Revision expected SEC R01 In-Band Access Control FrameworkQualcommDiscussed Revision expected SEC ALU Comments on SEC Alcatel- Lucent Discussed Requirements for approval SEC Draft way Forward on Access control Model and associated Terminology OberthurPostponed
USER concept USER of Application (Application Domain) – Is seen to be out of scope of the oneM2M Access Control Management (User Authentication at AE) – Access Control decision and Security impacts at CSE is to be considered- FFS USER of Service Layer (Service Layer Domain) – Using/Consuming the CSE Service/Resources. – USER as OWNER of the application – USER is Role based (RBAC principle) – Roles Authentication and Authorization at CSE © 2012 oneM2M Partners 3
In/Out Band Access Control In Band Access control – Authentication and Authorization at Service Layer ( CSE ) – FFS for Authorization Enforcement and Decision CSE Out Band Access control – External Authentication and Authorization – E.g.: OAuth, OpenID Both to be supported by oneM2M TBD if both or prioritize one at Rel.1 timeframe © 2012 oneM2M Partners 4
Attribute-Based Access Control RBAC+ABAC – Access Control Decision based on Roles and additional attributes. – Attributes may be characteristics of a role requesting access, as well as attributes of the resources being requested, against a policy that defines who is allowed to receive access and under what conditions Support for ABAC in Rel.2 TBD if needed at Rel.1 timeframe © 2012 oneM2M Partners 5
Delegation Concept Delegated operation – Authorization access to resources are delegated with delegating identity of the Resource Owner – External Authentication and Authorization( outBand access control) done by the Application Server (OAuth, OpenID, etC..). Token based Permission – The Security issues and threats have been raised – Some Security Requirements identified FFS on the use cases. Concept to be in Rel.1 TBD what should be specified at Rel.1 timeframe ? © 2012 oneM2M Partners 6
Where we’re going Approval of specific operation on a specific resource ARC work is ongoing on Resources (through ACLs) Resource (or Data) is within an Object Operation (e.g.: CRUD) is ability to do something on Objects Lead ARC + support ALL Active Entity Attributes OPERA TIONS OBJECTS Privileges (ActE) Active Entity Assignment (PA) Permission Assignment Sess- ions activeEntity_sessions session_attributes Authorization Evaluation FFS: Data Structure for decision f (ID, rôle, Access Rights subscription, service, etc…) Lead SEC + supp.ALL Controlled Access to Permissions Security features before access to resources is granted – Identification, – Authentication – Managemnt of assignments and activation Sessions Attributes Permissions.. Lead SEC Resources of Entity being accessed
(DRAFT) Way
Way Forward Internal /External Access Control Policy Management – Design first Internal Access Control Policy Management – Access control Management component based on Enforcer and Decision. – FFS whether they are on same or separate CSE Attribute-Based Access Control Decisions – The set of attributes that are relevant to an authorization decision Access control attributes of Active Entity/Subject (e.g.: role, …) Access control attributes of Environment (e.g.: Time, Day, IP address,…) Access control attributes of requested Resource (e.g. : create, …)
Way Forward Delegation Concept – Delegation is desirable feature but seems unlikely to be ready for Rel.1 – The security model should allow the delegation concept to be integrated in the later release. User Concept – The value of the User concept is still controversial – Application User concept is out of scope of Rel.1