Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, Meeting Date: 09/12/2013 Agenda Item:

Status This status reflects the discussions of the Ad-Hoc AC/ACL/RBAC calls between TP#7 and TP#8 Contribution submitted © 2012 oneM2M Partners 2 SEC Terminologies and Procedures for RBACFUJITSUDiscussed Revision expected SEC R01 In-Band Access Control FrameworkQualcommDiscussed Revision expected SEC ALU Comments on SEC Alcatel- Lucent Discussed Requirements for approval SEC Draft way Forward on Access control Model and associated Terminology OberthurPostponed

USER concept USER of Application (Application Domain) – Is seen to be out of scope of the oneM2M Access Control Management (User Authentication at AE) – Access Control decision and Security impacts at CSE is to be considered- FFS USER of Service Layer (Service Layer Domain) – Using/Consuming the CSE Service/Resources. – USER as OWNER of the application – USER is Role based (RBAC principle) – Roles Authentication and Authorization at CSE © 2012 oneM2M Partners 3

In/Out Band Access Control In Band Access control – Authentication and Authorization at Service Layer ( CSE ) – FFS for Authorization Enforcement and Decision CSE Out Band Access control – External Authentication and Authorization – E.g.: OAuth, OpenID Both to be supported by oneM2M TBD if both or prioritize one at Rel.1 timeframe © 2012 oneM2M Partners 4

Attribute-Based Access Control RBAC+ABAC – Access Control Decision based on Roles and additional attributes. – Attributes may be characteristics of a role requesting access, as well as attributes of the resources being requested, against a policy that defines who is allowed to receive access and under what conditions Support for ABAC in Rel.2 TBD if needed at Rel.1 timeframe © 2012 oneM2M Partners 5

Delegation Concept Delegated operation – Authorization access to resources are delegated with delegating identity of the Resource Owner – External Authentication and Authorization( outBand access control) done by the Application Server (OAuth, OpenID, etC..). Token based Permission – The Security issues and threats have been raised – Some Security Requirements identified FFS on the use cases. Concept to be in Rel.1 TBD what should be specified at Rel.1 timeframe ? © 2012 oneM2M Partners 6

Where we’re going Approval of specific operation on a specific resource ARC work is ongoing on Resources (through ACLs) Resource (or Data) is within an Object Operation (e.g.: CRUD) is ability to do something on Objects Lead ARC + support ALL User Active Entity Attributes OPERA TIONS OBJECTS Privileges (ActE) Active Entity Assignment (PA) Permission Assignment Sess- ions activeEntity_sessions session_attributes Authorization Evaluation FFS: Data Structure for decision f (ID, rôle, Access Rights subscription, service, etc…) Lead SEC + supp.ALL Controlled Access to Permissions Security features before access to resources is granted – Identification, – Authentication – Managemnt of assignments and activation Sessions Attributes Permissions.. Lead SEC Resources of Entity being accessed