M2M Service Subscription Profile Discussion
Group Name: oneM2M TP #19.2
Source: LG Electronics
Meeting Date:
Agenda Item:
Introduction
To discuss the M2M Service Subscription Profile (SSP):
– Purpose
– Mechanism
– Question
– Discussion Point
© 2015 oneM2M Partners
Purpose of SSP
– App Provider A would like to provide App1 to M2M Service Provider A.
– App Provider A contracts with M2M Service Provider A.
– Based on the criteria (e.g., payment, services required by App1), M2M Service Provider A allows App1 to use only the Location and Data Management services, out of the various services M2M Service Provider A is able to provide.
– M2M Service Provider A needs to allow access when App1 wants to access the Location / Data Management services.
– M2M Service Provider A needs to reject access when App1 wants to access the other services.
– The M2M Service Provider allows/denies access by using the M2M Service Subscription Profile.
(Figure: App Provider A – Contract – M2M Service Provider A)
Mechanism of SSP
– After the contract, M2M Service Provider A configures the M2M Service Subscription Profile in the IN-CSE.
– App1 is allowed to create locationPolicy, container, and contentInstance resources.
– The Registrar CSE checks whether an AE is allowed to create a certain resource type based on the M2M Service Subscription Profile.
– The Registrar CSE is the entry point for accessing the M2M System from the AE's point of view.
– FYI: currently only the Create operation is considered (Rel-1); this can be extended to other operations (Rel-2?).
Mechanism of SSP
(Figure: successful request flow. AE → Registrar CSE → Hosting CSE: Create on Hosting CSE; Registrar CSE checks the M2M Service Subscription Profile; Hosting CSE checks the Access Control Policy; Forward; Perform Operation; Response. The Registrar CSE is the entry point of the oneM2M System.)
Mechanism of SSP
(Figure: rejected request flow. AE → Registrar CSE: Create on Hosting CSE; Registrar CSE checks the M2M Service Subscription Profile; Response (Not Authorized). The request never reaches the Hosting CSE.)
Mechanism of SSP
List of S-Role IDs
What is an S-Role (Service-Role) ID?
– An M2M Service Role is defined as a create permission pertaining to resource types which are associated with an M2M Service. See Annex G for examples of M2M Service Provider defined Service Roles (in the ARC TS).
– In Release 1, only Create requests shall be verified.
Mechanism of SSP
(Figure: contents of the M2M Service Subscription Profile – information on the Node where the AE resides; AE or App information; associated Service Roles.)
Difference between SSP and ACP
M2M Service Subscription Profile vs. Access Control Policy
– The M2M Service Subscription Profile defines who is allowed to access which resource type per operation.
– The Access Control Policy defines who is allowed to access which resource per operation.
– AE1 being allowed to create / retrieve / update / delete the container resource type doesn't mean AE1 has permission to access all containers.
(Figure: three containers with separate access control policies – container1: AE1 allowed to retrieve / update / delete; container2: AE2 allowed to retrieve; container3: AE1/2 allowed to retrieve.)
Question
Why are both the M2M Service Subscription Profile and the Access Control Policy used for access control in Release 1?
– Example:
– Based on the contract, the M2M Service Provider would like to allow App A to use the Location and Data Management services, so it gives AE1 (App A) access rights by configuring an Access Control Policy.
– The M2M Service Provider would like to allow App B to use the Device Management and Data Management services, so it gives AE2 (App B) access rights by configuring an Access Control Policy.
– If AE2 gives access rights to AE1 for Data Management, AE1 can also do Device Management (see the example below).
(Figure: CSE1 node. 1. AE1 creates a resource for Device Management; 2. AE1 gives AE2 access rights to this resource by creating/updating an ACP; 3. AE2 can do Device Management.)
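The two-layer check described on the "Difference between SSP and ACP" and "Question" slides, as an added toy model that is not part of this contribution or of any oneM2M specification: the Registrar CSE decides Create requests by resource type from the subscription profile, the Hosting CSE decides by individual resource from the ACP, and because the Release-1 SSP check covers Create only, an ACP grant on an existing resource is honoured regardless of the grantee's Service Roles. All role, AE and resource names (including mgmtObj as the device-management resource type) are assumptions made for the illustration.

```python
# Toy model of the two authorization layers on the slides (constructed example).
# Resource-type and role names are assumptions made for illustration only.

# M2M Service Subscription Profile, configured in the IN-CSE after the contract:
# which S-Roles (Service Roles) an AE holds, and which resource types each
# S-Role permits the AE to create.
S_ROLES = {
    "LocationService": {"locationPolicy"},
    "DataManagement": {"container", "contentInstance"},
    "DeviceManagement": {"mgmtObj"},  # assumed name of a device-management resource
}
SSP = {
    "AE1": {"LocationService", "DataManagement"},   # App A
    "AE2": {"DeviceManagement", "DataManagement"},  # App B
}

# Access Control Policies on the Hosting CSE: per resource, who may do what.
ACP = {
    "cseBase":    {"AE1": {"create"}, "AE2": {"create"}},
    "node1":      {"AE2": {"create"}},
    "container1": {"AE1": {"retrieve", "update", "delete"}},
    "container2": {"AE2": {"retrieve"}},
    "container3": {"AE1": {"retrieve"}, "AE2": {"retrieve"}},
}

def ssp_allows_create(originator, resource_type):
    """Registrar CSE check (Release 1: Create only, decided by resource type)."""
    return any(resource_type in S_ROLES[r] for r in SSP.get(originator, ()))

def acp_allows(originator, resource, operation):
    """Hosting CSE check: per individual resource and operation."""
    return operation in ACP.get(resource, {}).get(originator, set())

def handle_request(originator, operation, target, resource_type=None):
    """Request path of the flow slides: SSP first (Create only), then ACP.
    For Create, `target` is the parent resource; otherwise the resource itself."""
    if operation == "create":
        if not ssp_allows_create(originator, resource_type):
            return "Not Authorized (SSP)"       # rejected at the Registrar CSE
    if not acp_allows(originator, target, operation):
        return "Not Authorized (ACP)"           # rejected at the Hosting CSE
    return "Created" if operation == "create" else "OK"

def grant(resource, grantee, operations):
    """An ACP update: give `grantee` the listed operations on `resource`."""
    ACP.setdefault(resource, {}).setdefault(grantee, set()).update(operations)
```

Granting AE1 "update" on a mgmtObj that AE2 created makes AE1's update succeed even though AE1 holds no DeviceManagement role, which is the situation the question on this slide raises.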
Discussion Point
Differentiation of S-Role and Role Based Access Control
– We need to differentiate Role Based Access Control from S-Role.
Ambiguity in the M2M Service Subscription Profile
– How to handle it? Make it clear? Completely remove the concept?