Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft way Forward on Access Control Model and associated Terminology Group Name: SEC Source: Dragan Vujcic, Oberthur Technologies,

Published byBlaze Heath Modified over 8 years ago

Similar presentations

Presentation on theme: "Draft way Forward on Access Control Model and associated Terminology Group Name: SEC Source: Dragan Vujcic, Oberthur Technologies,"— Presentation transcript:

1 Draft way Forward on Access Control Model and associated Terminology Group Name: SEC Source: Dragan Vujcic, Oberthur Technologies, v.dragan@oberthur.com Meeting Date: 26/11/2013 Agenda Item:

2 Where we are ACTION1: – FFS relationship between AR/ACL and other security mechanisms such as authentication and authorization (lead WG4) ACTION2: – FFS relationship between RBAC and AR/ACL. Can RBAC be implemented by means of AR/ACL? (lead WG2, WG5 – Support WG4) Current Way forward – Step by step approach, starts with simple access control scheme that captures the features of the group based access control and access control settings. – Simple RBAC, FFS whether it applies for all nodes or not © 2012 oneM2M Partners 2

3 Simple (Core/FLAT) RBAC Many-to-many relationship among users, roles and privileges Session is a mapping between a user and an activated subset of assigned roles User/role relations can be defined independent of role/privilege relations Privileges are service/application dependent Accommodates traditional but robust group-based access control Operations : Read /Write, Execute, View, Update, Create,etc… Objects: Data base, File, Directory, Table, etc… USERS ROLES OPERA TIONS OBJECTS Permissions Privileges (UA) User Assignment (PA) Permission Assignment Sess- ions user_sessionssession_roles Reference: [ANSI/INCITS 359, Role Based Access Control] Permissions

4 Privileges & Permissions USERS ROLES OPERA TIONS OBJECTS Permissions Privileges (UA) User Assignment (PA) Permission Assignment Sess- ions user_sessionssession_roles Permissions The terms Privilege and Permission are often used interchangeably. Foundation of the Trust Management is to make clear distinction between an entity’s privileges and its permissions – Privilege is an authority given to an entity that approves a specific operation on a specific resource (e.g.: an entry in ACL specifies a privilege, not a permission). – Permission, is a value reached when an Entity’s privileges, as well as other of its attributes, are evaluated. If an entity has been granted a privilege does not necessarily mean that it is able at a given time to perform the associated operation on the associated objects (or resources)

5 Proposed RBAC Terminology USERS ROLES OPERA TIONS OBJECTS Privileges (UA) User Assignment (PA) Permission Assignment Sess- ions user_sessions session_roles Active Entity ( or The Subject is the Actor or automated agent ) AE CSE (IN, MN, ASN) AND (?) Accessed Entity ( or Controlled Activity or Passive Entity ) AE (?) CSE (IN, MN, ASN) AND (?) Role of Active Entity Attribute based FFS = f (ID, subscription, service, etc…)

6 (Draft) way forward oneM2M RBAC Model & Terminology Active Entity Attributes OPERA TIONS OBJECTS Privileges (ActE) Active Entity Assignment (PA) Permission Assignment Sess- ions activeEntity_sessions session_attributes Terminology: – Active entity: Entity (e.g.: AE, CSE (IN, MN, ASN), AND ) that requests access the resources. The Active entity is the subject/actor. – Accessed entity: Entity (e.g.: AE, CSE (IN, MN, ASN), AND ) being accessed for its objects or data within an object and its operations – Privilege is an authority given to an entity that approves a specific operation on a specific resource (e.g.: an entry in ACL specifies a privilege, not a permission). – Permission, is a value reached when an Entity’s privileges, as well as other of its attributes, are evaluated. – Attributes: Set of parameters to control access to resources by evaluating rules against the attributes of the entities (active and and accessed) for allowed actions Accessed Entity

7 Where we’re going Approval of specific operation on a specific resource ARC work is ongoing on Resources (through ACLs) Resource (or Data) is within an Object Operation such as CRUD is ability to do something on Objects Lead ARC + support ALL Active Entity Attributes OPERA TIONS OBJECTS Privileges (ActE) Active Entity Assignment (PA) Permission Assignment Sess- ions activeEntity_sessions session_attributes Authorization Evaluation FFS: Data Structure of Attributes f (ID, subscription, service, etc…) Lead SEC + ALL Controlled Access to Permissions Security features before access to resources is granted – Identification, – Authentication – Managemnt of assignments and activation Sessions Attributes Permissions.. Lead SEC Accessed Entity

Download ppt "Draft way Forward on Access Control Model and associated Terminology Group Name: SEC Source: Dragan Vujcic, Oberthur Technologies,"

Similar presentations

Access Control Mechanism Discussion

Access Control Mechanism Discussion
SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: 2014-05-07 Discussion  Source: OBERTHUR Technologies Information  Contact:

SEC Clarification Group Name: WG4 (SEC-2014-xxxx) Decision  Meeting Date: Discussion  Source: OBERTHUR Technologies Information  Contact:
Access Control Mechanism for User Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: 2013-12-9 Agenda Item:

Access Control Mechanism for User Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: Agenda Item:
Problem of Current Notification Group Name: ARC WG Source: Heedong Choi, LG Electronics, Meeting Date: ARC 9.0 Agenda Item: TBD.

Problem of Current Notification Group Name: ARC WG Source: Heedong Choi, LG Electronics, Meeting Date: ARC 9.0 Agenda Item: TBD.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.

Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.

Secure Systems Research Group - FAU Patterns for access control E.B. Fernandez.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
Service Layer Session Management Group Name: WG2-ARC Source: IDCC, LGE, ZTE Meeting Date: TP16 Agenda Item:

Service Layer Session Management Group Name: WG2-ARC Source: IDCC, LGE, ZTE Meeting Date: TP16 Agenda Item:
Secure Information Sharing. Role-Based Access Control USERSROLES SESSIONS OPSOBS PRMS session_rolesuser_session User Assignment (UA) Permission Assignment.

Secure Information Sharing. Role-Based Access Control USERSROLES SESSIONS OPSOBS PRMS session_rolesuser_session User Assignment (UA) Permission Assignment.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 4: Access Control.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.

Authentication and authorization Access control consists of two steps, authentication and authorization. Subject Do operation Reference monitor Object.
Li Xiong CS573 Data Privacy and Security Access Control.

Li Xiong CS573 Data Privacy and Security Access Control.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Method of Converting Resource definitions into XSD Group Name: WG3 (PRO) Source: Shingo Fujimoto, FUJITSU, Meeting Date:

Method of Converting Resource definitions into XSD Group Name: WG3 (PRO) Source: Shingo Fujimoto, FUJITSU, Meeting Date:
On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,

On Persistent AE Identifiers Group Name: SEC#12.2 Source: Phil Hawkes, Qualcomm Inc (TIA), Francois Ennesser,
2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

2-levels Access control for HTTP binding Group Name: WG4 (& WG2/WG3 for information) Source: Shingo Fujimoto, FUJITSU, Meeting.

Similar presentations

Ads by Google