Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary of Access Control Rules Processing

Published byAdela Norris Modified over 6 years ago

Similar presentations

Presentation on theme: "Summary of Access Control Rules Processing"— Presentation transcript:

1 Summary of Access Control Rules Processing
Group Name: SEC Source: Phil Hawkes, Wolfgang Granzow, Josef Blanz Meeting Date: Agenda Item: #10.6

2 Objective This slide deck describes how the Access Control Rules given in privileges or selfPrivileges attributes can be processed to derive the access decision This presentation is complementary to the proposed text for TS-0003 in contribution SEC R04 We hope this slide deck eases understanding of the proposed terminology, introduced definitions and the access control decision logic, in order to simplify the discussion

3 Representation of access control rules (1)
Each privileges attribute is a set of „access control rules“ (curly brackets are used to denote a set = { ... }) acrs = { acr(1), acr(2), ..., acr(k), ..., acr(K) } Each access control rule acr(k) is represented as an „access-control-rule-tuple“ of three elements: acr(k) = { acr(k)_accessControlOriginators, acr(k)_accessControlOperations, acr(k)_accessControlContexts } accessControlOriginators : set of parameters of any type defined in Table Examples: {CSE-ID1, AE-ID1, AE-ID2, entityGroup1, entityGroup2}, {all} AccessControlOperations: set of operations that can be authorized Examples: {Create, Retrieve, Update, Delete, Discover, Notify}, {Retrieve, Discover, Notify}

4 Representation of access control rules (2)
accessControlContexts: a set of M accessControlContext parameters accessControlContexts = { accessControlContext(1), …, accessControlContext(m), …, accessControlContext(M) } accessControlContext: set of context constraints where each context constraint consists of 3 parts: accessControlContext= { accessControlTimeWindows, accessControlLocationRegions, accessControlIpAddresses }

5 Representation of access control rules (3)
accessControlTimeWindows represents a set of time windows in which access is permitted Example: {04:30 – 06:00, 11:30 – 12:30, 22:15 – 00:30} e.g. hours UTC time accessControlLocationRegions represents a set of locations from where access is permitted Example: {geoRegion1, geoRegion2, geoRegion3} accessControlIpAddresses represents a set of permitted IPv4/IPv6 addresses or address blocks Example (IPv4): { , /16, /24} NOTE: the exact formats of the above parameter representations are TBD

6 Processing of Access Control Rules (1)
The parameters associated with a request, which are evaluated against the parameters contained in the access control rules (acrs) , are denoted as follows: rq_orig: originator of the request (i.e. URI of the originating entity) rq_op: operation requested (i.e. Create, Retrieve, Update, etc.) rq_time: time when the request was received (e.g. time in hh:mm:ss UTC, exact format TBD) rq_ip: IP address of the originator (i.e. set of IPv4/IPv6 addresses, address blocks or address prefixes) rq_loc: location information about the originating entity (format TBD)

7 Processing of Access Control Rules (2)
Notation: „res_origs(k)“ means: the binary result (TRUE/FALSE or 1/0) of evaluating the originator of a request („rq_orig“) against the accessControlOriginators included in the kth access control rule („acr(k)_accessControlOriginators“). Definition: 1 (TRUE) if rq_orig matches acr(k)_originators res_origs(k) = 0 (FALSE) else

8 Processing of Access Control Rules (3)
1 (TRUE) if request matches any of the access control rules res_acrs(k) = 0 (FALSE) else Can be derived recursively as follows: res_acrs = res_acr(1) OR res_acr(2) OR res_acr(k) … OR res_acr(K) res_acr(k) = res_origs(k) AND res_ops(k) AND res_ctxts(k), k = 1…K Definition set operator „ismember“: 1 (TRUE) if x ∈ SetX ismember(x, SetX) =

9 Processing of Access Control Rules (4)
Then res_origs(k), res_ops(k) and res_ctxts(k) can be derived as: res_origs(k) = ismember(rq_orig, acr(k)_accessControlOriginators) res_ops(k) = ismember(rq_op, acr(k)_ accessControlOperations) res_ctxts(k) = res_context(k, 1) ... OR res_context(k, m) ... OR res_context (k, M_k) where, res_context(k, m) = res_time(k, m) AND res_ip(k, m) AND res_loc (k, m) and (for k = 1…K and m = 1…M_k) res_time(k, m) = ismember(rq_time, acr(k)_accessControlTimeWindows(m)) res_ip(k, m) = ismember(rq_ip, acr(k)_accessControlIpAddresses(m)) res_loc (k, m) = ismember(rq_loc, acr(k)_accessControlLocationRegions(m))

Download ppt "Summary of Access Control Rules Processing"

Similar presentations

CMDH Refinement Contribution: oneM2M-ARC-0397

CMDH Refinement Contribution: oneM2M-ARC-0397
Summary on the M2M CMDH Policies Management Object (MCMDHMO)

Summary on the M2M CMDH Policies Management Object (MCMDHMO)
Access Control Mechanism for User Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: 2013-12-9 Agenda Item:

Access Control Mechanism for User Group Name: SEC WG Source: Seongyoon Kim, LG Electronics, Meeting Date: Agenda Item:
Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.

Problem of non-Blocking Synchronous mode Group Name: ARC WG Source: Yuan Tao, Mitch Tseng, Huawei Technologies Meeting Date: ARC 15.0 Agenda Item: TBD.
Methodology Logical Database Design for the Relational Model

Methodology Logical Database Design for the Relational Model
Chapter 4 The Relational Model.

Chapter 4 The Relational Model.
Resource Announcement Procedures Group Name: WG2 Source: Rajesh Bhalla, Hao Wu - ZTE Meeting Date: 2014-03-20 Agenda Item: TBD.

Resource Announcement Procedures Group Name: WG2 Source: Rajesh Bhalla, Hao Wu - ZTE Meeting Date: Agenda Item: TBD.
Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.

Systems Architecture I1 Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus so that they.
IETF DMM WG Mobility Exposure and Selection WT Call#4 Feb 24, 2015.

IETF DMM WG Mobility Exposure and Selection WT Call#4 Feb 24, 2015.
Module 3: The Relational Model.  Overview Terminology Relational Data Structure Mathematical Relations Database Relations Relational Keys Relational.

Module 3: The Relational Model.  Overview Terminology Relational Data Structure Mathematical Relations Database Relations Relational Keys Relational.
Chapter 3 The Relational Model. 2 Chapter 3 - Objectives u Terminology of relational model. u How tables are used to represent data. u Connection between.

Chapter 3 The Relational Model. 2 Chapter 3 - Objectives u Terminology of relational model. u How tables are used to represent data. u Connection between.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-19 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Announcement Resources ARC-2014-1255-Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: 2014-04-07 Agenda Item: Input Contribution.

Announcement Resources ARC Announcement_Issues Group Name: WG2 Source: Barbara Pareglio, NEC Meeting Date: Agenda Item: Input Contribution.
WG-2 - ARC TP #16 Status Report Group Name: oneM2M TP #16 Source: WG2 Chair (Nicolas Damour – Meeting Date: 2015-03-27 Agenda.

WG-2 - ARC TP #16 Status Report Group Name: oneM2M TP #16 Source: WG2 Chair (Nicolas Damour – Meeting Date: Agenda.
In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: 2013-11-26 Agenda Item:

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:
Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: 2014-07-15 Agenda Item: SEC#11.4.

Answer the Questions Regarding Pending Issues on Access Control Group Name: WG4 SEC Source: LG Electronics Meeting Date: Agenda Item: SEC#11.4.
Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: 2014-04-07 Agenda Item: Management.

Management of CMDH Policies Group Name: WG5-MAS Source: Wolfgang Granzow, Qualcomm, Meeting Date: Agenda Item: Management.
TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: 2014-06-07 Agenda Item: ARC11/PRO11.

TS0001 Identifiers way forward Group Name: WG2 Source: Elloumi, Foti, Scarrone, Lu (tbc), Jeong (tbc) Meeting Date: Agenda Item: ARC11/PRO11.
1 Chapter 17 Methodology - Local Logical Database Design.

1 Chapter 17 Methodology - Local Logical Database Design.
Customized Resource Types MAS-2015-0626 Group Name: MAS + ARC + PRO WGs Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date:

Customized Resource Types MAS Group Name: MAS + ARC + PRO WGs Source: Wolfgang Granzow, Qualcomm Inc., Meeting Date:

Similar presentations

Ads by Google