Download presentation
Presentation is loading. Please wait.
1
Service Layer Dynamic Authorization [SLDA]
Group Name: SEC WG Source: InterDigital., Vinod Choyi & Dale Seed Meeting Date: SEC#20.3, Agenda Item: Dynamic Authorization
2
SLDA Consultation Upon detection of lack of ACP privileges for an incoming request, Hosting CSE may consult with Authorization Entity to perform SLDA Advantage: No impact on Originator
3
SLDA Consultation Flow
Start Receive Incoming Request from Originator Yes Does ACP / DACP exist matching Originator’s Request? ACP No DACP No Does ACP have Valid Dynamic Authorization Consultation Rule (DACR)? DACR Yes Hosting CSE Consults with Designated Authorization Entity Based on lifetime of granted privilege, Hosting CSE may maintain Dynamic ACP privilege and use it to authorize subsequent requests from Originator. Advantage: Hosting CSE does not need to consult with Authorization Entity for each and every request. No Access Privileges Granted? Yes Reject Request and Return Response Dynamic Authorization Consultation Rule (DACR): Describes rules for enabling dynamic authorization Dynamic Access Control Policy (DACP): Counterpart to the static ACP. Contains the authorization that is granted and its validity (i.e. lifetime) End Perform the Request and Return Response End
4
SLDA Consultation Messaging
Originator Hosting CSE Authorization Entity Request Request fails ACP checks Dynamic Authorization Consultation Rule Present Dynamic Authorization Consultation Request E.g. RETRIEVE Request Parameters: - ID of Request Originator - Type of Requested Operation - Type of Requested Resource - Context of Originator (IP, Location, Role) - ID of Requested Resource - Proposed Authorization Lifetime - … Dynamic Authorization Decision Making (Details out of scope for oneM2M R2) Dynamic Authorization Consultation Response Response Parameters: - Dynamic Authorization Decision (Granted | Denied) - List of Privilege(s) - Lifetime of Granted Privilege(s) - … If Access Granted Then Perform Request Otherwise Reject It Response (Optional) Maintain privileges until they expire Note – Some of the proposed message parameters can be defined as optional.
5
SLDA Consultation Messaging Parameters
SLDA Consultation Request Parameters SLDA Consultation Response Parameters Parameter Description Mandatory/ Optional to URI of targeted Authorization Entity M fr Identifier of the Hosting CSE issuing SLDA consultation request rid Uniquely identifies request message oid Identifier of the Originator of the request received by the Hosting CSE ort Type of resource targeted by originated request received by Hosting CSE oro Type of operation specified in originated request received by Hosting CSE oip IP address of Originator of request received by Hosting CSE O oloc Location of Originator of request received by Hosting CSE orol Role of Originator of request received by Hosting CSE otm Timestamp when originated request was received by Hosting CSE orid Resource ID targeted by originated request received by Hosting CSE rlt Proposed lifetime of authorization privileges requested by the Hosting CSE Parameter Description Mandatory/ Optional rsc Response Status Code M rid Request Identifier dad Dynamic Authorization Decision (e.g. GRANTED or DENIED) priv List of granted privileges O plt Lifetime of granted privileges
6
SLDA Consultation Rule Resource
Attributes of <dynAuthzConsultRule> Multiplicity RW/ RO/ WO Description dynAuthzEntityPoA L RW Represents point of access address to be targeted by the Hosting CSE when making consultation based dynamic authorization requests (e.g. dynAuthzLifetime 1 The dynamic authorization lifetime value that the Hosting CSE shall request when making consultation based dynamic authorization requests.
7
Linking SLDA Consultation Rule to ACP
Attributes of <accessControlPolicy> Multiplicity RW/ RO/ WO Description dynAuthzConsultRuleIDs L RW Contains a list of identifiers of <dynAuthzConsultRule> resource(s)
8
Dynamic Access Control Policy Privileges
Following consultation and based on lifetime of dynamically granted access, Hosting CSE may maintain Dynamic ACP privilege and use it to authorize subsequent requests from Originator. Advantage: Hosting CSE does not need to consult with Authorization Entity for each and every request. Option 1 (Recommended) – Hosting CSE creates a <dynamicAccessControlPolicy> resource. (E.g. as a child of the resource being targeted by Originator) Option 2 – Hosting CSE dynamically appends new privileges to existing <accessControlPolicy> Resource
9
Proposed Way Forward Bring in the following TP21 Contributions
TS-0003 (Section 7.1.x) Add Service Layer Dynamic Authorization (SLDA) Description General overview, description, flow of algorithm for SLDA consultation TS-0001 New / Updated SLDA Resources (Section 9.6.x) Updated <acccessControlPolicy> Resource (dynAuthzConsultRuleIDs) New <dynAuthzConsultRule> Resource New <dynamicAccessControlPolicy> Resource New/Updated SLDA Resource Procedures (Section 10.2.x) Procedures for <dynAuthzConsultRule> Resource Procedures for <dynamicAccessControlPolicy> Resource
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.