
Page 1: Access Control Status Report Group Name: ARC/SEC Source: Dragan Vujcic, Oberthur Technologies, v.dragan@oberthur.com Meeting Date: 09/12/2013 Agenda Item:

Access Control Status Report

Group Name: ARC/SEC
Source: Dragan Vujcic, Oberthur Technologies, v.dragan@oberthur.com
Meeting Date: 09/12/2013
Agenda Item:

Page 2:

Status

• This status reflects the discussions of the Ad-Hoc AC/ACL/RBAC calls between TP#7 and TP#8
• Contribution submitted

© 2012 oneM2M Partners<Document number>


Document         | Title                                                                | Source         | Status    | Next step
SEC-2013-0056    | Terminologies and Procedures for RBAC                                | FUJITSU        | Discussed | Revision expected
SEC-2013-0060R01 | In-Band Access Control Framework                                     | Qualcomm       | Discussed | Revision expected
SEC-2013-0063    | ALU Comments on SEC-2013-0056                                        | Alcatel-Lucent | Discussed | Requirements for approval
SEC-2013-0061    | Draft Way Forward on Access Control Model and associated Terminology | Oberthur       | Postponed |

Page 3:

USER concept

• USER of Application (Application Domain)
  – Is seen to be out of scope of the oneM2M Access Control Management (User Authentication at AE)
  – Access Control decision and Security impacts at CSE is to be considered – FFS
• USER of Service Layer (Service Layer Domain)
  – Using/Consuming the CSE Service/Resources
  – USER as OWNER of the application
  – USER is Role based (RBAC principle)
  – Roles Authentication and Authorization at CSE


Page 4:

In/Out Band Access Control

• In Band Access control
  – Authentication and Authorization at Service Layer (CSE)
  – FFS for Authorization Enforcement and Decision CSE
• Out Band Access control
  – External Authentication and Authorization
  – E.g.: OAuth, OpenID

Both to be supported by oneM2M. TBD if both, or prioritize one, at Rel.1 timeframe.


Page 5:

Attribute-Based Access Control

• RBAC+ABAC
  – Access Control Decision based on Roles and additional attributes.
  – Attributes may be characteristics of a role requesting access, as well as attributes of the resources being requested, evaluated against a policy that defines who is allowed to receive access and under what conditions.

Support for ABAC in Rel.2. TBD if needed at Rel.1 timeframe.


Page 6:

Delegation Concept

• Delegated operation
  – Authorization access to resources is delegated with the delegating identity of the Resource Owner
  – External Authentication and Authorization (out-band access control) done by the Application Server (OAuth, OpenID, etc.). Token based Permission
  – The Security issues and threats have been raised
  – Some Security Requirements identified

FFS on the use cases. Concept to be in Rel.1. TBD what should be specified at Rel.1 timeframe?


Page 7:

Where we’re going

Approval of specific operation on a specific resource

ARC work is ongoing on Resources (through ACLs):
– Resource (or Data) is within an Object
– Operation (e.g.: CRUD) is ability to do something on Objects
(Lead ARC + support ALL)

[Diagram: access control model. Active Entity (ActE) → Active Entity Assignment → Attributes → Permission Assignment (PA) → Privileges, where a Privilege is an OPERATION on an OBJECT. Sessions (activeEntity_sessions, session_attributes) feed the Authorization Evaluation, which guards the Resources of the Entity being accessed.]

Authorization Evaluation (Lead SEC + support ALL)
– FFS: Data Structure for decision f (ID, role, Access Rights subscription, service, etc.)

Controlled Access to Permissions (Lead SEC)
• Security features before access to resources is granted
  – Identification
  – Authentication
  – Management of assignments and activation
    • Sessions
    • Attributes
    • Permissions

Page 8:

(DRAFT) Way Forwards @TP#8

Page 9:

Way Forward

• Internal/External Access Control Policy Management
  – Design first Internal Access Control Policy Management
  – Access control Management component based on Enforcer and Decision
  – FFS whether they are on same or separate CSE
• Attribute-Based Access Control Decisions
  – The set of attributes that are relevant to an authorization decision:
    • Access control attributes of Active Entity/Subject (e.g.: role, …)
    • Access control attributes of Environment (e.g.: Time, Day, IP address, …)
    • Access control attributes of requested Resource (e.g.: create, …)
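As an added illustration (not part of this status report or of any oneM2M deliverable), the Python sketch below puts three of the slides into running code: the RBAC+ABAC decision of page 5, the Sessions / Permission Assignment / Authorization Evaluation model of page 7, and the Enforcer/Decision split with the three attribute classes (subject, environment, resource) listed just above. Every name in it is an assumption made for the example: the `Request`, `Permission`, `DecisionPoint` and `EnforcementPoint` classes, the `operator` and `owner` roles, the `/cse/app1/...` resource paths, the 10.0.0.0/8 network and the business-hours window are all constructed values, not oneM2M identifiers.

```python
"""Added illustration of an RBAC+ABAC decision point behind an enforcement point.
All names, roles, paths and policy values are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, List, Tuple

# Assumed operation set (the slides mention CRUD operations on objects).
OPERATIONS = {"CREATE", "RETRIEVE", "UPDATE", "DELETE"}


@dataclass(frozen=True)
class Request:
    """Attributes of one request: the active entity (roles activated in its session),
    the environment (source IP, time) and the requested resource/operation."""
    active_entity: str
    session_roles: FrozenSet[str]
    operation: str
    resource: str        # assumed resource path on the CSE, e.g. "/cse/app1/sensors/temp"
    source_ip: str
    time: datetime


Condition = Callable[[Request], bool]


@dataclass
class Permission:
    """Permission Assignment: a role may perform an operation on a resource subtree,
    subject to attribute-based conditions layered on top of the role check."""
    role: str
    operation: str
    resource_prefix: str
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        return (self.role in req.session_roles
                and self.operation == req.operation
                and req.resource.startswith(self.resource_prefix)
                and all(cond(req) for cond in self.conditions))


def business_hours(start: int = 8, end: int = 18) -> Condition:
    """Environment attribute: hour of day must fall inside [start, end)."""
    return lambda req: start <= req.time.hour < end


def from_network(cidr: str) -> Condition:
    """Environment attribute: source IP must belong to the given network."""
    net = ip_network(cidr)
    return lambda req: ip_address(req.source_ip) in net


class DecisionPoint:
    """Access Control Decision component: evaluates a request against the policy."""
    def __init__(self, policy: List[Permission]):
        self.policy = policy

    def decide(self, req: Request) -> Tuple[bool, str]:
        if req.operation not in OPERATIONS:
            return False, "unknown operation"
        for perm in self.policy:
            if perm.matches(req):
                return True, f"permitted by role {perm.role}"
        return False, "no matching permission"   # default deny


class EnforcementPoint:
    """Access Control Enforcer: fronts the resource and only relays the decision."""
    def __init__(self, pdp: DecisionPoint):
        self.pdp = pdp

    def handle(self, req: Request) -> str:
        permitted, reason = self.pdp.decide(req)
        verdict = "ALLOW" if permitted else "DENY"
        return f"{verdict} {req.operation} {req.resource} ({reason})"


def build_example_policy() -> DecisionPoint:
    """Constructed policy: operators may read sensor data only from 10.0.0.0/8 during
    business hours; the application owner has unconditional CRUD on its own subtree."""
    owner_rules = [Permission("owner", op, "/cse/app1/") for op in sorted(OPERATIONS)]
    operator_rule = Permission("operator", "RETRIEVE", "/cse/app1/sensors",
                               [business_hours(), from_network("10.0.0.0/8")])
    return DecisionPoint([operator_rule] + owner_rules)


def run_examples() -> List[str]:
    """Constructed requests exercising subject, environment and resource attributes."""
    pep = EnforcementPoint(build_example_policy())
    day, night = datetime(2013, 12, 9, 10, 30), datetime(2013, 12, 9, 23, 0)
    res, op_roles = "/cse/app1/sensors/temp", frozenset({"operator"})
    requests = [
        Request("ae-42", op_roles, "RETRIEVE", res, "10.1.2.3", day),       # all attributes satisfied
        Request("ae-42", op_roles, "RETRIEVE", res, "10.1.2.3", night),     # outside business hours
        Request("ae-42", op_roles, "RETRIEVE", res, "203.0.113.5", day),    # wrong source network
        Request("ae-42", op_roles, "DELETE", res, "10.1.2.3", day),         # operator holds no DELETE
        Request("ae-7", frozenset({"owner"}), "DELETE", res, "203.0.113.5", night),  # owner, unconditional
        Request("ae-7", frozenset(), "RETRIEVE", res, "10.1.2.3", day),     # no role activated in session
        Request("ae-7", frozenset({"owner"}), "PATCH", res, "10.1.2.3", day),  # unknown operation
    ]
    return [pep.handle(r) for r in requests]


if __name__ == "__main__":
    for line in run_examples():
        print(line)
```

The design choice worth noting is the separation the slide asks for: `EnforcementPoint` never inspects the policy, it only relays the verdict of `DecisionPoint`, so the two can later live on the same or on separate CSEs (the FFS item above) without changing either side. The decision itself is role-first (Permission Assignment) and then narrowed by environment attributes, and anything that matches no permission, or names an operation outside the known set, is denied by default.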

Page 10:

Way Forward

• Delegation Concept
  – Delegation is a desirable feature but seems unlikely to be ready for Rel.1
  – The security model should allow the delegation concept to be integrated in a later release.
• User Concept
  – The value of the User concept is still controversial
  – Application User concept is out of scope of Rel.1