Access Control Framework Thoughts


Access Control Framework Thoughts
Group Name: Access Control Ad Hoc (WG 2, WG 4, WG 5)
Source: Qualcomm
Meeting Date: 2013-12-09
Agenda Item:


• This slide includes animations – I recommend viewing as a slideshow.
M2M-SEC-2013-0060


User Request to Smart Meter (ASN)
Request path (figure): User on web client -> OSS (IN-AE) -> M2M SP (IN-CSE) -> M2M/Home Gateway (MN) -> Smart Meter (ASN)
• OSS may permit/deny (out of scope)
• M2M SP may permit/deny
• M2M/Home Gateway may permit/deny
• Smart Meter may permit/deny
• Multiple entities permit/deny. It is currently not clear how the MN or the IN-CSE would apply access control: do they hold a copy of the resources and of the access rights? Maybe leave this for a later release.


User Request to Smart Meter (ASN), Release 1 case
Request path (figure): User on web client -> OSS (IN-AE) -> M2M SP (IN-CSE) -> M2M/Home Gateway (MN) -> Smart Meter (ASN)
• OSS may permit/deny (out of scope)
• Smart Meter permits/denies
• For Release 1, support only this case: the intermediate nodes (MN, IN-CSE) do not apply access control; only the Smart Meter does.


Functional Entity "Roles" with respect to a resource (not access control roles)
• Resource Host (RH): the CSE on which the resource is located. (Release 1) Access control is enforced here.
• Resource Creator (RC): the CSE or AE to whom the resource is "leased" (may be the same entity as the Resource Host).
• Active Functional Entity (AFE): the AE or CSE requesting an operation on the resource.


Functional Entity roles and Stakeholder roles (for this example)
Figure legend: functional entity associated with a resource; stakeholder associated with a functional entity; possible agreement between stakeholders; expected agreement between stakeholders.
• Functional Entity roles: Resource Host (RH), Resource Creator (RC), Active Functional Entity (AFE).
• Stakeholder roles: RH Owner, RC Owner, RC User, AFE Owner, AFE User.
• Expected agreement between stakeholders: between the RC Owner and the RH Owner.
• One of these agreements must hold: between the AFE Owner or AFE User and the RC Owner or RC User.
• AFE User is relevant in some cases only.
• A Functional Entity or Stakeholder may play more than one role.


Relation to accessRights
Figure: the Resource Host holds the resource's accessRights; Functional Entity and Stakeholder roles as on the previous slide.
• Access control policies reflect the human decisions and organizational policies of the relevant stakeholders.
• Access control policies end up as accessRights on the RH.
• We will discuss mechanisms for manipulating accessRights in later slides.


Relation to Agreements
Figure: the Resource Host holds the resource's accessRights; Functional Entity and Stakeholder roles as before.
• To allow an AFE access to the resource, there needs to be a chain of agreements
  • from the AFE Owner or AFE User,
  • via the RC Owner or RC User,
  • to the RH Owner.
• An RC is authorized to create a resource only if there is a chain of agreements from the RC Owner or RC User to the RH Owner.
• The effect of agreements is cumulative.
• The effect of agreements ends up represented in accessRights.
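The chain-of-agreements rule can be made concrete. The following Python is an added example written for this page; it is neither oneM2M code nor Qualcomm's. It assumes a simple model in which an agreement is a directed grant from one stakeholder to another carrying a set of operations, a chain narrows rights at each hop (a party can pass on no more than it was itself granted), and separate chains to the same stakeholder add up. The stakeholder names, the CRUD operation vocabulary and the sample agreements are constructed for the example; the slides do not define any of them.

```python
"""Added example: deriving accessRights from chains of stakeholder agreements."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# Assumption: the rights vocabulary is the CRUD operation set.
ALL_OPS: FrozenSet[str] = frozenset({"CREATE", "RETRIEVE", "UPDATE", "DELETE"})


@dataclass(frozen=True)
class Agreement:
    """grantor agrees that grantee (and whoever grantee passes it to) may perform ops."""
    grantor: str
    grantee: str
    ops: FrozenSet[str]


def derive_access_rights(agreements: Iterable[Agreement], rh_owner: str) -> Dict[str, FrozenSet[str]]:
    """Walk every agreement chain that starts at the RH Owner.

    Assumed semantics: rights narrow along a chain (intersection at each hop) and the
    effect of several chains reaching the same stakeholder is cumulative (union).
    The result is what would be written into the resource's accessRights on the RH.
    """
    by_grantor: Dict[str, List[Agreement]] = {}
    for a in agreements:
        by_grantor.setdefault(a.grantor, []).append(a)

    # Assumption: the owner of the Resource Host holds every operation itself.
    rights: Dict[str, FrozenSet[str]] = {rh_owner: ALL_OPS}

    def walk(node: str, ops_so_far: FrozenSet[str], on_path: FrozenSet[str]) -> None:
        for a in by_grantor.get(node, []):
            if a.grantee in on_path:          # ignore cycles in the agreement graph
                continue
            chain_ops = ops_so_far & a.ops    # a hop cannot pass on more than it received
            if not chain_ops:
                continue
            rights[a.grantee] = rights.get(a.grantee, frozenset()) | chain_ops
            walk(a.grantee, chain_ops, on_path | {a.grantee})

    walk(rh_owner, ALL_OPS, frozenset({rh_owner}))
    return rights


def is_allowed(rights: Dict[str, FrozenSet[str]], stakeholder: str, op: str) -> bool:
    """The RH's decision: is op in the accessRights derived for this stakeholder?"""
    return op in rights.get(stakeholder, frozenset())


# Constructed sample: RH Owner -> RC Owner -> {RC User, AFE Owner}; "Someone" has no chain.
EXAMPLE_AGREEMENTS = [
    Agreement("RH Owner", "RC Owner", ALL_OPS),
    Agreement("RC Owner", "RC User", frozenset({"RETRIEVE", "UPDATE"})),
    Agreement("RC Owner", "AFE Owner", frozenset({"UPDATE"})),
    # RC User tries to pass on DELETE, which it never held: the chain narrows it away.
    Agreement("RC User", "AFE Owner", frozenset({"RETRIEVE", "DELETE"})),
    # No chain from "Someone" back to the RH Owner, so AFE User gets nothing from this.
    Agreement("Someone", "AFE User", frozenset({"RETRIEVE"})),
]

if __name__ == "__main__":
    for who, ops in derive_access_rights(EXAMPLE_AGREEMENTS, "RH Owner").items():
        print(f"{who:10s} {sorted(ops)}")
```

With the sample agreements the AFE Owner ends up with RETRIEVE (via the RC User) and UPDATE (via the RC Owner) but not DELETE, and the AFE User gets nothing because its only agreement does not chain back to the RH Owner. Whether a chain should narrow (intersection) or whether "cumulative" means something else is exactly the kind of semantic a later release has to pin down.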


Relation to Authentication of Functional Entities
Figure: the Resource Host now also holds Functional Entity Credentials (key), alongside the resource's accessRights.
• Functional Entity Authentication Credentials are used by the RH to authenticate the RC/AFE.
• Once the RC/AFE is authenticated, the accessRights that identify the RC/AFE can be applied.
• The accessRights may be further updated by tokens presented by the RC/AFE.


Relation to Authentication of Tokens
Figure: the Resource Host now also holds Token Authentication Credentials. Many options: stakeholders and Functional Entities have credentials for issuing tokens.
• Token Authentication Credentials are used by the RH to authenticate tokens (or chains of tokens) issued by
  • stakeholders, and/or
  • Functional Entities on behalf of the stakeholders,
  with the aim of updating the accessRights (typically the update is temporary only).


Tokens Example
Figure only: Active Functional Entity and Resource Host (holding Functional Entity Credentials, Token Authentication Credentials and the resource's accessRights); stakeholders RH Owner, RC User, AFE User.


Relation to Authentication of Tokens (continued)
Figure: as on the previous slide.
• Once the tokens are authenticated, and if the token issuer is authorized to request the update to accessRights indicated in the token, then the accessRights are updated accordingly.
• A token may specify the RC/AFE identity (if the RC/AFE is to be authenticated) or may be a "Bearer Token" to be applied to any Functional Entity bearing the token.


Figure (same legend as slide 6): the Resource Host holds the resource's accessRights and the Authentication Credentials; RH Owner, RC Owner and RC User are the potential policy authors; AFE User is relevant in some cases only; one of the agreements between the AFE Owner or AFE User and the RC Owner or RC User must hold.
• Authentication Credentials are used by the RH either
  • for authenticating communication with the RC/AFE, or
  • for authenticating tokens issued by (or on behalf of) the RH Owner and/or RC Owner and/or RC User.
• Tokens must be authenticated before applying rights.
• Once the RC/AFE and/or the token is authenticated, accessRights can be applied.


Figure: Resource Creator, Resource Host (holding the accessRights), RH Owner.
• RC must be authorized to create the resource. Options:
1. Functional Entity Authorization
  • RH provided with credentials to authenticate the RC (bootstrap)
  • RH Owner updates accessRights to authorize the RC explicitly
2. Stakeholder Authorization
  • RH provided with credentials to authenticate the RC Owner (??)
  • RH Owner updates accessRights to authorize the RC Owner
  • RC issued with a token verifying that it is owned by the RC Owner
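The token handling of the preceding slides (authenticate the Functional Entity, authenticate the token, check that the issuer may request the update, apply a temporary change to accessRights, bound versus bearer tokens) and both Resource Creator authorization options above can be put into one Resource Host model. The Python below is an added example written for this page, not oneM2M or Qualcomm code. Everything concrete in it is an assumption: HMAC-SHA256 challenge-response as the Functional Entity credential, a JSON-plus-HMAC token format with `iss`, `sub`, `grant` and `exp` claims, the rule that an issuer may only grant operations it itself holds on the RH, and the entity names and keys in the constructed walkthrough.

```python
"""Added example: a Resource Host authenticating Functional Entities and tokens,
and applying token-requested (temporary) updates to accessRights."""
import hashlib
import hmac
import json
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

OPS: FrozenSet[str] = frozenset({"CREATE", "RETRIEVE", "UPDATE", "DELETE"})


def hmac_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_token(issuer: str, issuer_key: bytes, claims: dict) -> dict:
    """Assumed token format: JSON claims + HMAC-SHA256 under the issuer's credential.
    claims: 'grant' (operations requested), 'exp' (unix time); an optional 'sub' binds
    the token to one Functional Entity identity, its absence makes it a bearer token."""
    body = json.dumps(dict(claims, iss=issuer), sort_keys=True)
    return {"body": body, "mac": hmac_hex(issuer_key, body.encode())}


class ResourceHost:
    def __init__(self, access_rights: Dict[str, Iterable[str]],
                 fe_credentials: Dict[str, bytes], token_credentials: Dict[str, bytes]):
        # accessRights on the RH: principal (Functional Entity or stakeholder) -> operations
        self.access_rights = {p: frozenset(o) for p, o in access_rights.items()}
        # Functional Entity Authentication Credentials (e.g. bootstrapped shared keys)
        self.fe_credentials = dict(fe_credentials)
        # Token Authentication Credentials: issuer -> key that verifies its tokens
        self.token_credentials = dict(token_credentials)
        # Temporary updates applied from tokens: (principal, operations, expiry)
        self.temporary_rights: List[Tuple[str, FrozenSet[str], float]] = []

    def authenticate_entity(self, entity_id: str, challenge: bytes, proof: str) -> Optional[str]:
        """Authenticate an RC/AFE by HMAC challenge-response over its credential."""
        key = self.fe_credentials.get(entity_id)
        if key is None or not hmac.compare_digest(hmac_hex(key, challenge), proof):
            return None
        return entity_id

    def effective_rights(self, principal: str, now: float) -> FrozenSet[str]:
        rights = set(self.access_rights.get(principal, ()))
        for p, ops, exp in self.temporary_rights:
            if p == principal and exp > now:
                rights |= ops
        return frozenset(rights)

    def is_authorized(self, principal: str, op: str, now: float) -> bool:
        return op in self.effective_rights(principal, now)

    def apply_token(self, token: dict, presenter: str, now: float) -> bool:
        """Authenticate the token, then apply the update it requests if its issuer is
        authorized to request it. Returns False (and changes nothing) otherwise."""
        try:
            claims = json.loads(token["body"])
            key = self.token_credentials[claims["iss"]]   # unknown issuer -> KeyError
            if not hmac.compare_digest(hmac_hex(key, token["body"].encode()), token["mac"]):
                return False                              # tampered or wrong key
        except (KeyError, TypeError, ValueError):
            return False
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return False
        # Bound token: 'sub' must be the identity the RH already authenticated.
        # Bearer token: no 'sub', the rights go to whoever presents it.
        if "sub" in claims and claims["sub"] != presenter:
            return False
        requested = frozenset(claims.get("grant", []))
        # Assumed authorization rule: an issuer may grant only operations it holds itself.
        if not requested or not requested <= self.effective_rights(claims["iss"], now):
            return False
        self.temporary_rights.append((presenter, requested, float(claims["exp"])))
        return True


def walkthrough(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Constructed scenario; every value should be True."""
    rc_key, afe_key, owner_key = b"rc1-bootstrap-key", b"afe7-bootstrap-key", b"rc-owner-key"
    rh = ResourceHost(
        access_rights={"RH Owner": OPS, "RC Owner": {"CREATE", "RETRIEVE"}},  # option 2: RC Owner authorized
        fe_credentials={"RC-1": rc_key, "AFE-7": afe_key},                   # bootstrapped FE credentials
        token_credentials={"RC Owner": owner_key},                          # RH can check RC Owner's tokens
    )
    out: Dict[str, bool] = {}
    challenge = b"nonce-42"
    out["rc_authenticated"] = rh.authenticate_entity("RC-1", challenge, hmac_hex(rc_key, challenge)) == "RC-1"
    out["wrong_proof_rejected"] = rh.authenticate_entity("RC-1", challenge, hmac_hex(afe_key, challenge)) is None
    # Option 1 would instead be the RH Owner writing rh.access_rights["RC-1"] = {"CREATE"} directly.
    owned = issue_token("RC Owner", owner_key, {"sub": "RC-1", "grant": ["CREATE"], "exp": now + 600})
    out["rc_may_create"] = rh.apply_token(owned, "RC-1", now) and rh.is_authorized("RC-1", "CREATE", now)
    out["bound_token_replay_rejected"] = not rh.apply_token(owned, "AFE-7", now)
    over = issue_token("RC Owner", owner_key, {"sub": "RC-1", "grant": ["DELETE"], "exp": now + 600})
    out["issuer_cannot_exceed_own_rights"] = not rh.apply_token(over, "RC-1", now)
    forged = dict(owned, body=owned["body"].replace('"CREATE"', '"DELETE"'))
    out["tampered_rejected"] = not rh.apply_token(forged, "RC-1", now)
    bearer = issue_token("RC Owner", owner_key, {"grant": ["RETRIEVE"], "exp": now + 60})
    out["bearer_applies_to_presenter"] = rh.apply_token(bearer, "AFE-7", now) and rh.is_authorized("AFE-7", "RETRIEVE", now)
    out["temporary_update_expires"] = not rh.is_authorized("AFE-7", "RETRIEVE", now + 61)
    return out
```

Two points the walkthrough makes that the slides only state: a bound token replayed by another Functional Entity is rejected because the `sub` claim is compared with the identity the RH itself authenticated, whereas a bearer token is honoured for whoever presents it, so its lifetime (`exp`) is the only thing limiting replay; and the issuer-authorization check is what stops a stakeholder from handing out more than it holds, which is how the cumulative effect of agreements stays bounded.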


Figure (same legend as slide 6): Resource Host (holding the accessRights), Resource Creator, Active Functional Entity; RH Owner, RC Owner, AFE Owner.
• To authorize the AFE (slide text repeats the RC options):
1. Functional Entity Authorization
  • RH provided with credentials to authenticate the RC (bootstrap)
  • RH Owner updates accessRights to authorize the RC explicitly
2. Stakeholder Authorization
  • RH provided with credentials to authenticate the RC Owner (??)
  • RH Owner updates accessRights to authorize the RC Owner
  • RC issued with a token verifying that it is owned by the RC Owner
• A Functional Entity or Stakeholder may play more than one role.

Slides 16 to 18 (figure templates, same legend as slide 6): Resource Host (holding the accessRights), Resource Creator and Active Functional Entity, with the stakeholder roles RH Owner, RC Owner, RC User, AFE Owner and AFE User drawn in varying combinations. Each carries the note: A Functional Entity or Stakeholder may play more than one role.