An introduction to oneM2M's Access Control Mechanisms
This article presents a basic overview of the access control mechanism in oneM2M.
oneM2M Access Control
oneM2M resources can be thought of as digital representations of physical entities. Unauthorized access to these resources lets an attacker operate on the entities behind them, and can also expose sensitive data.
oneM2M specifies several access control mechanisms to prevent unauthorized access to the resources and services hosted by CSEs and AEs. Broadly, these mechanisms fall into five categories:
- Default Access Policy
- Access Control Policies
- Role Based Access Control
- Distributed Authorization
- Dynamic Authorization
oneM2M Authentication
It is important to note that the access control mechanisms come into play only after the originator of a resource access request has been identified and authenticated. Every mechanism below takes the authenticated originator identifier (an AE-ID or CSE-ID) as its input, so a weakness in authentication undermines all of them.
Default Access Policy
This mechanism applies when no other access control mechanism is associated with the resource or the request (no access control policies, no dynamic authorization consultation policies, no role, and so on). It uses the concepts of creator and custodian of a resource.
- custodian: the owner of the resource. If the resource has a custodian attribute, the default policy grants unrestricted access to the custodian only.
- creator: the entity that created the resource. If the resource has no custodian attribute, the default policy grants unrestricted access to the creator.
All other entities are denied access to the resource. Note that once a custodian is set, the creator no longer has default access; the custodian is the only originator the default policy admits.
The custodian and creator information is stored with the resource and used when evaluating the default policy, as depicted below:
Access Control Policies
This mechanism applies when an Access Control Policy is associated with the resource.
- Access Control Policy IDs (ACPI) attribute: This attribute links a resource to one or more Access Control Policies. Each Access Control Policy contains a set of Access Control Rules defining the access conditions for a resource: who may access it (the permitted originators), which operations they may perform (create, retrieve, update, delete, notify, discovery) and under what conditions (for example a time window, a location region or an IP address range). When a resource links several policies, the rules of all of them are evaluated and access is granted if any rule matches. Access to the Access Control Policy resource itself is governed by its own selfPrivileges, not by the privileges it hands out to others. For more details on ACPI refer to: Access Control Policy
- Parent Hierarchy: This applies when the resource type has no Access Control Policy IDs attribute definition (a contentInstance, for example). For such resources, the Access Control Policies associated with the parent resource apply, as shown in the following figure.
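To make the two mechanisms above concrete, here is an added example (mine, not code from this article or from oneM2M) that first resolves which rules govern a target resource and then decides a request. The resource tree, the originator IDs (Cae-sensor, Cae-dashboard, Cae-admin) and the policy contents are constructed for the example; the short names follow oneM2M's JSON representation except "cstn" for custodian, which is an assumed name. Rule contexts (time window, location, IP address) are left out so the decision logic stays short.

```python
"""Access decision on a hosting CSE, simplified: find the rules that govern a
target resource (its own acpi; the parent's acpi for resource types without an
acpi attribute; the policy's own selfPrivileges when the target is an
<accessControlPolicy>) and fall back to the default policy (custodian if set,
otherwise creator) when no policy applies. Added example for the Default Access
Policy and Access Control Policies sections; not oneM2M's or any CSE's code."""
from __future__ import annotations

# accessControlOperations bitmask values (m2m:accessControlOperations in TS-0004).
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY, DISCOVERY = 1, 2, 4, 8, 16, 32
ALL_OPS = CREATE | RETRIEVE | UPDATE | DELETE | NOTIFY | DISCOVERY  # 63

ACP, AE, CONTAINER, CONTENT_INSTANCE, CSE_BASE = 1, 2, 3, 4, 5  # resourceType values

# Constructed resource tree keyed by resourceID, using oneM2M short names:
# ty=resourceType, pi=parentID, cr=creator, acpi=accessControlPolicyIDs,
# pv=privileges, pvs=selfPrivileges, acr=accessControlRule,
# acor=accessControlOriginators, acop=accessControlOperations.
# "cstn" for custodian is an assumed short name for this example.
# No "acpi" key = the resource type has no such attribute (contentInstance);
# "acpi": [] = the attribute exists but is not set.
RESOURCES = {
    "cse-in": {"ty": CSE_BASE, "pi": None, "cr": "/cse-in", "acpi": []},
    "cse-in/acp-sensor": {
        "ty": ACP, "pi": "cse-in", "cr": "Cae-admin",
        "pv":  {"acr": [{"acor": ["Cae-sensor"],    "acop": CREATE | RETRIEVE},
                        {"acor": ["Cae-dashboard"], "acop": RETRIEVE | DISCOVERY}]},
        "pvs": {"acr": [{"acor": ["Cae-admin"],     "acop": ALL_OPS}]},
    },
    "cse-in/ae-sensor": {"ty": AE, "pi": "cse-in", "cr": "Cae-sensor",
                         "acpi": ["cse-in/acp-sensor"]},
    "cse-in/ae-sensor/temp": {"ty": CONTAINER, "pi": "cse-in/ae-sensor",
                              "cr": "Cae-sensor", "acpi": ["cse-in/acp-sensor"]},
    "cse-in/ae-sensor/temp/cin1": {"ty": CONTENT_INSTANCE, "pi": "cse-in/ae-sensor/temp",
                                   "cr": "Cae-sensor"},
    "cse-in/ae-sensor/private": {"ty": CONTAINER, "pi": "cse-in/ae-sensor",
                                 "cr": "Cae-sensor", "acpi": []},
    "cse-in/ae-sensor/shared": {"ty": CONTAINER, "pi": "cse-in/ae-sensor",
                                "cr": "Cae-sensor", "cstn": "Cae-dashboard", "acpi": []},
}


def applicable_rules(ri: str) -> tuple[list | None, str]:
    """Return (rules, source); rules is None when the default policy governs ri."""
    res = RESOURCES[ri]
    if res["ty"] == ACP:
        return res["pvs"]["acr"], f"selfPrivileges of {ri}"
    node, node_ri = res, ri
    while node is not None:
        if "acpi" in node:
            if not node["acpi"]:
                return None, "default policy"
            rules = [r for acp_id in node["acpi"] for r in RESOURCES[acp_id]["pv"]["acr"]]
            return rules, f"acpi of {node_ri}"
        node_ri = node["pi"]                      # walk up: the parent's policies apply
        node = RESOURCES[node_ri] if node_ri is not None else None
    return None, "default policy"


def rule_matches(rule: dict, originator: str, op: int) -> bool:
    # Originator check ("all" is the wildcard), then the operation bit.
    # Real rules may add contexts (time window, location, IP); omitted here.
    if "all" not in rule["acor"] and originator not in rule["acor"]:
        return False
    return bool(rule["acop"] & op)


def default_policy(originator: str, res: dict) -> bool:
    # A custodian, when present, replaces the creator as the single permitted originator.
    return originator == res.get("cstn", res["cr"])


def acp_authorized(originator: str, ri: str, op: int) -> bool:
    rules, _source = applicable_rules(ri)
    if rules is None:
        return default_policy(originator, RESOURCES[ri])
    return any(rule_matches(r, originator, op) for r in rules)  # any matching rule permits


if __name__ == "__main__":
    for who, target, op in [("Cae-dashboard", "cse-in/ae-sensor/temp/cin1", RETRIEVE),
                            ("Cae-sensor", "cse-in/ae-sensor/shared", RETRIEVE),
                            ("Cae-sensor", "cse-in/acp-sensor", UPDATE)]:
        print(who, target, op, applicable_rules(target)[1], acp_authorized(who, target, op))
```

Two things the decision shows that the prose alone does not: a contentInstance is governed by its parent container's policies even though it carries no acpi itself, and setting a custodian silently removes the creator's default access, so a misplaced custodian attribute locks out the entity that created the resource.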
Role Based Access Control
This mechanism uses roles and tokens to check the access permissions of an originator. In a oneM2M system a token carries information such as:
- the holder, i.e. the AE or CSE to which the token (and the roles in it) is issued,
- the issuer, i.e. the identifier of the entity that issued the token to that AE/CSE,
- the start time and end time of its validity, and more.
The roles in the token map to privileges, and those privileges are what is checked when deciding whether to grant access. A hosting CSE should act on a token only if it trusts the issuer, the holder matches the authenticated originator, and the validity window covers the time of the request.
Distributed Authorization
In a large deployment with many CSEs it may not be feasible to keep all authorization policies in one place. In this mechanism the functions of authorization are split into components that can live on different CSEs.
The oneM2M authorization architecture comprises four subcomponents:
- Policy Enforcement Point (PEP): where requests are received and decisions are enforced
- Policy Retrieval Point (PRP): where authorization policies are stored
- Policy Information Point (PIP): where additional information needed to evaluate a policy, such as attributes of the originator, the target or the environment, is obtained
- Policy Decision Point (PDP): where access decisions are made
These subcomponents can be distributed across different nodes or co-located. When they are distributed, the PEP must authenticate the PDP it consults and protect the integrity of the decision it receives, since a forged permit bypasses every policy the PRP holds.
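The following is an added example (mine, not oneM2M's or the article's code) that models the four subcomponents as separate objects exchanging explicit messages, so it is visible which one holds policies, which supplies context, which decides and which enforces. The resource name cse-mn/plant/temp, the policy layout, the role IDs and the message fields are this example's own; the response status codes 2000 (OK) and 4103 (ORIGINATOR_HAS_NO_PRIVILEGE) are oneM2M's.

```python
"""Distributed authorization: PEP, PRP, PIP and PDP as separate components.
Added example for the Distributed Authorization section; not oneM2M's code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable


@dataclass(frozen=True)
class DecisionRequest:
    """What the PEP sends to the PDP: nothing more than the request's essentials."""
    originator: str
    target: str
    operation: str


class PRP:
    """Policy Retrieval Point: the only component that stores policies."""
    def __init__(self, policies: dict):
        self._policies = policies                # target resource -> list of rules
    def policies_for(self, target: str) -> list:
        return self._policies.get(target, [])


class PIP:
    """Policy Information Point: attributes a rule needs that the request does not carry."""
    def __init__(self, roles: dict, clock: Callable[[], datetime]):
        self._roles, self._clock = roles, clock
    def roles_of(self, originator: str) -> set:
        return set(self._roles.get(originator, ()))
    def now(self) -> datetime:
        return self._clock()


class PDP:
    """Policy Decision Point: pulls rules and context, returns only permit/deny."""
    def __init__(self, prp: PRP, pip: PIP):
        self._prp, self._pip = prp, pip
    def decide(self, req: DecisionRequest) -> bool:
        subjects = {req.originator} | self._pip.roles_of(req.originator)
        hour = self._pip.now().hour
        for rule in self._prp.policies_for(req.target):
            start, end = rule.get("hours", (0, 24))   # optional time-of-day context
            if (subjects & set(rule["subjects"]) and req.operation in rule["ops"]
                    and start <= hour < end):
                return True
        return False                                  # default deny


class PEP:
    """Policy Enforcement Point: receives the request, asks the PDP, enforces the answer."""
    def __init__(self, pdp: PDP):
        self._pdp = pdp
        self.audit = []                               # (request, decision) pairs for forensics
    def handle(self, originator: str, target: str, operation: str) -> int:
        req = DecisionRequest(originator, target, operation)
        permit = self._pdp.decide(req)
        self.audit.append((req, permit))
        return 2000 if permit else 4103


def build_demo(clock: Callable[[], datetime]) -> PEP:
    """Wire the components with constructed data; the clock is injected so decisions are reproducible."""
    prp = PRP({"cse-mn/plant/temp": [
        {"subjects": ["Cae-dashboard"], "ops": ["RETRIEVE", "DISCOVERY"]},
        {"subjects": ["role:maintenance"], "ops": ["RETRIEVE", "UPDATE"], "hours": (8, 18)},
    ]})
    pip = PIP({"Cae-tech": ["role:maintenance"]}, clock)
    return PEP(PDP(prp, pip))


NOON = datetime(2024, 6, 9, 12, 0, tzinfo=timezone.utc)    # constructed clock values
NIGHT = datetime(2024, 6, 9, 22, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    pep = build_demo(lambda: NOON)
    print(pep.handle("Cae-tech", "cse-mn/plant/temp", "UPDATE"))
    print(pep.handle("Cae-dashboard", "cse-mn/plant/temp", "UPDATE"))
```

Note that the PEP never sees a policy and the PDP never sees a resource: if the PDP is reached over a network, the `decide` call is the message whose integrity and origin the PEP must verify, and the PEP's audit list is what an incident responder will ask for.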
Dynamic Authorization
This mechanism provides temporary and restricted access to a resource. Unlike static access control policies, it does not require all producers and consumers, and the interactions between them, to be known and written into authorization policies when the resource is created.
Instead, the hosting CSE consults an external authorization server at request time, which can grant temporary permissions for the requested access. This gives flexibility and fine-grained control, making it suitable for dynamic environments where access needs change frequently and decisions must take context into account.
Because such permissions are short-lived, the hosting CSE must check their validity window on every request rather than reuse an earlier decision.
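The token handling described in the Role Based Access Control section, and the time-limited permissions of Dynamic Authorization, share one check: the hosting CSE must verify who issued the token, to whom, and for how long before it maps the token's roles onto privileges. The following added example (mine, not oneM2M's code) does exactly that. The claim names (iss, hld, rol, nbf, exp), the HMAC-based integrity protection, the issuer key and the role-to-operation table are this example's own choices, not the oneM2M token format.

```python
"""Role token check: validate holder, issuer, integrity and validity window,
then map the token's role IDs onto the operations they permit. Added example
for the Role Based Access Control and Dynamic Authorization sections."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed issuer key; in a deployment keys come from provisioning, not code.
ISSUER_KEYS = {"das.example": b"constructed-demo-key-do-not-reuse"}

# Constructed role table: which operations each role ID permits.
ROLE_PRIVILEGES = {
    "role:reader": frozenset({"RETRIEVE", "DISCOVERY"}),
    "role:maintainer": frozenset({"CREATE", "RETRIEVE", "UPDATE", "DELETE"}),
}

T0 = datetime(2024, 6, 9, 10, 0, tzinfo=timezone.utc)   # constructed reference time
ONE_HOUR = timedelta(hours=1)


def _canonical(claims: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier MAC the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer: str, holder: str, roles, not_before: datetime,
                lifetime: timedelta) -> dict:
    """Issuer side: bind holder, roles and validity window under the issuer's key."""
    claims = {"iss": issuer, "hld": holder, "rol": sorted(roles),
              "nbf": not_before.isoformat(), "exp": (not_before + lifetime).isoformat()}
    mac = hmac.new(ISSUER_KEYS[issuer], _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def validate_token(token: dict, originator: str, now: datetime):
    """Verifier side: returns (ok, reason). Every check must pass."""
    claims = token.get("claims", {})
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("mac", "")):
        return False, "integrity check failed"      # claims were altered after issue
    if claims.get("hld") != originator:
        return False, "holder does not match originator"   # replay by another AE/CSE
    nbf, exp = datetime.fromisoformat(claims["nbf"]), datetime.fromisoformat(claims["exp"])
    if not (nbf <= now < exp):
        return False, "outside validity window"      # temporary access has lapsed
    return True, "ok"


def permitted_operations(token: dict, originator: str, now: datetime) -> frozenset:
    ok, _reason = validate_token(token, originator, now)
    if not ok:
        return frozenset()
    ops = set()
    for role in token["claims"]["rol"]:
        ops |= ROLE_PRIVILEGES.get(role, frozenset())  # unknown role IDs grant nothing
    return frozenset(ops)


def token_authorized(token: dict, originator: str, now: datetime, operation: str) -> bool:
    return operation in permitted_operations(token, originator, now)


# Constructed sample: a one-hour reader token issued to Cae-dashboard.
DEMO_TOKEN = issue_token("das.example", "Cae-dashboard", ["role:reader"], T0, ONE_HOUR)

if __name__ == "__main__":
    print(validate_token(DEMO_TOKEN, "Cae-dashboard", T0))
    print(validate_token(DEMO_TOKEN, "Cae-dashboard", T0 + 2 * ONE_HOUR))
    print(sorted(permitted_operations(DEMO_TOKEN, "Cae-dashboard", T0)))
```

The order of the checks is deliberate: integrity is verified before any claim is trusted, so an altered role list or a stretched expiry is rejected before it can influence the decision, and the holder check prevents a token captured from one AE from being presented by another.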
by Poornima Shandilya, 2024-06-09