ECMA-412
1st Edition / June 2015
Access Systems

COPYRIGHT PROTECTED DOCUMENT
Ecma International 2015

Contents

1 Scope
2 Conformance
3 Normative references
4 Terms, definitions and acronyms
5 Model
6 Transaction
7 Time stamping function
8 Module
8.1 Common requirements
8.2 Policy module
8.3 Access-point module
8.4 RED module
8.5 Processing module
8.6 Storage module
9 Message definition and Interface
9.1 General
9.2 Policy interface
9.3 Access request
9.4 Access interface
9.5 Processing interface
9.6 Storage interface
9.7 Final result Notification
9.8 Time stamp Notification
Annex A (informative) Service access control system
Annex B (informative) Share information between different Access Systems
Annex C (informative) Usage of Time_stamping

Introduction

Technology for real-time access control is widely used in many situations, such as entrance gates of facilities and service access control systems. Membership and settlement services also benefit from real-time access control systems connected via networks and using database information.

Sophisticated cloud, virtualisation, database and networking technology and services, and the evolution of authentication technology such as biometrics, NFC and QR codes used in distributed and modular access control systems, enable previously underserved users and operators to innovate around new use cases.

Taking into account the many technologies, this standard specifies the reference model and common control functions. It gives direction for ongoing innovation and development of technology and system integration of distributed real-time access control systems.

This Ecma Standard has been adopted by the General Assembly of June 2015.

"COPYRIGHT NOTICE

2015 Ecma International

This document may be copied, published and distributed to others, and certain derivative works of it may be prepared, copied, published, and distributed, in whole or in part, provided that the above copyright notice and this Copyright License and Disclaimer are included on all such copies and derivative works. The only derivative works that are permissible under this Copyright License and Disclaimer are:

(i) works which incorporate all or portion of this document for the purpose of providing commentary or explanation (such as an annotated version of the document),
(ii) works which incorporate all or portion of this document for the purpose of incorporating features that provide accessibility,
(iii) translations of this document into languages other than English and into different formats and
(iv) works by making use of this specification in standard conformant products by implementing (e.g. by copy and paste wholly or partly) the functionality therein.

However, the content of this document itself may not be modified in any way, including by removing the copyright notice or references to Ecma International, except as required to translate it into languages other than English or into a different format.

The official version of an Ecma International document is the English language version on the Ecma International website. In the event of discrepancies between a translated version and the official version, the official version shall govern.

The limited permissions granted above are perpetual and will not be revoked by Ecma International or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and ECMA INTERNATIONAL DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

Access Systems

1 Scope

This standard specifies:

1) an ID triggered modular access system, the functions of the modules and the messages they exchange, and the sequence of messages, i.e. transitions of the transaction;
2) the system responsibility from receiving an access request until sending the result, i.e. a complete transaction;
3) the responsibilities of the modules, including time stamping and responding to the requests they received; and
4) the sequence and semantics of the messages and their elements.

2 Conformance

Conformant Access Systems progress transactions by evaluating the applicable rules.

Conformant modules implement the requests on their interfaces, the corresponding responses and time stamping as specified herein.

3 Normative references

None.

4 Terms, definitions and acronyms

For the purposes of this document, the following terms, definitions and acronyms apply.

4.1 ID
Identifier

4.2 RED
Rule Evaluation and Dispatching

4.3 transaction
request for access

5 Model

Figure 1 illustrates the Access System structure. The Access System has 5 modules "Access-point, Policy, Processing, RED and Storage" and 4 interfaces "Access-interface, Policy-interface, Processing-interface and Storage-interface".

[Figure 1: Access System. Modules: Policy, Access-point, RED, Processing, Storage. Interfaces: Access-interface, Policy-interface, Storage-interface, Processing-interface.]

The Access System progresses a transaction by exchanging messages between modules and decides the final result (grant or deny). A transaction starts when an Access-point module obtains Access_request and completes when the RED module sends Final_Result_Notification.

Each module shall have a time stamping function.

The message exchanging and the time stamping function are managed by the RED module according to rules which are set by the Policy module.

6 Transaction

Transaction ID identifies a transaction. Transaction ID shall consist of Access ID, Access-point ID and the time at which the Access_request is obtained. Access ID is included in Access_request.

Figure 2 specifies the state machine of a transaction. A transaction is generated at the time of Access_request acceptance by an Access-point module. After that, the transaction changes to the on-going state by sending a Transaction_start_request including Transaction ID from the Access-point module to the RED module.

In the on-going state, the RED module evaluates rules until the final result is obtained. According to the result of the evaluation, the RED module sends a request message to the Processing or Storage module and receives a response message.

When the RED module obtains the final result, it sends Final_Result_Notification and the transaction is completed.

[Figure 2: Transaction State Machine. States: generated, on-going, completed. Labels: Access_request, Transaction_start_request, Final_Result_Notification.]

7 Time stamping function

The purpose of the Time stamping function is to measure the duration of transaction and request processing.

The Access-point modules shall set the Access_ID_obtained_time in the Transaction_start_request message.

For the other modules, time stamping shall be activated and deactivated through time stamping rules. Upon evaluating the time stamping rules, the RED module shall set the TimeStampingFlag value in the requests to TRUE or FALSE according to the evaluation. Depending on the TimeStampingFlag value in the requests, modules shall either time stamp the ReceivedTime and SendingTime or exclude those elements in the corresponding response.

The RED module shall send the time stamping measurements by responding to the Time_stamp_Notification.

The RED module is able to measure the following times:

1) transaction processing time
2) request processing time.

When the Time stamping function of each module is activated, the RED module shall measure the following time:

3) module processing time.

The RED module shall measure the transaction processing time by calculating the difference between the time that the RED module received Transaction_start_request and the time that Final_Result_Notification is sent.

The RED module shall measure the request processing time by recording the sending time of the request and the received time of the response, and calculating the difference between them.

Processing_response, Store_response and Retrieve_response have the information about the received time of the corresponding request and the sending time of the response itself as long as the Time stamping function is activated. By using them, the RED module is able to measure the module processing time. For example, the module processing time of the Processing module for one request from the RED module is measured by the difference between ReceivedTime and SendingTime in the corresponding Processing_response.

Annex C illustrates the usage of time stamping.

8 Module

8.1 Common requirements

Modules shall have a time stamping function.

8.2 Policy module

The Policy module shall have the source of rules, and shall set the rules to the RED module. Each rule shall be identified by its Rule ID.

The rules shall define the progress of transactions and the edition of this standard that the Access System modules conform with. The rules shall also identify the receiver(s) of the Final_Result_Notification and the receiver(s) of the Time_stamp_Notification.

8.3 Access-point module

When an Access-point module obtains an Access_request, it shall generate a Transaction_start_request and send it to the RED module.

The Access-point module shall have its own identifier as Access-point ID.

8.4 RED module

The RED module shall accept and hold rules that are set by the Policy module.

Rules are composed of procedure rules and branch rules. Figure 3 illustrates a procedure rule and Figure 4 illustrates a branch rule. A procedure rule determines the next execution. A branch rule selects the next rule depending on the branch condition. At least one rule is linked to Access ID.

[Figure 3: procedure rule. Labels: Procedure, Result is XXX.]

[Figure 4: branch rule. Labels: rule, if XXX, then YYY, else ZZZ.]

During a transaction, the RED module is driven by messages. When the RED module receives messages, it shall evaluate the rules. The RED module shall dispatch the request and response from one module to another according to the rules.

When the result of the transaction is settled as grant or deny, the RED module shall send the Final_Result_Notification to the receiver(s) specified in the rules.

The RED module makes a Processing_request according to the rules and sends it to the Processing module. The RED module shall receive a Processing_response corresponding to the Processing_request.

When the RED module receives a Store_request from the Processing module, it shall transfer it to the Storage module. When the RED module receives a Retrieve_request from the Processing module, it shall transfer it to the Storage module.

When the RED module receives a Store_response from the Storage module, it shall transfer it to the Processing module. When the RED module receives a Retrieve_response from the Storage module, it shall transfer it to the Processing module.

To manage time stamping information, the RED module shall log the time when it sends and receives messages as long as the Time stamping function is activated.

The RED module shall send Time_stamp_Notification to the receiver(s) specified in the rules.

8.5 Processing module

The Processing module shall have at least one function. Each function shall be identified by its Function ID.

When the Processing module receives a Processing_request from the RED module, it shall execute the function identified by the Function ID in the request, make a Processing_response including the execution result and send it to the RED module.

The Processing module may request the RED module to store and retrieve data.

8.6 Storage module

When the Storage module receives a Store_request, it shall store data, make a Store_response and send it to the RED module.

When the Storage module receives a Retrieve_request, it shall retrieve data, make a Retrieve_response including the retrieved data and send it to the RED module.

Data is specified by Data_type.

The Storage module may be used for sharing information between different transactions in the same Access System or a different Access System as illustrated in Annex B; Annex A is an example use case that does not use the Storage module.

9 Message definition and Interface

9.1 General

This clause specifies the messages exchanged via interfaces. Each message shall include the elements defined in clause 9 and may include other elements.

In this document, the messages are specified by ASN.1 expression. Encoding rules are not specified.

Requests and responses include a Transaction ID. The type of Transaction ID is:

    TransactionID_TYPE ::= SEQUENCE {
        Access_ID               OCTET STRING,
        Access-point_ID         OCTET STRING,
        Access_ID_obtained_time GeneralizedTime
    }

9.2 Policy interface

The Policy module shall use the Policy_setter to set the rules to the RED module and may use it at any time. The RED module may use the Policy_getter to request the rules at any time. The Policy_getter depends on implementations.

    Policy_setter ::= SEQUENCE {
        RULE_ID OCTET STRING,
        RULE    OCTET STRING
    }

    Policy_getter ::= SET {
        RULE_ID OCTET STRING
    }

9.3 Access request

The Access-point module obtains the following message from an accessor.

    Access_request ::= SET {
        Access_ID OCTET STRING
    }

9.4 Access interface

The Access-point module shall use the following request to generate a new transaction.

    Transaction_start_request ::= SET {
        Transaction_ID TransactionID_TYPE
    }

9.5 Processing interface

The RED module shall use the following request to execute the function according to the rule.

    Processing_request ::= SEQUENCE {
        Transaction_ID   TransactionID_TYPE,
        Function_ID      OCTET STRING,
        TimeStampingFlag BOOLEAN,
        SetOfParameter   SET {
            Parameter OCTET STRING
        }
    }

TimeStampingFlag shall indicate whether the Time stamping function is activated or deactivated.

The Processing module shall use the following corresponding response.

    Processing_response ::= SEQUENCE {
        Transaction_ID TransactionID_TYPE,
        Function_ID    OCTET STRING,
        ReceivedTime   GeneralizedTime,
        SendingTime    GeneralizedTime,
        Result         OCTET STRING
    }

Function_ID shall be the same data as Function_ID in the corresponding Processing_request.

Processing_response shall include ReceivedTime if TimeStampingFlag in the corresponding Processing_request is TRUE. ReceivedTime shall indicate the time at which the Processing module received the corresponding Processing_request from the RED module.

Processing_response shall include SendingTime if TimeStampingFlag in the corresponding Processing_request is TRUE. SendingTime shall indicate the time at which this response is sent.

Result shall include the result of executing the function.

The Processing module may use the following requests to store and retrieve data.

    Store_request ::= SEQUENCE {
        Transaction_ID TransactionID_TYPE,
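
The following Python example is added here and is not part of ECMA-412. It applies the transaction state machine of clause 6 and the three time measurements of clause 7 to a single Processing_request, and rejects responses that match no outstanding request or whose time stamp elements disagree with TimeStampingFlag. The class name RedTransaction, its method names and the dictionary message layout are assumptions; the sample IDs and times are constructed.

```python
from datetime import datetime, timedelta

class RedTransaction:
    """RED-side record of one transaction: states (clause 6), timing (clause 7)."""
    def __init__(self, access_id, access_point_id, obtained_time):
        # Transaction ID = Access ID + Access-point ID + Access_ID_obtained_time
        self.transaction_id = (access_id, access_point_id, obtained_time)
        self.state = "generated"
        self.pending = {}  # Function_ID -> (sending time, TimeStampingFlag)

    def _require(self, state):
        if self.state != state:
            raise ValueError(f"message not allowed in state {self.state!r}")

    def on_transaction_start_request(self, now):
        self._require("generated")
        self.state, self.started_at = "on-going", now

    def send_processing_request(self, function_id, time_stamping, now):
        self._require("on-going")
        self.pending[function_id] = (now, time_stamping)
        return {"Transaction_ID": self.transaction_id, "Function_ID": function_id,
                "TimeStampingFlag": time_stamping}

    def on_processing_response(self, resp, now):
        self._require("on-going")
        key = resp["Function_ID"]
        if resp["Transaction_ID"] != self.transaction_id or key not in self.pending:
            raise ValueError("response matches no outstanding request")
        sent_at, flag = self.pending.pop(key)
        # Both time stamp elements are present only when the flag was TRUE.
        if [k in resp for k in ("ReceivedTime", "SendingTime")] != [flag, flag]:
            raise ValueError("time stamp elements do not match TimeStampingFlag")
        return {"request_time": now - sent_at,  # measured on the RED clock
                "module_time": resp["SendingTime"] - resp["ReceivedTime"] if flag else None}

    def send_final_result(self, now):
        self._require("on-going")
        self.state = "completed"
        return now - self.started_at  # transaction processing time

def demo():  # constructed sample run; all IDs and times are invented
    t0 = datetime(2015, 6, 1, 9, 0, 0)
    ms = lambda n: t0 + timedelta(milliseconds=n)
    tx = RedTransaction(b"card-42", b"gate-1", t0)
    tx.on_transaction_start_request(ms(5))
    req = tx.send_processing_request(b"verify", True, ms(10))
    resp = {"Transaction_ID": req["Transaction_ID"], "Function_ID": b"verify",
            "ReceivedTime": ms(14), "SendingTime": ms(30), "Result": b"grant"}
    timing = tx.on_processing_response(resp, ms(35))
    return tx.send_final_result(ms(40)), timing
```

The module processing time comes from the Processing module's own clock, while the request processing time comes from the RED module's clock, so the two are only comparable when the clocks are synchronised.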