1、 ETSI GS INS 002 V1.1.1 (2010-09)Group Specification Identity and Access Management for Networks and ServicesDistributed Access Control for TelecommunicationsUse Cases and RequirementsETSI ETSI GS INS 002 V1.1.1 (2010-09) 2Reference DGS/INS-002 Keywords access, control, ID, management, network, serv
2、ice ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice Individual copies of the present document c
3、an be downloaded from: http:/www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, th
4、e reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI doc
5、uments is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written pe
6、rmission. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2010. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTM, TIPHONTM, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Mem
7、bers. 3GPPTM is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. LTE is a Trade Mark of ETSI currently being registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and o
8、wned by the GSM Association. ETSI ETSI GS INS 002 V1.1.1 (2010-09) 3Contents Intellectual Property Rights 5g3Foreword . 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Abbreviations . 7g34 Current Landscape 8g34.1 General Access Control Fra
9、meworks . 8g34.1.1 IETF Geopriv Working Group Policies Frameworks . 8g34.1.2 eXtensible Access Control Markup Language 9g34.1.3 Enterprise Privacy Authorization Language (EPAL) 10g34.2 Access Control in Telecommunications . 11g34.2.1 3GPP Policy Control and Charging (PCC) . 11g34.2.1.1 Application F
10、unction (AF) 12g34.2.1.2 Subscription Profile Repository (SPR) 12g34.2.1.3 Policy Control and Charging Rule Function (PCRF) 12g34.2.1.4 Policy and Charging Enforcement Function (PCEF) 12g34.2.2 ETSI TISPAN Resource and Admission Control Sub-systems (RACS) 13g34.2.2.1 Application Function (AF) 14g34.
11、2.2.2 Service Policy Decision Function (SPDF) 14g34.2.2.3 Generic Resource and Admission Control Function (x-RACF) 14g34.2.2.4 Border Gateway Function (BGF) 14g34.2.2.5 Resource Control Enforcement Function (RCEF) 14g34.2.3 ITU-T Resource and Admission Control Functions (RACF) . 15g34.2.3.1 Service
12、Control Function (SCF) 15g34.2.3.2 Policy Decision Function Entity (PD-FE) . 15g34.2.3.3 Network Attachment Control Functions (NACF) . 15g34.2.3.4 Transport Resource Control Functional Entity (TRC-FE) 15g34.2.3.5 Policy Enforcement Functional Entity (PE-FE) 16g35 Use Cases . 16g35.1 UC1: Software as
13、 a Service 16g35.1.1 Description 16g35.1.2 Actors 16g35.1.2.1 Actors specific Issues 17g35.1.2.2 Actors specific benefits . 17g35.1.3 Pre-Conditions 17g35.1.4 Post-Condition 18g35.1.5 Normal Flow . 18g35.2 UC2: Enterprise Environment 19g35.2.1 Description 19g35.2.2 Actors 19g35.2.2.1 Actors specific
14、 Issues 19g35.2.2.2 Actors specific Benefits 19g35.2.3 Pre-Conditions 20g35.2.4 Post-Conditions. 20g35.2.5 Normal Flow . 20g35.3 UC3: Roaming Network Access 21g35.3.1 Description 21g35.3.2 Actors 21g35.3.2.1 Actors Specific Issues . 21g35.3.2.2 Actor Specific Benefits . 22g3ETSI ETSI GS INS 002 V1.1
15、.1 (2010-09) 45.3.3 Pre-conditions . 22g35.3.4 Post-conditions . 22g35.3.5 Example Flow . 23g35.4 Summary Table of Use Cases. 23g36 Requirements 24g36.1 General Access Control Framework Requirements . 24g36.1.1 Policy Management 24g36.1.2 Decision 25g36.1.3 Enforcement 26g36.2 Distributed Access Con
16、trol Requirements . 26g36.2.1 Policy Management 27g36.2.2 Decision 27g36.2.3 Enforcement 27g36.3 Telecommunications Requirements . 28g36.4 Access Control and Identity Management Requirements. 29g36.5 Summary Table of Requirements and Map to Use Cases 30g37 Conclusion 32g3Annex A (informative): Bibli
17、ography . 33g3History 34g3ETSI ETSI GS INS 002 V1.1.1 (2010-09) 5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-mem
18、bers, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/webapp.etsi.org/IPR/home
19、.asp). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the
20、present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification (ISG) Identity and access management for Networks and Services (INS). Introduction Service and network providers need to restrict access to their functions in order to efficiently charge, protec
21、t critical systems and offer personalization. While historically this has been the case for many years, a new type of access control surrounding the user and its data becomes paramount in this day and age. Users are targeted by many different services, not all of them friendly, and require mechanism
22、s to protect their data and information. In addition, the more social services are available, the more information about them is available and the harder it is to ensure that users sensitive data would not be easily subject to theft and misuse. In the present document we analyse not only the require
23、ments for access control related to identity management but also bring this question one step further in considering that providers need to cooperate in order to enforce all the policies related to that users data. This cooperation can be achieved either by exchanging data about the user or the cont
24、ext of the request, sharing policies or, in the case we will evaluate in this document, sharing the decision. In the first part of the present document a summary of some of the activities around access control languages and mechanisms can be found. The second part of the document presents those use
25、cases which we consider present new questions which are not yet addressed by other standardization activities. Finally, the third part of the document introduces a set of requirements extracted from the use cases. ETSI ETSI GS INS 002 V1.1.1 (2010-09) 61 Scope The present document will provide requi
26、rements on the use and application of distributed policy management, decision and enforcement in a hybrid environment (operator and services domains). 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific
27、 references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOT
28、E: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references The
29、following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 H. Schulzrinne, H. Tschofenig, J. Morris, J. Cuellar, J. Polk, and J. Rosenberg: “A Document Format for Expressing Privacy Preferences f
30、or Location Information“, Nov 2003 Feb 2006, IETF draft (draft-ietf-geopriv-policy-08.txt). NOTE: See http:/tools.ietf.org/wg/geopriv/. i.2 H. Schulzrinne, H. Tschofenig, J. Morris, J. Cuellar, J. Polk, and J. Rosenberg: “Common Policy: A Document Format for Expressing Privacy Preferences“, Feb 2004
31、 Aug 2006, IETF draft (draft-ietf-geopriv-common-policy-11.txt). NOTE: See http:/tools.ietf.org/wg/geopriv/. i.3 H. Tschofenig, H. Schulzrinne, A. Newton, J. Peterson, A Mankin, The IETF Geopriv and presence architecture focusing on location privacy, Position paper at W3C Workshop on Languages for P
32、rivacy Policy Negotiation and Semantics-Driven Enforcement, Ispra, Italy, 2006. i.4 IETF RFC 4745: “Common Policy: A Document Format for Expressing Privacy Preferences“. NOTE: See http:/www.rfc-editor.org/rfc/rfc4745.txt. i.5 T. Moses, eXtensible Access Control Markup Language (XACML) Version 2.0 OA
33、SIS Standard, Entrust Inc., 1 Feb 2005. NOTE: See http:/docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf. i.6 IETF RFC 2753: “A Framework for Policy-based Admission Control“. NOTE: See http:/www.ietf.org/rfc/rfc2753.txt. i.7 ISO/IEC 10181-3 (1966): “Information technology - Op
34、en Systems Interconnection - Security frameworks for open systems: Access control framework“. ETSI ETSI GS INS 002 V1.1.1 (2010-09) 7i.8 Moses, T., ed., OASIS Privacy policy profile of XACML v2.0, OASIS Standard 1 Feb 2005. NOTE: See http:/docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-priva
35、cy_profile-spec-os.pdf. i.9 T.Moses et al.,“XACML Profile for Web Services“, OASIS TC Working Draft, September 29th, 2003. NOTE: See www.oasis-open.org/committees/download.php/3661/draft-xacml-wspl-04.pdf. i.10 Anderson, A., ed., Core and hierarchical role based access control (RBAC) profile of XACM
36、L v2.0; OASIS Standard, February 1, 2005. NOTE: See http:/docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf. i.11 Erik Rissanen et al., “XACML 3.0 administrative policy“, working draft 07, 3 November 2008. NOTE: See http:/www.oasis-open.org/committees/tc_home.php?wg_ab
37、brev=xacml. i.12 IBM, Enterprise Privacy Authorization Language (EPAL), Version 1.2, 2003. NOTE: See http:/www.w3.org/Submission/2003/SUBM-EPAL-20031110/. i.13 A. H. Anderson. A comparison of two 5, New York, NY, USA, 2006. ACM Press. i.14 IETF RFC 3261: “SIP: Session Initiation Protocol“. 3 Abbrevi
38、ations For the purposes of the present document, the following abbreviations apply: 3GPP Third Generation Partnership Project AF Application Function BGF Border Gateway Function BGS Border Gateway ServicesBTF Basic Transport Functions CPN Customer Premises Network EPAL Enterprise Privacy Authorizati
39、on Language FMC Fixed and Mobile Converged GBR Guaranteed Bit Rate GGSN Gateway GPRS Service Node GPRS General Package Radio Service IdM Identity Management IdP Identity ProviderIP Internet Protocol ITU-T International Telecommunication Union MBR Maximum Bit Rate NACF Network Attachment Control Func
40、tions NAPT Network Address and Port Translation NASS Network Attachment Sub-System NAT Network Address Translation NO Network Operator OASIS Organization for the Advancement of Structured Information Standards OCS On-line Charging System PAP Policy Administration Point PCC Policy Control and Chargin
41、g PCEF Policy and Charging Enforcement Function PCRF Policy Control and Charging Rule Function PD-FE Policy Decision Function Entity PDG Packet Data Gateway PDN Packet Data Network PDP Policy Decision Point PE-FE Policy Enforcement Functional Entity ETSI ETSI GS INS 002 V1.1.1 (2010-09) 8PEP Policy
42、Enforcement Point PIP Policy Information Point QoS Quality of Service RACF Resource and Admission Control Functions RACS Resource and Admission Control Subsystem RBAC Role Based Access Control RCEF Resource Control Enforcement Function SaaS Software as a Service SBP Service-Based Policy control SCF
43、Service Control Function SDO Standards Development Organization SDP Service Delivery Platform SIP Session Initiation Protocol SLA Service Level Agreement SPDF Service Policy Decision Function SPR Subscription Profile Repository TRC-FE Transport Resource Control Functional Entity UE User Equipment Wi
44、Fi Wireless FidelityWLAN Wireless LAN WS Web ServiceXACML eXtensible Access Control Markup Language XML eXtended Mark up Language 4 Current Landscape The need for Identity Management has surpassed the enterprise and web providers world. Today, the need for Identity Management is present whenever the
45、 user needs to login or the provider needs information about the user. Information, authentication and authorization should be consistent and act as the glue between the different applications the user interacts with. Access Control is one important aspect in the users control of his/her identity. I
46、n a Distributed Identity Management Platform the user should be able to deal with various services, specify the preferences regarding the information revealed, coordinate between different hierarchical entities of an Identity Management Platform. Access policies have the tendency to grow more comple
47、x over time. A policy may also depend on (generic) privacy policies which must be enforced by organizations due to legal regulations. Enterprises have complex policies instantiated by different divisions. In case of SaaS, two major reasons come into play: on the one hand these services could be comp
48、osed from various elements, thus access to the service as a whole depends on access privileges from all those providers. On the other hand, the SaaS domain can be outside of the enterprise domain. Both these reasons imply that a monolithic policy definition is impractical. The key point of Distribut
49、ed Access Control is to introduce an abstraction or modularization which splits the policies into building blocks. Through these building blocks, specific aspects (e.g. generic data privacy) could be specified. As each policy can have its own notion of subject, resources and action, an important aspect is the mapping of these definitions between different sets of policies. 4.1 General Access Control Frameworks 4.1.1 IETF Geopriv Working Group Policies Frameworks The IETF Geographic Location/Privacy (Geopriv) working group has defined
