8 Privacy and Authorisation
3GPP TS 22.240 Release 17: Service requirements for 3GPP Generic User Profile (GUP); Stage 1
This clause describes the requirements for the authorization of access to the user profile data. Privacy can be provided by means of the authorization mechanism.
8.1 General Requirements
It shall be possible for the user to define privacy requirements for components of the 3GPP Generic User Profile to determine access rights.
How access and privacy control is carried out, e.g. who is able to control different parts of the user profile including the privacy settings, is agreed in the subscription agreement between the home network operator and the subscriber. The GUP shall provide means to implement access and privacy control according to the different agreements.
The GUP authorization shall be independent of who has set the privacy rules for each part of the GUP data. A generic mechanism shall be provided to ensure that only such data for which there is a valid authority can be created, read, modified or deleted.
The privacy requirements shall fulfil local privacy regulations. Lawful interception and other regulatory requirements may imply that GUP data is delivered to authorities despite the privacy settings.
8.2 Authorisation Rules
Authorisation of the requested action (create, read, modify or delete) on the user profile data depends on the following information:
– identification of the requesting application
– identification of the requesting subscriber (if delivered in the request)
– identification of the targeted user
– identification of the targeted user profile data
The disclosure of the user profile data must be considered based on the identification of the application requesting access to the data. The possible identities of the applications will not be standardized but are implementation-specific.
For trusted applications that act on behalf of other subscribers or comparable entities, it shall also be possible to check the access rights of the subscriber being served by the application. This requires that the identification of the served subscriber is passed via the GUP mechanism in addition to the application identification. Access is defined first per application and secondly per served subscriber. Access may also be granted to the public, to a group, or to a list of subscribers.
The identity of the targeted user will be based on the 3GPP network identities (Private and Public User Identities). Public User Identities would normally be applied, but especially within the operator domain the Private User Identity could be used as well.
The targeted user profile data will be controlled per whole user profile and/or per GUP component and/or per GUP data element.
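The following is an added illustration of the authorisation rule just described; it is not part of TS 22.240 and GUP does not standardise any rule format. It assumes (as an illustration only) that a rule is keyed by application identity, that the target data is addressed as a path of the form component/element so that a rule set at profile or component level covers everything below it, that the optional subscriber scope is "public", a named group or an explicit list, and that the decision is deny-by-default, so that data is only disclosed where a valid authority exists.

```python
"""Illustrative GUP-style authorisation check (added example, not from TS 22.240).

Assumptions not given by the specification: rule representation, target
addressing by (component, element) path, and the encoding of subscriber scope.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ACTIONS = frozenset({"create", "read", "modify", "delete"})


@dataclass(frozen=True)
class Rule:
    app_id: str                 # identity of the requesting application (implementation-specific)
    target: Tuple[str, ...]     # () = whole profile, (component,) or (component, element)
    actions: frozenset          # subset of ACTIONS
    # Subscriber scope, checked only after the application matched:
    #   None               -> application-only rule, no served-subscriber check
    #   "public"           -> any (or no) served subscriber
    #   ("group", name)    -> served subscriber must belong to the named group
    #   ("list", ids)      -> served subscriber must be in the explicit set of ids
    scope: object = None


@dataclass(frozen=True)
class Request:
    app_id: str
    target_user: str            # Public or Private User Identity of the targeted user
    target: Tuple[str, ...]
    action: str
    subscriber_id: Optional[str] = None   # served subscriber, only if delivered in the request


class GupAuthorizer:
    def __init__(self, rules_per_user: Dict[str, List[Rule]], groups: Dict[str, Set[str]]):
        self.rules_per_user = rules_per_user
        self.groups = groups

    def _subscriber_allowed(self, scope, subscriber_id: Optional[str]) -> bool:
        if scope is None or scope == "public":
            return True
        if subscriber_id is None:
            return False          # scope needs a subscriber identity that was not delivered
        kind, members = scope
        if kind == "group":
            return subscriber_id in self.groups.get(members, set())
        if kind == "list":
            return subscriber_id in members
        return False

    def decide(self, req: Request) -> bool:
        """Return True only if some rule of the targeted user grants the action."""
        if req.action not in ACTIONS:
            return False
        for rule in self.rules_per_user.get(req.target_user, []):
            if rule.app_id != req.app_id:                       # 1. per application
                continue
            if req.target[:len(rule.target)] != rule.target:    # granularity: rule covers subtree
                continue
            if req.action not in rule.actions:
                continue
            if self._subscriber_allowed(rule.scope, req.subscriber_id):  # 2. per served subscriber
                return True
        return False                                            # deny by default


# Constructed sample policy for one targeted user "user-a" (not real data).
SAMPLE_GROUPS = {"friends": {"sub-b", "sub-c"}}
SAMPLE_RULES = {
    "user-a": [
        Rule("presence-app", ("presence",), frozenset({"read"}), scope=("group", "friends")),
        Rule("operator-provisioning", (), ACTIONS, scope=None),
        Rule("directory-app", ("profile", "nickname"), frozenset({"read"}), scope="public"),
    ]
}
AUTHZ = GupAuthorizer(SAMPLE_RULES, SAMPLE_GROUPS)


def check(app_id: str, target: Tuple[str, ...], action: str, subscriber_id: Optional[str] = None) -> bool:
    return AUTHZ.decide(Request(app_id, "user-a", target, action, subscriber_id))


if __name__ == "__main__":
    print(check("presence-app", ("presence", "status"), "read", "sub-b"))   # friend: True
    print(check("presence-app", ("presence", "status"), "read", "sub-z"))   # not in group: False
    print(check("operator-provisioning", ("presence", "status"), "delete"))  # profile-wide: True
```

The order of checks mirrors the text: the application identity is matched first, then the served subscriber is checked only when the rule requires it, and a request for which no subscriber identity was delivered fails any group or list scope rather than falling through to a broader rule.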
Depending on the service, the privacy of the requested GUP data can additionally be managed at the service level, e.g. in Presence or IMS group management. The privacy rules for these services are specified in the corresponding 3GPP specifications.
The GUP shall also support the possibility that the privacy of specific GUP data is queried from another privacy control system. Existing privacy solutions should be considered and adopted if applicable (e.g. LCS).