6.22 Unified access control
3GPP TS 22.261, Release 18, Service requirements for the 5G system
6.22.1 Description
Depending on operator’s policies, deployment scenarios, subscriber profiles, and available services, different criteria will be used in determining which access attempt should be allowed or blocked when congestion occurs in the 5G System. These different criteria for access control are associated with Access Identities and Access Categories. The 5G system will provide a single unified access control where operators control accesses based on these two.
In unified access control, each access attempt is categorized into one or more of the Access Identities and one of the Access Categories. Based on the access control information applicable for the corresponding Access Identity and Access Category of the access attempt, the UE performs a test whether the actual access attempt can be made or not.
The unified access control supports extensibility to allow inclusion of additional standardized Access Identities and Access Categories and supports flexibility to allow operators to define operator-defined Access Categories using their own criteria (e.g. network slicing, application, and application server).
NOTE: Clauses 4.1 through 4.4a of TS 22.011 are obsolete and replaced by clause 6.22.2 of this specification. However, when a UE is configured for EAB according to TS 22.011, the UE is also configured for delay tolerant service for 5G system.
6.22.2 Requirements
6.22.2.1 General
Based on operator policy, the 5G system shall be able to prevent UEs from accessing the network using relevant barring parameters that vary depending on Access Identity and Access Category. Access Identities are configured at the UE as listed in Table 6.22.2.2-1. Access Categories are defined by the combination of conditions related to UE and the type of access attempt as listed in Table 6.22.2.3-1. One or more Access Identities and only one Access Category are selected and tested for an access attempt.
The 5G network shall be able to broadcast barring control information (i.e. a list of barring parameters associated with an Access Identity and an Access Category) in one or more areas of the RAN.
The UE shall be able to determine whether or not a particular new access attempt is allowed based on barring parameters that the UE receives from the broadcast barring control information and the configuration in the UE.
In the case of multiple core networks sharing the same RAN, the RAN shall be able to apply access control for the different core networks individually.
The unified access control framework shall be applicable both to UEs accessing the 5G CN using E-UTRA and to UEs accessing the 5G CN using NR.
The unified access control framework shall be applicable to UEs in RRC Idle, RRC Inactive, and RRC Connected at the time of initiating a new access attempt (e.g. new session request).
NOTE 1: "new session request" in RRC Connected refers to events, e.g. new MMTEL voice or video session, sending of SMS (SMS over IP, or SMS over NAS), sending of IMS registration related signalling, new PDU session establishment, existing PDU session modification, and service request to re-establish the user plane for an existing PDU session.
The 5G system shall support means by which the operator can define operator-defined Access Categories to be mutually exclusive.
NOTE 2: Examples of criteria for operator-defined Access Categories are network slicing, application, and application server.
The unified access control framework shall be applicable to inbound roamers to a PLMN.
The serving PLMN should be able to provide the definition of operator-defined Access Categories to the UE.
6.22.2.2 Access identities
Table 6.22.2.2-1: Access Identities
| Access Identity number | UE configuration |
|---|---|
| 0 | UE is not configured with any parameters from this table |
| 1 (NOTE 1) | UE is configured for Multimedia Priority Service (MPS). |
| 2 (NOTE 2) | UE is configured for Mission Critical Service (MCS). |
| 3 | UE for which Disaster Condition applies (NOTE 4) |
| 4-10 | Reserved for future use |
| 11 (NOTE 3) | Access Class 11 is configured in the UE. |
| 12 (NOTE 3) | Access Class 12 is configured in the UE. |
| 13 (NOTE 3) | Access Class 13 is configured in the UE. |
| 14 (NOTE 3) | Access Class 14 is configured in the UE. |
| 15 (NOTE 3) | Access Class 15 is configured in the UE. |

NOTE 1: Access Identity 1 is used by UEs configured for MPS, in the PLMNs where the configuration is valid. The PLMNs where the configuration is valid are HPLMN, PLMNs equivalent to HPLMN, and visited PLMNs of the home country.
NOTE 2: Access Identity 2 is used by UEs configured for MCS, in the PLMNs where the configuration is valid. The PLMNs where the configuration is valid are HPLMN or PLMNs equivalent to HPLMN and visited PLMNs of the home country. Access Identity 2 is also valid when the UE is explicitly authorized by the network based on specific configured PLMNs inside and outside the home country.
NOTE 3: Access Identities 11 and 15 are valid in Home PLMN only if the EHPLMN list is not present or in any EHPLMN. Access Identities 12, 13 and 14 are valid in Home PLMN and visited PLMNs of home country only. For this purpose, the home country is defined as the country of the MCC part of the IMSI.
NOTE 4: The configuration is valid for PLMNs that indicate to potential Disaster Inbound Roamers that the UEs can access the PLMN. See clause 6.31.

Any number of these Access Identities may be barred at any one time.
6.22.2.3 Access categories
Table 6.22.2.3-1: Access Categories
| Access Category number | Conditions related to UE | Type of access attempt |
|---|---|---|
| 0 | All | MO signalling resulting from paging |
| 1 (NOTE 1) | UE is configured for delay tolerant service and subject to access control for Access Category 1, which is judged based on relation of UE’s HPLMN and the selected PLMN. | All except for Emergency, or MO exception data |
| 2 | All | Emergency |
| 3 | All except for the conditions in Access Category 1. | MO signalling on NAS level resulting from other than paging |
| 4 | All except for the conditions in Access Category 1. | MMTEL voice (NOTE 3) |
| 5 | All except for the conditions in Access Category 1. | MMTEL video |
| 6 | All except for the conditions in Access Category 1. | SMS |
| 7 | All except for the conditions in Access Category 1. | MO data that do not belong to any other Access Categories (NOTE 4) |
| 8 | All except for the conditions in Access Category 1 | MO signalling on RRC level resulting from other than paging |
| 9 | All except for the conditions in Access Category 1 | MO IMS registration related signalling (NOTE 5) |
| 10 (NOTE 6) | All | MO exception data |
| 11-31 | Reserved standardized Access Categories | |
| 32-63 (NOTE 2) | All | Based on operator classification |

NOTE 1: The barring parameter for Access Category 1 is accompanied with information that define whether Access Category applies to UEs within one of the following categories:
NOTE 2: When there are an Access Category based on operator classification and a standardized Access Category to both of which an access attempt can be categorized, and the standardized Access Category is neither 0 nor 2, the UE applies the Access Category based on operator classification. When there are an Access Category based on operator classification and a standardized Access Category to both of which an access attempt can be categorized, and the standardized Access Category is 0 or 2, the UE applies the standardized Access Category.
NOTE 3: Includes Real-Time Text (RTT).
NOTE 4: Includes IMS Messaging.
NOTE 5: Includes IMS registration related signalling, e.g. IMS initial registration, re-registration, and subscription refresh.
NOTE 6: Applies to access of a NB-IoT-capable UE to a NB-IOT cell connected to 5GC when the UE is authorized to send exception data.

Access Category 0 in Table 6.22.2.3-1 shall not be barred, irrespective of Access Identities.
NOTE: The network can control the amount of access attempts relating to Access Category 0 by controlling whether to send paging or not.
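The PLMN validity rules in the notes to Table 6.22.2.2-1 and the precedence rule in NOTE 2 of Table 6.22.2.3-1 can be expressed as UE-side checks. The following is an added example, not part of the specification; the `SelectedPlmn` model, its field names and the function names are assumptions of this example, and Access Identity 3 and the reserved values are not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class SelectedPlmn:
    """Hypothetical model of how the selected PLMN relates to the subscriber."""
    is_hplmn: bool = False
    is_equivalent_hplmn: bool = False        # PLMN equivalent to HPLMN / EHPLMN
    ehplmn_list_present: bool = False
    visited_in_home_country: bool = False    # same country as the MCC part of the IMSI
    explicitly_authorizes_mcs: bool = False  # "explicitly authorized by the network"

def valid_access_identities(configured: set[int], plmn: SelectedPlmn) -> set[int]:
    """Return the configured Access Identities that are valid in this PLMN."""
    home = plmn.is_hplmn or plmn.is_equivalent_hplmn
    rules = {
        1: home or plmn.visited_in_home_country,              # NOTE 1 (MPS)
        2: home or plmn.visited_in_home_country
           or plmn.explicitly_authorizes_mcs,                 # NOTE 2 (MCS)
        12: plmn.is_hplmn or plmn.visited_in_home_country,    # NOTE 3
    }
    rules[13] = rules[14] = rules[12]
    # NOTE 3: the HPLMN counts only when no EHPLMN list is present; any EHPLMN counts.
    rules[11] = rules[15] = plmn.is_equivalent_hplmn or (
        plmn.is_hplmn and not plmn.ehplmn_list_present)
    # Identity 3 (clause 6.31) and reserved 4-10 are not modelled: never valid here.
    return {ai for ai in configured if rules.get(ai, False)}

def select_access_category(standardized: int, operator_defined: int | None = None) -> int:
    """Apply NOTE 2 of Table 6.22.2.3-1 when an attempt matches both kinds."""
    if not 0 <= standardized <= 10:
        raise ValueError("standardized Access Categories 11-31 are reserved")
    if operator_defined is None:
        return standardized
    if not 32 <= operator_defined <= 63:
        raise ValueError("operator-defined Access Categories are 32-63")
    # Paging responses (0) and emergency (2) keep the standardized category.
    return standardized if standardized in (0, 2) else operator_defined

def barring_can_apply(category: int) -> bool:
    """Access Category 0 shall not be barred, irrespective of Access Identities."""
    return category != 0
```
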