4.9 Access control capability

3GPP TS 28.533: Architecture framework (Management and orchestration), Release 17

4.9.1 Authentication service

Authentication service producer provides identity management capabilities to provision MnS consumer/producer, group of MnS consumers/producers and authentication policies for the identities.

Authentication service producer provides capabilities for authentication of MnS consumer explicitly or implicitly.

NOTE 1: Explicit authentication: the MnS consumer interacts directly with the authentication service producer to acquire an authentication assertion, which it then uses to interact with the MnS producer or the authorization service producer.

NOTE 2: Implicit authentication: the MnS consumer interacts indirectly with the authentication service producer, via the MnS producer, to establish a secure session.

NOTE 3: A certificate issued by a trusted CA is used by the MnS consumer/producer to authenticate the authentication service producer. E.g. when a MnS consumer accesses the authentication service through Transport Layer Security (TLS) (see [33]), the MnS consumer/producer can authenticate the authentication service producer by validating the signature made with the producer's certificate issued by the trusted CA.

NOTE 4: Generally, a certificate issued by a trusted CA is used by the MnS consumer to authenticate a MnS producer. E.g. when a MnS consumer accesses the MnS through TLS (see [33]) or SSH (see [34]), the MnS consumer can authenticate the MnS producer by validating the signature made with the producer's certificate issued by the trusted CA.

The Authentication Service producer can be deployed at different levels, for example at a domain level (e.g. in the RAN or CN domain) and/or in a centralized manner (e.g. at the PLMN level).

NOTE 5: If the MnS consumer and the MnS producer to be accessed are inside the same domain, the Authentication Service producer may be deployed at domain level to support authenticating the MnS consumer explicitly or implicitly. If the MnS consumer and the MnS producer to be accessed are in different domains, the Authentication Service producer is deployed in a centralized manner to support authenticating the MnS consumer explicitly or implicitly.

Figure 4.9.1-1: Authentication capability on service based architecture

4.9.2 Authorization service

Authorization service producer provides management capabilities to provision access permissions on MnSs for a MnS consumer or a group of MnS consumers.

Authorization service producer provides capabilities to grant permissions to a MnS consumer explicitly or implicitly.

NOTE 1: Explicit authorization: the MnS consumer interacts with the authorization service producer to acquire an access token, which it presents when interacting with the MnS producer. The MnS producer enforces access control by verifying the access token. A token may include a list of permissions with conditions and a digital signature produced by the authorization service producer.

NOTE 2: Implicit authorization: the MnS producer enforces access control using local policies, which may be preconfigured locally or synchronized from a centralized authorization service producer, for the current authentication context.
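As an added illustration of the explicit authorization flow in NOTE 1 (this is example code, not part of TS 28.533 or any 3GPP implementation), the following Go program shows both sides: the authorization service producer issuing a signed token, and the MnS producer enforcing it. It assumes an Ed25519 signature, a constructed JSON token layout whose permission list carries a domain condition and a lifetime condition, and the ProvMnS operation names only as sample values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Permission is one list entry with its condition (constructed layout; the spec defines no token format).
type Permission struct {
	MnS       string `json:"mns"`    // management service, e.g. "ProvMnS"
	Operation string `json:"op"`     // operation on that MnS
	Domain    string `json:"domain"` // condition: only valid inside this domain
}

// Claims is the payload the authorization service producer signs.
type Claims struct {
	Consumer    string       `json:"consumer"`
	Expiry      int64        `json:"exp"` // unix seconds; lifetime condition
	Permissions []Permission `json:"perms"`
}

// Issue (authorization service producer side): the token is the serialized claims plus a signature over them.
func Issue(priv ed25519.PrivateKey, c Claims) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(c); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// Enforce (MnS producer side): check the signature first, then the
// lifetime condition, then look for a permission matching the request.
func Enforce(pub ed25519.PublicKey, payload, sig []byte, now int64, mns, op, domain string) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if now >= c.Expiry {
		return errors.New("token expired")
	}
	for _, p := range c.Permissions {
		if p.MnS == mns && p.Operation == op && p.Domain == domain {
			return nil
		}
	}
	return errors.New("no permission for this request")
}
```

The MnS producer only needs the authorization service producer's public key; a token signed by any other key, modified in transit, expired, or lacking a permission whose conditions match the request is rejected before any management operation runs.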

The Authorization Service producer can be deployed at different levels, for example at a domain level (e.g. in the RAN or CN domain) and/or in a centralized manner (e.g. at the PLMN level). The centralized Authorization Service producer may be named the Cross Domain Authorization Service producer.

NOTE 3: The Authorization Service producer may be deployed at domain level to support access control between a MnS consumer and producer inside the same domain. Specifically, a domain Authorization Service producer may be deployed together with the management service producer. The Authorization Service producer is deployed in a centralized manner especially to support access control between a MnS consumer and producer from different domains.

Figure 4.9.2-1: Authorization capability on service based architecture