J.3 Authorisation fields

3GPP TS 33.180 Release 17: Security of the Mission Critical (MC) service

J.3.1 General

Authorisation fields are used to convey the entity’s authorisations within the entity’s identity. They are a set of name, value pairs added as SIP URI Headers.

J.3.2 Authorisation field names

MC authorisation fields are encoded using the standard SIP URI Header mechanism (RFC 3261). After the ‘?’, the fields are encoded as ampersand separated hname = hvalue pairs. Each authorisation hvalue is a bit field denoting the entity’s permissions. The bit fields are defined in Clause J.3.3. The bit field is encoded in hex within the SIP URI.

Table J.3.2-1 contains the defined SIP URI header names (hname) for the authorisation fields.

Table J.3.2-1: SIP URI Header name denoting a MC authorisation field

SIP URI Header name | Purpose | Table defining value bit-field
mc-role-client | Defines the authorised roles for the client | Table J.3.2-1
mc-role-server | Defines the authorised roles for the network function/entity | Table J.3.2-2
mc-priv-mcptt | Defines the authorised MCPTT privileged signalling. | Table J.3.3-1
mc-priv-mcvideo | Defines the authorised MCVideo privileged signalling. | Table J.3.3-2
mc-priv-mcdata | Defines the authorised MCData privileged signalling. | Table J.3.3-3
mc-offnet-mcptt | Defines the authorised MCPTT off-network signalling. | Table J.3.4-1
mc-offnet-mcvideo | Defines the authorised MCVideo off-network signalling. | Table J.3.4-2
mc-offnet-mcdata | Defines the authorised MCData off-network signalling. | Table J.3.4-3

J.3.3 Authorisation field values

J.3.3.1 General

The tables contained in this clause define the bit fields used for authorisation. In the tables, the byte ordering is left-most byte first. The bit ordering is least-significant bit first.

The bit fields may be extended with further bytes in future specifications. Any bytes within the authorisation fields of a MC Service ID that do not correspond with a bit in a table below shall be ignored. The maximum length of a bit field shall be 1024 bits (or 256 hex characters).

J.3.3.2 Role authorisations

Table J.3.3.2-1: User role authorisations (mc-role-client)

Byte | Bit | Role authorisation | Idm scope definition
0 | 0 | MCPTT client | "3gpp:mc:auth:role:client:ptt"
0 | 1 | MCVideo client | "3gpp:mc:auth:role:client:video"
0 | 2 | MCData client | "3gpp:mc:auth:role:client:data"

Table J.3.3.2-2: Server role authorisations (mc-role-server)

Byte | Bit | Role authorisation | Idm scope definition
0 | 0 | Group Management Server | "3gpp:mc:auth:role:server:gms"
0 | 1 | CS Proxy | "3gpp:mc:auth:role:server:cs_proxy"
0 | 2 | IS Proxy | "3gpp:mc:auth:role:server:is_proxy"
0 | 3 | MCPTT server | "3gpp:mc:auth:role:server:mcptt"
0 | 4 | MCVideo server | "3gpp:mc:auth:role:server:mcvideo"
0 | 5 | MCData server | "3gpp:mc:auth:role:server:mcdata"

J.3.3.3 Authorisations for privileged signalling

Table J.3.3.3-1: MCPTT privileged signalling authorisations (mc-priv-mcptt)

Byte | Bit | Privileged signalling authorisation | Idm scope definition
0 | 0 | MCPTT Private call request in automatic commencement mode (TS 23.379). | "3gpp:mc:auth:priv:mcptt:automatic_private_call"
0 | 1 | MCPTT Ambient listening call request (TS 23.379). | "3gpp:mc:auth:priv:mcptt:ambient_listening"
0 | 2 | MCPTT Remotely initiated MCPTT call request, in unnotified mode (TS 23.379). | "3gpp:mc:auth:priv:mcptt:unnotified_remote_call"

Table J.3.3.3-2: MCVideo privileged signalling authorisations (mc-priv-mcvideo)

Byte | Bit | Privileged signalling authorisation | Idm scope definition
0 | 0 | MCVideo Private call request (including private call, video pull and video push) in automatic commencement mode (TS 23.281). | "3gpp:mc:auth:priv:mcvideo:automatic_private_call"
0 | 1 | MCVideo Remote video push request in automatic commencement mode (TS 23.281). | "3gpp:mc:auth:priv:mcvideo:automatic_remote_video_push"
0 | 2 | MCVideo Ambient viewing call request (TS 23.281). | "3gpp:mc:auth:priv:mcvideo:ambient_viewing"

Table J.3.3.3-3: MCData privileged signalling authorisations (mc-priv-mcdata)

Byte | Bit | Privileged signalling authorisation | Idm scope definition
0 | 0 | MCData standalone data request for application consumption (TS 23.282). | "3gpp:mc:auth:priv:mcdata:sds:unnotified_req"
0 | 1 | MCData standalone session data request for application consumption (TS 23.282). | "3gpp:mc:auth:priv:mcdata:sds:unnotified_standalone_session_req"
0 | 2 | MCData session data request for application consumption (TS 23.282). | "3gpp:mc:auth:priv:mcdata:sds:unnotified_session_req"
0 | 3 | MCData group standalone data request for application consumption (TS 23.282). | "3gpp:mc:auth:priv:mcdata:sds:unnotified_group_standalone_req"
0 | 4 | MCData group data request for application consumption (TS 23.282). | "3gpp:mc:auth:priv:mcdata:sds:unnotified_group_req"
0 | 5 | MCData FD request with mandatory indication (TS 23.282). | "3gpp:mc:auth:priv:mcdata:fd:mandatory_req"
0 | 6 | MCData group standalone FD request with mandatory indication (TS 23.282). | "3gpp:mc:auth:priv:mcdata:fd:mandatory_group_req"

J.3.3.4 Authorisations for off-network signalling

Table J.3.3.4-1: MCPTT Off-network signalling authorisations (mc-offnet-mcptt)

Byte | Bit | Off-network signalling authorisation | Idm scope definition
0 | 0 | Permission to transmit MCPTT off-network | "3gpp:mc:auth:offnet:mcptt:use"
0 | 1 | MCPTT Group call announcement (TS 23.379). | "3gpp:mc:auth:offnet:mcptt:group_call_announcement"
0 | 2 | MCPTT emergency alert announcement (TS 23.379). | "3gpp:mc:auth:offnet:mcptt:emergency_alert_announcement"
0 | 3 | MCPTT Call setup request (TS 23.379). | "3gpp:mc:auth:offnet:mcptt:call_setup_req"

Table J.3.3.4-2: MCVideo Off-network signalling authorisations (mc-offnet-mcvideo)

Byte | Bit | Off-network signalling authorisation | Idm scope definition
0 | 0 | Permission to transmit MCPTT off-network | "3gpp:mc:auth:offnet:mcvideo:use"
0 | 1 | MCVideo Group communication announcement (TS 23.281). | "3gpp:mc:auth:offnet:mcvideo:group_communication_announcement"
0 | 2 | MCVideo emergency alert announcement (TS 23.281). | "3gpp:mc:auth:offnet:mcvideo:emergency_alert_announcement"
0 | 3 | MCVideo Private communication request (TS 23.281). | "3gpp:mc:auth:offnet:mcvideo:private_communication_req"
0 | 4 | MCVideo Capability request (TS 23.281). | "3gpp:mc:auth:offnet:mcvideo:capability_req"
0 | 5 | MCVideo Activity request (TS 23.281). | "3gpp:mc:auth:offnet:mcvideo:activity_req"

Table J.3.3.4-3: MCData Off-network signalling authorisations (mc-offnet-mcdata)

Byte | Bit | Off-network signalling authorisation | Idm scope definition
0 | 0 | Permission to transmit MCPTT off-network | "3gpp:mc:auth:offnet:mcdata:use"
0 | 1 | MCData standalone data request (Clause 7.4.3.3.2, TS 23.282). | "3gpp:mc:auth:offnet:mcdata:standalone_data_req"
0 | 2 | MCData group standalone data request (Clause 7.4.3.4.2, TS 23.282). | "3gpp:mc:auth:offnet:mcdata:group_standalone_data_req"

J.3.4 Example Authorised Identities

J.3.4.1 General

This clause contains examples of Authorised Identities using the names from Clause J.3.2 and the values from Clause J.3.3.

J.3.4.2 PTT User (on and off-network)

If a user has the following MC Service ID (without authorisation):

sip:mc.user@example.org

If the user is authorised to use an MCPTT client, on and off-network (but no privileged signalling), then the IdM-provided access token sent to the KMS will contain the following values in the scope:

"3gpp:mc:auth:role:client:ptt"

"3gpp:mc:auth:offnet:mcptt:use"

"3gpp:mc:auth:offnet:mcptt:group_call_announcement"

"3gpp:mc:auth:offnet:mcptt:emergency_alert_announcement"

"3gpp:mc:auth:offnet:mcptt:call_setup_req"

The following is the user’s authorised MC Service ID:

sip:mc.user@example.org?mc-role-client=01&mc-offnet-mcptt=0f

If supported, the KMS shall provision keys to the user’s KM client for both the original MC Service ID and the authorised MC Service ID.

J.3.4.3 Dispatcher

If we assume a dispatcher has full permission to take any action (on-network) and the following MC Service ID:

sip:mc.dispatcher@example.org

Then the authorised MC Service ID is:

sip:mc.dispatcher@example.org?mc-role-client=07&mc-priv-mcptt=07&mc-priv-mcvideo=07&mc-priv-mcdata=7f
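As an added worked example (not part of TS 33.180), the following Python encodes and decodes authorisation fields for the two identities above, using the Clause J.3.2 header names, the Clause J.3.3.1 byte/bit ordering and length cap, and a subset of the Clause J.3.3 bit tables (client roles, MCPTT privileged signalling, MCPTT off-network signalling). The function names, and the choice to skip header names not in the tables, are this example's own assumptions.

```python
# Added example (not from TS 33.180): encode/decode Annex J authorisation fields.
# Subset of the Annex J bit tables, hname -> {(byte, bit): IdM scope}.
AUTH_TABLES = {
    "mc-role-client": {
        (0, 0): "3gpp:mc:auth:role:client:ptt",
        (0, 1): "3gpp:mc:auth:role:client:video",
        (0, 2): "3gpp:mc:auth:role:client:data",
    },
    "mc-priv-mcptt": {
        (0, 0): "3gpp:mc:auth:priv:mcptt:automatic_private_call",
        (0, 1): "3gpp:mc:auth:priv:mcptt:ambient_listening",
        (0, 2): "3gpp:mc:auth:priv:mcptt:unnotified_remote_call",
    },
    "mc-offnet-mcptt": {
        (0, 0): "3gpp:mc:auth:offnet:mcptt:use",
        (0, 1): "3gpp:mc:auth:offnet:mcptt:group_call_announcement",
        (0, 2): "3gpp:mc:auth:offnet:mcptt:emergency_alert_announcement",
        (0, 3): "3gpp:mc:auth:offnet:mcptt:call_setup_req",
    },
}
MAX_HEX_CHARS = 256  # 1024-bit cap from Clause J.3.3.1

def decode_field(hname, hvalue):
    """Hex -> scopes. Byte 0 is left-most, bit 0 the LSB; unknown bits ignored."""
    if not hvalue or len(hvalue) > MAX_HEX_CHARS or len(hvalue) % 2:
        raise ValueError(f"malformed bit field {hname}={hvalue!r}")
    data = bytes.fromhex(hvalue)
    return {s for (b, bit), s in AUTH_TABLES[hname].items()
            if b < len(data) and data[b] >> bit & 1}

def encode_field(hname, scopes):
    """Scopes -> lowercase hex bit field, '' when none of this field's bits is set."""
    positions = [pos for pos, s in AUTH_TABLES[hname].items() if s in scopes]
    field = bytearray(max((b for b, _ in positions), default=-1) + 1)
    for b, bit in positions:
        field[b] |= 1 << bit
    return field.hex()

def scopes_from_authorised_id(uri):
    """'sip:user@host?h1=v1&h2=v2' -> (base MC Service ID, set of scopes)."""
    base, _, query = uri.partition("?")
    scopes = set()
    for pair in filter(None, query.split("&")):
        hname, _, hvalue = pair.partition("=")
        if hname in AUTH_TABLES:  # assumption: unknown header names are skipped
            scopes |= decode_field(hname, hvalue)
    return base, scopes

def authorised_id(base, scopes):
    fields = [f"{h}={v}" for h in AUTH_TABLES if (v := encode_field(h, scopes))]
    return base + ("?" + "&".join(fields) if fields else "")
```

Fields whose bit field would be all zeros are omitted from the authorised identity, which is why the PTT user's identity carries no mc-priv-mcptt header.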

Annex K (informative):
Non-3GPP security mechanisms