Access Control Policies – Who Can See What in an IoT System
Our last post described oneM2M’s use of REST APIs for communications between a sensor, an IoT platform (CSE in oneM2M terms) and a visualization dashboard. Real IoT systems are more complicated than this basic setup because they contain multiple sensors and multiple consumers of IoT data. Examples include actuators, databases, decision-making systems, and users from different business units, among others.
For operational purposes, there can be reasons to control which entities are permitted to interact with one another. In other words, “who is allowed to see or update what.” The use of access control policies allows system architects to control the way that data-consuming endpoints access IoT data.
oneM2M uses Access Control Lists to allow and filter access to individual resources or attributes. Without the proper access rights, a CSE’s security mechanisms prevent an entity that forms part of an IoT system from retrieving or performing actions on system resources and IoT data.
Each permission can be parameterized with further dependencies, such as schedules (to control access based on time), location information (to control access based on geographic location), IP address ranges, and more. These possibilities enable fine-grained access controls that cover many use cases.
Each REST API request represents an operation (such as CREATE, RETRIEVE, UPDATE, DELETE), has an originator, and is directed at a target resource. A request tuple (originator, resource, operation) sent by an Application Entity (AE) is checked by a CSE against all the assigned permissions. The processing sequence identifies and authenticates the sender, authorizes and then performs the requested operation.
By default, access to a resource is denied. If any single assigned permission grants access, the request is allowed and executed by the CSE. Watch the accompanying animation to see oneM2M’s Access Control functionality in action. For hands-on experience, follow the link below to a video talk and a Jupyter Notebook that show Access Control in action.
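The evaluation described above (request tuple checked against every assigned permission, optional schedule and IP-range conditions on each permission, default deny, any single grant wins) can be written out as a small policy evaluator. The following is an added example, not oneM2M reference code and not the notebook linked below. Its structure is modelled on oneM2M's accessControlPolicy resource (rules carrying originators, an operations bitmask and optional contexts), but the class names, the AE-IDs such as C-sensor01 and C-dashboard, the resource path cse-in/temperature, and the addresses and time windows are all constructed for illustration.

```python
"""Toy evaluator for oneM2M-style access control policies (added example, not oneM2M code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Operation bit values follow oneM2M's accessControlOperations encoding.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY, DISCOVERY = 1, 2, 4, 8, 16, 32


@dataclass
class Context:
    """Optional conditions attached to one rule; an empty list means 'no restriction'."""
    windows: List[Tuple[time, time]] = field(default_factory=list)  # (start, end) local time
    ip_ranges: List[str] = field(default_factory=list)              # CIDR strings


@dataclass
class Rule:
    """One permission: which originators may perform which operations, under which context."""
    originators: List[str]       # AE-IDs; the literal "all" matches any originator
    operations: int              # bitmask of permitted operations
    context: Optional[Context] = None


@dataclass
class Request:
    """The (originator, resource, operation) tuple plus the facts needed to check contexts."""
    originator: str
    target: str
    operation: int
    at: datetime
    source_ip: str


def context_allows(ctx: Optional[Context], req: Request) -> bool:
    """A rule's context passes only if every configured condition is satisfied."""
    if ctx is None:
        return True
    if ctx.windows and not any(start <= req.at.time() <= end for start, end in ctx.windows):
        return False
    if ctx.ip_ranges and not any(ip_address(req.source_ip) in ip_network(r) for r in ctx.ip_ranges):
        return False
    return True


def rule_grants(rule: Rule, req: Request) -> bool:
    """A rule grants a request when originator, operation bit and context all match."""
    if "all" not in rule.originators and req.originator not in rule.originators:
        return False
    if not (rule.operations & req.operation):
        return False
    return context_allows(rule.context, req)


def is_authorized(policies: Dict[str, List[Rule]], req: Request) -> bool:
    """Default deny: the request is allowed only if at least one rule on the target grants it."""
    return any(rule_grants(rule, req) for rule in policies.get(req.target, []))


# Constructed sample policy for a temperature container (not from the post).
SAMPLE_POLICY: Dict[str, List[Rule]] = {
    "cse-in/temperature": [
        # The sensor AE may CREATE readings, but only from the plant network.
        Rule(["C-sensor01"], CREATE | RETRIEVE, Context(ip_ranges=["10.0.1.0/24"])),
        # The dashboard AE may RETRIEVE during office hours, from any address.
        Rule(["C-dashboard"], RETRIEVE | DISCOVERY,
             Context(windows=[(time(8, 0), time(18, 0))])),
    ]
}


def check(originator: str, target: str, operation: int, when: str, source_ip: str,
          policies: Dict[str, List[Rule]] = SAMPLE_POLICY) -> bool:
    """Build a request from plain values and evaluate it; True means the CSE would execute it."""
    req = Request(originator, target, operation, datetime.fromisoformat(when), source_ip)
    return is_authorized(policies, req)


if __name__ == "__main__":
    cases = [
        ("sensor CREATE from plant LAN, 03:00", "C-sensor01", CREATE, "2024-05-01T03:00:00", "10.0.1.7"),
        ("sensor CREATE from outside LAN",      "C-sensor01", CREATE, "2024-05-01T03:00:00", "192.168.5.5"),
        ("dashboard RETRIEVE at noon",          "C-dashboard", RETRIEVE, "2024-05-01T12:00:00", "203.0.113.9"),
        ("dashboard RETRIEVE at 22:00",         "C-dashboard", RETRIEVE, "2024-05-01T22:00:00", "203.0.113.9"),
        ("dashboard UPDATE at noon",            "C-dashboard", UPDATE, "2024-05-01T12:00:00", "203.0.113.9"),
        ("unknown AE RETRIEVE at noon",         "C-unknown", RETRIEVE, "2024-05-01T12:00:00", "10.0.1.7"),
    ]
    for label, ae, op, when, ip in cases:
        print(f"{label:40s} -> {'ALLOW' if check(ae, 'cse-in/temperature', op, when, ip) else 'DENY'}")
```

Two design points worth noting. First, an unknown originator, an unknown target, or an operation bit absent from every matching rule all fall through to the same answer, deny, without any special casing; that is what the default-deny rule buys you. Second, each context condition is checked only when configured, so a rule with no windows and no IP ranges is simply unconditional, which mirrors how the optional accessControlContexts element behaves.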
#LearnToUseoneM2M-5 #AccessControl #IoT #StandardsMatter
Access Control code example - https://wiki.onem2m.org/index.php?title=OneM2M_Tutorials_using_Jupyter_Notebooks#Episode_6_-_Access_Control