Consent and identity management
Overview
First, let's distinguish consent from identity. It is extremely important to know which applications can access or modify a device's data. Applications need to process personal or private enterprise information, but to do so with a "legitimate interest" and a legal basis, they need consent (authorization) from the device owners. Network as Code (NaC) follows a privacy-by-design approach and must comply with data protection regulations, for example the GDPR in Europe and the equivalent regulations of other regions. In practice, this means the device owner decides which applications or APIs may access their devices. Consent management is therefore about granting or revoking the access an application has to specific APIs (and the parameters those APIs expose) for specific devices, so that only authorized devices are acted on.
Now suppose your organization already has several identifiers (IDs) assigned to its devices and needs to manage or authorize them. Identity management means handling these device IDs: it lets you assign different authorization scopes (API names) to different device IDs and organizations. For example, suppose you need consent to query a device's location or to modify its network parameters for Quality of Service (QoS). Before performing either action, you must check that it falls within the scope authorized for that device ID. In other words, an enterprise defines, per device ID, which service or functionality scopes may affect its devices.
TIP: With the NaC SDKs, you can create a `Device` object, which represents a device's ID. There are multiple ways to identify mobile network devices. Learn more.
Consent-specific terminology
- Scope: the feature or operation that is authorized. It is usually defined by the API name, such as "Location Verification" or "Quality of Service on Demand (QoD) sessions". In addition to the API name, a scope may be narrowed with a specific resource name and/or an allowed action, such as "read" or "write", to limit the access.
NOTE: Scope names must come from the list of supported scopes (e.g. `location-retrieval`). Please check the list below.
- Device ID: a phone number or an email-like identifier for the device (or subscriber) in the network, e.g. `36721601234567` or `device@testcsp.net`.
- Authorized Party: the private enterprise, organization, system integrator, etc. that is authorized to use the devices within the defined scopes. The NaC Administrator ("Admin") then validates this authorization with the Operator.
- Operator: the owner of a network that can be used through the NaC APIs.
Getting consent in a Business to Business (B2B) scenario
Let's first consider a B2B scenario in which a farming enterprise owns multiple mobile devices that can be accessed by different organizations to perform different actions. Agriculture has many drone applications, such as crop or soil analysis, yield estimation, taking high-quality images or videos, or even spraying crops. Since different access types can be granted to different organizations or service providers, the enterprise needs to provide a form listing the device IDs, the API scopes, the authorized parties and the operators (which depend on where the devices are located).
Network as Code then links these pieces so that the actions can be performed seamlessly.
The NaC Admin validates the form data with the operators on the list and enables each organization to access its allowed devices and scopes (`qod-sessions`, `location-verification`, `specialized-network-create`, `device-status-roaming`, etc.).
Submitting an authorization request
Here's how private enterprises can get consent for different devices and authorized parties. In the following example, an organization authorizes three different enterprises to access distinct devices.
- The Organization Admin sends the following request via e-mail to support@networkascode.com
- Download the Nokia Network as Code Consent & Authorization template.
- Fill the Device column with phone numbers or external identifiers as device IDs.
- Fill the Scope column only with values from the scope table below; separate multiple scopes for the same device with commas.
- The Authorized Party column should contain the Organization Names exactly as listed in your NaC Portal / API hub dashboard under the "Organizations" top menu.
- Provide the Operator name, i.e. the owner of the network your device is using.
- Fill the Revocation Date with the date on which your organization wants each consent/authorization to end.
Device | Scope | Authorized Party | Operator | Revocation Date |
---|---|---|---|---|
device1@abc.com | location-verification , location-retrieval | Organization 1 | Operator ABC | 2024-06-01 |
36721601234567 | qod-sessions , location-retrieval | Organization 1 | Operator ABC | 2024-12-01 |
device3@abc.com | specialized-network-create , specialized-network-delete | System Integrator 1 | Operator ABC | 2024-03-01 |
Submitting a new request
From time to time it is necessary to add new devices, authorize new scopes or parties, or to delete devices and revoke scopes or authorizations. An Organization Admin can submit a new request whenever necessary, but note that each new request replaces the previous one entirely: any device, scope or authorized party that is not included in the new list loses its authorization and is completely revoked. So, whether you want to add scopes, authorize additional parties or devices, or revoke authorizations, submit a complete new authorization request listing everything that should remain in force, to the Network as Code support e-mail address as described above. Before sending it, compare the new list against the previous submission so that nothing is revoked unintentionally.
Available scopes
Here are all of the scopes you can include or edit in the authorization request.
Scope | Description |
---|---|
device-status-roaming | Get device roaming status |
device-status-connectivity | Get device connectivity status |
location-verification | Verify the location |
location-retrieval | Get the location of a device |
qod-sessions | Allow all QoD-session operations |
qod-profiles-read | Retrieve QoS profiles |
qod-sessions-read | Retrieve QoS sessions |
qod-sessions-write | Create and update QoS sessions |
qod-sessions-delete | Delete QoS sessions |
specialized-network-read | Get slice information |
specialized-network-create | Create a slice |
specialized-network-delete | Delete a slice |
specialized-network-activate | Activate a slice |
specialized-network-deactivate | Deactivate a slice |
specialized-network-attach-device | Attach device to a slice |
specialized-network-detach-device | Detach a device from a slice |
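The two practical checks this page asks for are (1) verifying, before calling an API, that the action is within the scope authorized for a device ID and party (see the identity management paragraph in the overview), and (2) comparing a replacement request with the previous one, since a new request revokes everything it omits (see "Submitting a new request"). The following Python script is an added example, not code from the Network as Code SDK or portal. It assumes the consent table is kept as pipe-separated lines in the layout of the example table above, that the revocation date is exclusive (consent ends on that day), that `qod-sessions` covers the three `qod-sessions-*` scopes because the table describes it as "all QoD-session operations", and that device IDs are either a digit string or an email-like identifier; the sample rows are constructed from this page's example.

```python
"""Consent-table checks: validate a request, test a scope grant, diff a replacement.
Added example, not NaC code. Scope names are copied from the table on this page."""
from dataclasses import dataclass
from datetime import date
import re

AVAILABLE_SCOPES = {
    "device-status-roaming", "device-status-connectivity",
    "location-verification", "location-retrieval", "qod-sessions", "qod-profiles-read",
    "qod-sessions-read", "qod-sessions-write", "qod-sessions-delete",
    "specialized-network-read", "specialized-network-create", "specialized-network-delete",
    "specialized-network-activate", "specialized-network-deactivate",
    "specialized-network-attach-device", "specialized-network-detach-device",
}
# ASSUMPTION: "qod-sessions" (all QoD-session operations) is treated as covering the
# qod-sessions-* scopes. The page does not state how the service itself evaluates it.
IMPLIED_SCOPES = {
    "qod-sessions": {"qod-sessions-read", "qod-sessions-write", "qod-sessions-delete"},
}
# ASSUMPTION: device ID formats, modelled on the page's examples (digit string, email-like).
PHONE_RE = re.compile(r"^\+?\d{6,15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Row:
    device: str
    scopes: frozenset
    party: str
    operator: str
    revocation: date  # consent ends on this day (treated as exclusive, an assumption)


def parse_rows(table: str) -> list:
    """Parse 'device | scope, scope | party | operator | YYYY-MM-DD' lines."""
    rows = []
    for line in table.strip().splitlines():
        device, scope, party, operator, rev = [c.strip() for c in line.split("|")]
        scopes = frozenset(s.strip() for s in scope.split(",") if s.strip())
        rows.append(Row(device, scopes, party, operator, date.fromisoformat(rev)))
    return rows


def validate(rows: list, today: date) -> list:
    """Return a list of problems; an empty list means the request is well-formed."""
    problems = []
    for r in rows:
        if not (PHONE_RE.match(r.device) or EMAIL_RE.match(r.device)):
            problems.append(f"{r.device}: not a phone number or email-like device ID")
        for s in sorted(r.scopes - AVAILABLE_SCOPES):
            problems.append(f"{r.device}: unknown scope {s!r}")
        if r.revocation <= today:
            problems.append(f"{r.device}: revocation date {r.revocation} is not in the future")
    return problems


def effective_scopes(row: Row) -> set:
    """Scopes a row grants, including those implied by an umbrella scope."""
    out = set(row.scopes)
    for s in row.scopes:
        out |= IMPLIED_SCOPES.get(s, set())
    return out


def is_authorized(rows: list, device: str, scope: str, party: str, today: date) -> bool:
    """True if some unexpired row grants `scope` on `device` to `party`."""
    return any(r.device == device and r.party == party and today < r.revocation
               and scope in effective_scopes(r) for r in rows)


def revoked_by_replacement(old_rows: list, new_rows: list) -> dict:
    """Grants in the previous request that the new one omits, as {device: {(party, scope)}}.
    Every entry returned here is revoked once the new request is processed."""
    def grants(rows):
        g = {}
        for r in rows:
            for s in r.scopes:
                g.setdefault(r.device, set()).add((r.party, s))
        return g
    old, new = grants(old_rows), grants(new_rows)
    lost = {d: old[d] - new.get(d, set()) for d in old}
    return {d: s for d, s in lost.items() if s}


# Constructed sample data mirroring the example table on this page.
PREVIOUS = """
device1@abc.com | location-verification, location-retrieval | Organization 1 | Operator ABC | 2024-06-01
36721601234567 | qod-sessions, location-retrieval | Organization 1 | Operator ABC | 2024-12-01
device3@abc.com | specialized-network-create, specialized-network-delete | System Integrator 1 | Operator ABC | 2024-03-01
"""
# A constructed follow-up request that omits device3 and narrows device1's scopes.
REPLACEMENT = """
device1@abc.com | location-verification | Organization 1 | Operator ABC | 2024-06-01
36721601234567 | qod-sessions, location-retrieval | Organization 1 | Operator ABC | 2024-12-01
"""

if __name__ == "__main__":
    today = date(2024, 1, 15)
    old, new = parse_rows(PREVIOUS), parse_rows(REPLACEMENT)
    print("problems in replacement:", validate(new, today))
    print("Organization 1 may write QoD sessions on the phone:",
          is_authorized(old, "36721601234567", "qod-sessions-write", "Organization 1", today))
    print("revoked by replacement:", revoked_by_replacement(old, new))
```

Run `revoked_by_replacement` on the old and new lists before e-mailing a new request: with the constructed data it reports that `device1@abc.com` loses `location-retrieval` and that `device3@abc.com` loses both of its specialized-network scopes, which is exactly what the replace-everything semantics of a new submission would silently do.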