Consent & Identity Management

Overview

First, let's talk about the difference between consent and identity. It is extremely important to know which applications can access or modify devices' data. Applications need to process personal or private enterprise information, but to do so with "legitimate interest" and have a legal basis to handle this information, we need to get consent (authorization) from device owners. Network as Code (NaC) also adopts the privacy-by-design approach and must comply with data protection regulations, for example, the GDPR regulation in Europe and other ones depending on the region. In summary, this means that a device's owner will allow which applications or APIs can access their device. So, consent management is about granting or revoking the access an application has to APIs and their parameters, so that authorized devices can be safely used.

Now, let's suppose your organization already has several identifiers (IDs) assigned to its devices and now they need to be managed or authorized. Identity management literally means handling these different device IDs. This will allow choosing different authorization scopes (API names) for multiple device IDs and organizations. For example, let's say you need consent to query a device's location or modify its network parameters for Quality of Service (QoS). Then, you will need to know if these actions are within the scope authorized for this device ID before performing them. So, an enterprise will define which service or functionality scope can affect its devices through their IDs.

TIP: With NaC SDKs, you can create a Device object, which is a representation of a device's ID. There are multiple ways to identify mobile network devices. Learn more.

Scope: Feature or operation that is authorized. It's usually defined by the API name, such as "Location Verification", "Quality-of-service-on-Demand (QoD) sessions", etc. In addition to the API name, the scope may be extended with a specific resource name and/or an allowed action, such as "read" or "write", to limit the access.

NOTE: The scope names should be from the list of the supported scopes (e.g.: location-retrieval). Please, check the list below.
Device ID: it can be a phone number or the email-like identifier for the device (or subscriber) into the network. E.g.: 36721601234567, device@testcsp.net, and so on.
Authorized Party: the private enterprise or organization name, system integrator and so on, which will be authorized to use the devices within the defined scopes. The NaC Administrator ("Admin") will then validate this authorization with the Operator.
Operator: the owner of a network that can be used through the NaC APIs.

Let's first consider a B2B scenario, in which a farming enterprise owns multiple mobile devices that can be accessed by different organizations and perform different actions. In agriculture, we have many examples of drone applications, such as crop or soil analysis, yield estimation, taking high-quality images, videos or even spraying crops! Since different access types can be granted to different organizations or service providers, this enterprise will need to provide a form listing the different device IDs, API scopes, authorized parties and operators (depending on the area they are located).

Network as Code will make the link to make these actions possible seamlessly. The NaC Admin will validate the form data with the operators on the list and enable different organizations to access their allowed devices and scopes (qod-sessions, location-verification, specialized-network-create, device-status-roaming, etc.).

Submitting an authorization request

Here's how private enterprises can get consent for different devices and authorized parties. In the following document, an organization is authorizing the access of three different enterprises to distinct devices:

First, download the Nokia Network as Code Consent & Authorization template.
In the steps below, you will learn how to fill out the Consent & Authorization form.

NOTE: The Organization Admin needs to send the request via e-mail to support.networkascode@nokia.com

At the top-left field, fill in the name details for the authorizing and authorized organizations, as well as the date for the consent to start. For example: If devices are owned by Enterprise 1 and Enterprise 2 will be authorized to access them, you can fill them like so:
- Legal Name of the Authorizing Organization: Enterprise 1.
- Authorized Party: Enterprise 2.
- Date of Consent: 01/06/2024 (The date format is DD/MM/YYYY).
Fill the Device column with phone numbers and external identifiers as device IDs.
Provide the Scope column only with values described in the scope table below.
The Authorized Party column should contain the Organization Name, which is being authorized to have access to the devices. The Organization Name should be exactly as the one listed in your NaC Portal Dashboard / API Hub under the "Organizations" top menu.
Provide the Operator name from whom you have the mobile subscription.
Fill the Revocation Date with the date your organization wants each consent/authorization to end.

Device	Scope	Authorized Party	Operator	Revocation Date
`device1@abc.com`	`location-verification`, `location-retrieval`	Organization 1	Operator ABC	DD/MM/YYYY
`36721601234567`	`qod-sessions`, `location-retrieval`	Organization 1	Operator ABC	DD/MM/YYYY
`device3@abc.com`	`specialized-network-create`, `specialized-network-delete`	System Integrator 1	Operator ABC	DD/MM/YYYY

Submitting a new request

From time to time, it is necessary to add new devices, authorize new scopes, parties or even delete devices, revoke scopes or authorizations. An Organization Admin can submit a new request whenever necessary and the previous one will be completely cleaned up. This means that the devices that are not included in the new list will lose their authorization and be completely revoked. So, if you want to increase the number of scopes, authorize different parties and device or revoke their authorizations, just submit a new authorization request to Network as Code support e-mail address as described above.

Available scopes

Here are all of the scopes you can include or edit in the authorization request.

Device Status scopes

Scope	Description
`device-status-roaming`	Get device roaming status
`device-status-connectivity`	Get device connectivity status

Location scopes

Scope	Description
`location-verification`	Verify the location
`location-retrieval`	Get the location of a device

Quality-of-service on Demand scopes

Scope	Description
`qod-sessions`	Allow all QoD-session operations
`qod-sessions-read`	Retrieve QoS sessions

Specialized Networks scopes

Scope	Description
`specialized-network-read`	Get slice information
`specialized-network-create`	Create a slice
`specialized-network-delete`	Delete a slice
`specialized-network-activate`	Activate a slice
`specialized-network-deactivate`	Deactivate a slice
`specialized-network-attach-device`	Attach device to a slice
`specialized-network-detach-device`	Detach a device from a slice

Network Insights

Scope	Description
`congestion-insight`	Get Congestion Insights on devices

Other scopes

Scope	Description
`other`	Refer to other desired scopes, which are not listed here

Last updated on July 09, 2024

Overview Consent-specific terminology Getting consent in a Business to Business (B2B) scenario Submitting an authorization request Submitting a new request Available scopes Device Status scopes Location scopes Quality-of-service on Demand scopes Specialized Networks scopes Network Insights Other scopes

Consent and identity management

On this page