Consent and identity management

Overview

First, let's talk about the difference between consent and identity. It is extremely important to know which applications can access or modify a device's data. Applications need to process personal or private enterprise information, but to do so with a "legitimate interest" and a legal basis, they need consent (authorization) from the device owners. Network as Code (NaC) adopts a privacy-by-design approach and must comply with data protection regulations, for example the GDPR in Europe and other regulations depending on the region. In summary, this means that a device's owner decides which applications or APIs may access their device. So, consent management is about granting or revoking the access an application has to APIs and their parameters, so that authorized devices can be used safely.

Now, let's suppose your organization already has several identifiers (IDs) assigned to its devices and they now need to be managed or authorized. Identity management means handling these different device IDs. It allows choosing different authorization scopes (API names) for multiple device IDs and organizations. For example, let's say you need consent to query a device's location or to modify its network parameters for Quality of Service (QoS). Before performing either action, you need to know whether it is within the scope authorized for that device ID. So, an enterprise defines, per device ID, which service or functionality scope can affect its devices.

TIP: With the NaC SDKs, you can create a Device object, which is a representation of a device's ID. There are multiple ways to identify mobile network devices.

  • Scope: the feature or operation that is authorized. It is usually defined by the API name, such as "Location Verification" or "Quality-of-Service-on-Demand (QoD) sessions". In addition to the API name, a scope may be narrowed with a specific resource name and/or an allowed action, such as "read" or "write", to limit the access.

NOTE: Scope names must be taken from the list of supported scopes (e.g. location-retrieval). Check the list below.

  • Device ID: a phone number or the email-like identifier for the device (or subscriber) in the network, e.g. 36721601234567 or device@testcsp.net.
  • Authorized Party: the private enterprise or organization, system integrator and so on that will be authorized to use the devices within the defined scopes. The NaC Administrator ("Admin") then validates this authorization with the Operator.
  • Operator: the owner of a network that can be used through the NaC APIs.

Let's first consider a B2B scenario in which a farming enterprise owns multiple mobile devices that can be accessed by different organizations to perform different actions. In agriculture, there are many examples of drone applications, such as crop or soil analysis, yield estimation, taking high-quality images or videos, or even spraying crops! Since different access types can be granted to different organizations or service providers, this enterprise needs to provide a form listing the device IDs, API scopes, authorized parties and operators (the operator depends on the area in which each device is located).

Network as Code provides the link that makes these actions possible. The NaC Admin validates the form data with the operators on the list and enables the different organizations to access their allowed devices and scopes (qod-sessions, location-verification, specialized-network-create, device-status-roaming, etc.).

Submitting an authorization request

Here's how private enterprises can get consent for different devices and authorized parties. In the example below, an organization authorizes two different parties to access three distinct devices.

  1. At the top-left field, fill in the names of the authorizing and authorized organizations, as well as the date on which the consent starts. For example, if the devices are owned by Enterprise 1 and Enterprise 2 is being authorized to access them, fill them in like so:
  • Legal Name of the Authorizing Organization: Enterprise 1.
  • Authorized Party: Enterprise 2.
  • Date of Consent: 01/06/2024 (the date format is DD/MM/YYYY).
  2. Fill the Device column with phone numbers or external identifiers as device IDs.
  3. Fill the Scope column only with values from the scope tables below.
  4. The Authorized Party column should contain the Organization Name that is being authorized to access the devices. The Organization Name must match exactly the one listed in your NaC Portal Dashboard / API Hub under the "Organizations" top menu.
  5. Provide the name of the Operator from whom you have the mobile subscription.
  6. Fill the Revocation Date with the date on which your organization wants each consent/authorization to end.
Device          | Scope                                                   | Authorized Party    | Operator     | Revocation Date
device1@abc.com | location-verification, location-retrieval               | Organization 1      | Operator ABC | DD/MM/YYYY
36721601234567  | qod-sessions, location-retrieval                        | Organization 1      | Operator ABC | DD/MM/YYYY
device3@abc.com | specialized-network-create, specialized-network-delete  | System Integrator 1 | Operator ABC | DD/MM/YYYY

Submitting a new request

From time to time it is necessary to add new devices, authorize new scopes or parties, or to delete devices and revoke scopes or authorizations. An Organization Admin can submit a new request whenever necessary, and the new request replaces the previous one entirely: any device, scope or authorized party that is not restated in the new list loses its authorization and is completely revoked. So, whether you want to add scopes, authorize different parties or devices, or revoke existing authorizations, submit a complete new authorization request to the Network as Code support e-mail address, filled in as described above.

Available scopes

Here are all of the scopes you can include or edit in the authorization request.

Device Status scopes

Scope                      | Description
device-status-roaming      | Get device roaming status
device-status-connectivity | Get device connectivity status

Location scopes

Scope                 | Description
location-verification | Verify the location of a device
location-retrieval    | Get the location of a device

Quality-of-service on Demand scopes

Scope               | Description
qod-sessions        | Allow all QoD-session operations
qod-profiles-read   | Retrieve QoS profiles
qod-sessions-read   | Retrieve QoS sessions
qod-sessions-write  | Create and update QoS sessions
qod-sessions-delete | Delete QoS sessions

Specialized Networks scopes

Scope                             | Description
specialized-network-read          | Get slice information
specialized-network-create        | Create a slice
specialized-network-delete        | Delete a slice
specialized-network-activate      | Activate a slice
specialized-network-deactivate    | Deactivate a slice
specialized-network-attach-device | Attach a device to a slice
specialized-network-detach-device | Detach a device from a slice
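
Added example (not NaC's own code or SDK): a small Python checker that validates an authorization request table against the scope tables above, answers "is this party allowed this scope on this device today?", and, because a new request replaces the previous one entirely, shows exactly which grants a replacement request revokes before you send it. Everything beyond the scope names is an assumption made for illustration: the pipe-separated row format, the device ID patterns, treating qod-sessions as implying the -read/-write/-delete session scopes, and treating a consent as ended on its revocation date. The request rows are constructed from the sample table on this page with dates filled in.

```python
import re
from dataclasses import dataclass
from datetime import date

# Scope values copied from the "Available scopes" tables above.
SUPPORTED_SCOPES = frozenset({
    "device-status-roaming", "device-status-connectivity",
    "location-verification", "location-retrieval",
    "qod-sessions", "qod-profiles-read", "qod-sessions-read",
    "qod-sessions-write", "qod-sessions-delete",
    "specialized-network-read", "specialized-network-create",
    "specialized-network-delete", "specialized-network-activate",
    "specialized-network-deactivate",
    "specialized-network-attach-device", "specialized-network-detach-device",
})

# The page says qod-sessions allows all QoD-session operations; treating it as
# implying the three narrower session scopes is an assumption (profiles excluded).
SCOPE_IMPLIES = {
    "qod-sessions": frozenset({"qod-sessions-read", "qod-sessions-write",
                               "qod-sessions-delete"}),
}

# Device IDs are a phone number or an email-like identifier; these patterns are
# assumptions for the example, not NaC's validation rules.
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")
EXTERNAL_ID_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class Grant:
    device: str
    scopes: frozenset
    party: str
    operator: str
    revocation: date


def parse_ddmmyyyy(text):
    """Parse the DD/MM/YYYY format the form uses; raises ValueError if malformed."""
    day, month, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def parse_request(text):
    """Parse a pipe-separated request table into (grants, errors).
    A row with any error is dropped; a request with errors must not be sent."""
    grants, errors = [], []
    for lineno, raw in enumerate(text.strip().splitlines(), start=1):
        cols = [c.strip() for c in raw.split("|")]
        if lineno == 1 and cols[0].lower() == "device":
            continue  # header row
        if len(cols) != 5:
            errors.append(f"line {lineno}: expected 5 columns, got {len(cols)}")
            continue
        device, scope_col, party, operator, revocation = cols
        before = len(errors)
        if not (PHONE_RE.match(device) or EXTERNAL_ID_RE.match(device)):
            errors.append(f"line {lineno}: unrecognised device ID {device!r}")
        scopes = frozenset(s.strip() for s in scope_col.split(",") if s.strip())
        if not scopes:
            errors.append(f"line {lineno}: no scope given")
        unknown = sorted(scopes - SUPPORTED_SCOPES)
        if unknown:
            errors.append(f"line {lineno}: unsupported scope(s) {unknown}")
        try:
            rev_date = parse_ddmmyyyy(revocation)
        except ValueError:
            errors.append(f"line {lineno}: revocation {revocation!r} is not DD/MM/YYYY")
            continue
        if len(errors) == before:
            grants.append(Grant(device, scopes, party, operator, rev_date))
    return grants, errors


def effective_grants(grants, today):
    """Set of (device, party, scope) triples in force on `today`, with implied
    scopes expanded. A consent is treated as ended on its revocation date."""
    active = set()
    for g in grants:
        if today >= g.revocation:
            continue
        scopes = set(g.scopes)
        for s in g.scopes:
            scopes |= SCOPE_IMPLIES.get(s, frozenset())
        active.update((g.device, g.party, s) for s in scopes)
    return active


def is_authorized(grants, device, party, scope, today):
    return (device, party, scope) in effective_grants(grants, today)


def replacement_diff(current, replacement, today):
    """What a replacement request revokes and adds relative to the current one."""
    old, new = effective_grants(current, today), effective_grants(replacement, today)
    return {"revoked": sorted(old - new), "added": sorted(new - old)}


# Constructed sample: the page's example rows with revocation dates filled in.
CURRENT_REQUEST = """\
Device | Scope | Authorized Party | Operator | Revocation Date
device1@abc.com | location-verification, location-retrieval | Organization 1 | Operator ABC | 31/12/2024
36721601234567 | qod-sessions, location-retrieval | Organization 1 | Operator ABC | 31/12/2024
device3@abc.com | specialized-network-create, specialized-network-delete | System Integrator 1 | Operator ABC | 31/12/2024
"""
# Constructed replacement: device3 was left out (so its slice scopes are revoked),
# the phone number is narrowed to read-only, and device1 gains a second party.
NEW_REQUEST = """\
Device | Scope | Authorized Party | Operator | Revocation Date
device1@abc.com | location-verification, location-retrieval | Organization 1 | Operator ABC | 31/12/2024
device1@abc.com | device-status-roaming | Organization 2 | Operator ABC | 30/06/2025
36721601234567 | qod-sessions-read, location-retrieval | Organization 1 | Operator ABC | 31/12/2024
"""
TODAY = date(2024, 7, 1)  # constructed "now" for the example

if __name__ == "__main__":
    current, errs = parse_request(CURRENT_REQUEST)
    new, more = parse_request(NEW_REQUEST)
    for problem in errs + more:
        print("ERROR:", problem)
    for kind, triples in replacement_diff(current, new, TODAY).items():
        for device, party, scope in triples:
            print(f"{kind}: {party} / {device} / {scope}")
```

Run it before sending a replacement request: the "revoked" lines are the grants that will silently disappear because they were not restated, which is the easiest mistake to make with replace-all semantics.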

Last updated on May 23, 2024