CN117061093A - Authorization method and device - Google Patents

Publication number
CN117061093A
Authority
CN
China
Prior art keywords
network
data
network element
user
identification information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210489905.4A
Other languages
Chinese (zh)
Inventor
胡力
吴�荣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202210489905.4A
Priority to PCT/CN2023/091313 (WO2023213226A1)
Publication of CN117061093A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An authorization method for authorizing the processing of user data in a cross-network scenario, the method comprising: an authorization check network element receives, from a data use network element, a request message for triggering processing of user data; the authorization check network element obtains, from a data management network element, identification information of a network that the user allows to process the user data, a data processing purpose and a user consent result, wherein the data processing purpose indicates the purpose of processing the user data, and the user consent result indicates whether the user consents to processing of the user data for the data processing purpose, and wherein the data management network element and the authorization check network element are not in the same network, or the data management network element and the data use network element are not in the same network; the authorization check network element determines, according to the identification information of the network, whether to authorize processing of the user data.

Description

Authorization method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an authorization method and apparatus.
Background
Current laws and regulations on the protection of personal information place requirements on how personal information is protected. For example, where legal regulations require a data controller (e.g., a business) to obtain user consent before processing personal information, the data controller needs to obtain the user's explicit consent for the data processing purpose before processing the personal information. For example, if the data controller, with user consent, processes the user's location information for the purpose of providing a location-based quality of service enhancement service, the location information that the data controller gathers cannot be used for other purposes (such as a location-based advertising service) unless the user's consent for those other purposes is obtained.
The field of communication technology is considering technical requirements under which the consent of the user must be obtained before user data is processed. For example, a network should obtain the user's consent to processing user data for a certain purpose before processing the user data for that purpose. That is, the network obtains authorization to process user data based on the user's consent to processing the user data for the purpose. This authorization scheme does not take into account how user data processing is authorized in cross-network scenarios.
Disclosure of Invention
The application provides an authorization method for authorizing the processing of user data in a cross-network scenario.
In a first aspect, the present application provides an authorization method, the method comprising: an authorization check network element receives, from a data use network element, a request message for triggering processing of user data; the authorization check network element obtains, from a data management network element, identification information of a network that the user allows to process the user data, a data processing purpose and a user consent result, wherein the data processing purpose indicates the purpose of processing the user data, and the user consent result indicates whether the user consents to processing of the user data for the data processing purpose, and wherein the data management network element and the authorization check network element are not in the same network, or the data management network element and the data use network element are not in the same network; the authorization check network element determines, according to the identification information of the network, whether to authorize processing of the user data.
With this method, in a cross-network scenario in which the data management network element and the authorization check network element are not in the same network, or the data management network element and the data use network element are not in the same network, the authorization check network element, after receiving the request message triggering processing of the user data, determines whether to authorize processing of the user data according to the identification information of the network that the user allows to process the user data. Authorization for processing user data in the cross-network scenario is thus achieved.
In one possible implementation, the determining, by the authorization check network element, whether to authorize processing of the user data according to the identification information of the network includes: the authorization check network element determines, according to the identification information of the network, whether the request message comes from the network indicated by the identification information of the network; if the request message comes from the network indicated by the identification information of the network, the authorization check network element determines whether to authorize processing of the user data according to the user consent result; if the request message does not come from the network indicated by the identification information of the network, the authorization check network element does not authorize processing of the user data.
In this way, if the request message comes from the network indicated by the identification information of the network, that is, the network from which the request message originates is allowed to process the user data, the authorization check network element further determines whether to authorize processing of the user data according to the user consent result; if the request message does not come from the network indicated by the identification information of the network, the network from which the request message originates is not allowed to process the user data, and the authorization check network element directly does not authorize processing of the user data, without further judgment. This improves the efficiency of authorization by the authorization check network element and avoids the security risk of user data being processed by a network that is not allowed to process it.
In one possible implementation, the determining, by the authorization check network element, whether the request message comes from the network indicated by the identification information of the network according to the identification information of the network includes: if the authorization check network element belongs to the network indicated by the identification information of the network, the authorization check network element determines that the request message comes from the network indicated by the identification information of the network; if the authorization check network element does not belong to the network indicated by the identification information of the network, the authorization check network element determines that the request message does not come from the network indicated by the identification information of the network.
In this way, the authorization check network element determines whether the request message comes from the network indicated by the identification information of the network by judging whether it itself belongs to the network indicated by the identification information of the network.
In one possible implementation, the data use network element and the authorization check network element are located in the same network.
In one possible implementation, the method further includes: the authorization check network element obtains the identification of the network where the data use network element is located; the determining, by the authorization check network element, whether the request message comes from the network indicated by the identification information of the network according to the identification information of the network includes: if it is determined, according to the identification of the network where the data use network element is located, that the network where the data use network element is located belongs to the network indicated by the identification information of the network, the authorization check network element determines that the request message comes from the network indicated by the identification information of the network; if it is determined, according to the identification of the network where the data use network element is located, that the network where the data use network element is located does not belong to the network indicated by the identification information of the network, the authorization check network element determines that the request message does not come from the network indicated by the identification information of the network.
In this way, the authorization check network element uses the obtained identification of the network where the data use network element is located to determine whether the request message comes from the network indicated by the identification information of the network.
In one possible implementation, the request message includes an identification of the network in which the data use network element is located. That is, the authorization check network element may obtain the identification of the network in which the data use network element is located through the request message.
In one possible implementation, the authorization check network element not authorizing processing of the user data includes: the authorization check network element sends a reject message to the data use network element, the reject message containing a reject cause value indicating that the data use network element is not from a network that the user allows to process the user data.
In this way, when processing of the user data is not authorized, the authorization check network element indicates to the data use network element that the cause of the failure is that the data use network element is not from a network that the user allows to process the user data, so that the data use network element knows why it was rejected and stops triggering processing of the user data. The data use network element can therefore refrain from triggering processing of the user data again based on the reject cause, which avoids unnecessary signaling interaction and improves the efficiency with which the network provides service.
In a possible implementation, the authorization check network element not authorizing processing of the user data includes: the authorization check network element records the event of not authorizing processing of the user data. In this way, the authorization check network element records the unauthorized event when it does not authorize processing of the user data.
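The decision procedure of the first aspect can be sketched as follows. This is an added illustration, not part of the patent text or of any 3GPP-defined interface; the class names, cause strings, PLMN IDs and user data are hypothetical and constructed for the example, and treating a missing subscription or an unknown purpose as "not authorized" is an assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional

# Hypothetical cause values; the text describes the first one only in words.
CAUSE_NETWORK_NOT_ALLOWED = "NETWORK_NOT_ALLOWED_BY_USER"
CAUSE_CONSENT_NOT_GIVEN = "USER_CONSENT_NOT_GIVEN"


@dataclass(frozen=True)
class SubscriptionData:
    """What the data management network element returns for one user."""
    allowed_plmn_ids: FrozenSet[str]     # networks the user allows to process the data
    consent_by_purpose: Dict[str, bool]  # data processing purpose -> user consent result


@dataclass(frozen=True)
class ProcessingRequest:
    """Request message from the data use network element."""
    user_id: str
    purpose: str
    origin_plmn_id: Optional[str] = None  # identification of the sender's network, if carried


@dataclass(frozen=True)
class Decision:
    authorized: bool
    reject_cause: Optional[str] = None


@dataclass
class AuthorizationCheckNE:
    own_plmn_id: str
    fetch_subscription: Callable[[str], Optional[SubscriptionData]]
    unauthorized_events: List[dict] = field(default_factory=list)

    def _reject(self, request: ProcessingRequest, origin: str, cause: str) -> Decision:
        # Record the event of not authorizing processing of the user data.
        self.unauthorized_events.append(
            {"user": request.user_id, "purpose": request.purpose,
             "origin_plmn": origin, "cause": cause})
        return Decision(False, cause)

    def handle(self, request: ProcessingRequest) -> Decision:
        # Origin network: taken from the request if present, otherwise the
        # check element's own network (data use NE located in the same network).
        origin = request.origin_plmn_id or self.own_plmn_id
        sub = self.fetch_subscription(request.user_id)
        allowed = sub.allowed_plmn_ids if sub else frozenset()  # assumption: fail closed
        # Step 1: network check. On failure, reject without looking at consent.
        if origin not in allowed:
            return self._reject(request, origin, CAUSE_NETWORK_NOT_ALLOWED)
        # Step 2: only now evaluate the user consent result for the purpose.
        if sub.consent_by_purpose.get(request.purpose) is not True:
            return self._reject(request, origin, CAUSE_CONSENT_NOT_GIVEN)
        return Decision(True)


# Constructed sample subscription data held by the data management network element.
SAMPLE_SUBSCRIPTIONS = {
    "user-001": SubscriptionData(
        allowed_plmn_ids=frozenset({"001-01"}),
        consent_by_purpose={"analytics": True, "advertising": False},
    ),
}

if __name__ == "__main__":
    home = AuthorizationCheckNE("001-01", SAMPLE_SUBSCRIPTIONS.get)
    print(home.handle(ProcessingRequest("user-001", "analytics")))
    print(home.handle(ProcessingRequest("user-001", "analytics", "001-02")))
    print(home.unauthorized_events)
```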
In a possible implementation manner, the method further includes: the authorization check network element requests the user data from the data providing network element; the authorization check network element receives the user data from the data providing network element. In this way, the authorization check network element performs processing of the user data.
In one possible implementation, the obtaining, by the authorization check network element, the identification information of the network from the data management network element, the data processing purpose, and the user consent result includes: the authorization check network element requests the user subscription data from the data management network element; the authorization check network element receives user subscription data from the data management network element, wherein the user subscription data comprises identification information of the network, the data processing purpose and the user consent result.
That is, in this manner, the authorization check network element may acquire the identification information of the network, the data processing purpose, and the user consent result from the subscription data of the user.
In one possible implementation, the identification information of the network is an identifier (ID) of a public land mobile network (PLMN).
In a second aspect, the present application provides an authorization method, the method comprising: a data management network element receives, from an authorization check network element, identification information of a user and identification information of a first network, wherein the identification information of the first network identifies a network that processes data of the user, and the network where the data management network element is located and the network that processes the data of the user are not the same network; the data management network element determines a first user consent result according to the identification information of the first network and identification information of a second network, wherein the identification information of the second network identifies a network that the user allows to process the data of the user, and the first user consent result indicates whether the user consents to processing of the data of the user in the first network for a first data processing purpose; the data management network element sends the first user consent result to the authorization check network element.
With this method, in a cross-network scenario in which the network where the data management network element is located and the network that processes the data of the user are not the same network, the data management network element, after receiving the identification information of the first network, determines the first user consent result according to the identification information of the first network and the identification information of the second network, that is, of the network that the user allows to process the data of the user, and sends the first user consent result to the authorization check network element. The authorization check network element can then determine whether to process the user data according to the first user consent result, so that authorization for processing user data in the cross-network scenario is achieved.
In one possible implementation, the determining, by the data management network element, the first user consent result according to the identification information of the first network and the identification information of the second network includes: if the identification information of the second network includes the identification information of the first network, the data management network element determines that one or more data processing purposes corresponding to the identification information of the first network are the first data processing purpose, and determines that the user consent result corresponding to the one or more data processing purposes is the first user consent result; if the identification information of the second network does not include the identification information of the first network, the data management network element determines that the data processing purpose corresponding to the identification information of the second network is the first data processing purpose, and determines that the first user consent result is disagreement.
In this way, when the identification information of the second network includes the identification information of the first network, which means that the user allows the first network to process the user data, the data management network element determines the data processing purpose and the user consent result corresponding to the first network; when the identification information of the second network does not include the identification information of the first network, which means that the user does not allow the first network to process the user data, the data management network element determines that the first user consent result is disagreement, so that the authorization check network element subsequently does not authorize processing of the user data based on that first user consent result, which avoids the security risk of user data being processed by a network that is not allowed to process it.
In one possible implementation, the sending, by the data management network element, the first user consent result to the authorization check network element includes: the data management network element sends the first data processing purpose and the first user consent result to the authorization check network element.
In one possible implementation, the receiving, by the data management network element, the identification information of the user and the identification information of the first network from the authorization check network element includes: the data management network element receives a message from the authorization check network element, wherein the message includes the identification information of the user, the identification information of the first network and the first data processing purpose; the determining, by the data management network element, the first user consent result according to the identification information of the first network and the identification information of the second network includes: if the identification information of the second network includes the identification information of the first network, the data management network element determines that the user consent result corresponding to the first data processing purpose is the first user consent result; if the identification information of the second network does not include the identification information of the first network, the data management network element determines that the first user consent result is disagreement.
In this manner, the authorization check network element also provides the first data processing purpose to the data management network element, and the data management network element, when determining the first user consent result, needs to ensure that the first user consent result corresponds to the first data processing purpose. When the identification information of the second network does not include the identification information of the first network, the first user consent result is determined to be disagreement, which avoids the security risk of user data being processed by a network that is not allowed to process it.
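The data management network element's side of the second aspect, with and without a first data processing purpose in the request, can be sketched as follows. This is an added illustration rather than code from the patent; the function and field names, PLMN IDs and purposes are hypothetical and constructed, and returning "disagreement" for a purpose that has no stored result is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ConsentResults = List[Tuple[str, bool]]  # (data processing purpose, consent result)


@dataclass(frozen=True)
class UserConsentProfile:
    """Per-user data held by the data management network element."""
    # second-network identification -> {data processing purpose -> consent result}
    consent_by_network: Dict[str, Dict[str, bool]]


def first_user_consent_result(profile: UserConsentProfile,
                              first_plmn_id: str,
                              first_purpose: Optional[str] = None) -> ConsentResults:
    """Resolve the first user consent result for the network that will process the data."""
    per_network = profile.consent_by_network.get(first_plmn_id)

    if per_network is not None:
        # The second-network identification includes the first network.
        if first_purpose is None:
            # No purpose supplied: return every purpose stored for that network.
            return sorted(per_network.items())
        # Purpose supplied: return the result for exactly that purpose.
        # Assumption: a purpose with no stored result counts as disagreement.
        return [(first_purpose, per_network.get(first_purpose, False))]

    # The first network is not one the user allows: the result is disagreement,
    # whatever consent is stored for other networks.
    if first_purpose is not None:
        return [(first_purpose, False)]
    known_purposes = sorted({purpose
                             for purposes in profile.consent_by_network.values()
                             for purpose in purposes})
    return [(purpose, False) for purpose in known_purposes]


def authorize(results: ConsentResults, purpose: str) -> bool:
    """Authorization check network element: authorize only on an explicit consent."""
    return dict(results).get(purpose, False)


# Constructed sample profile: consent is stored per allowed network.
SAMPLE_PROFILE = UserConsentProfile({
    "001-01": {"analytics": True, "advertising": False},
    "001-02": {"analytics": False},
})

if __name__ == "__main__":
    for plmn in ("001-01", "001-02", "999-99"):
        results = first_user_consent_result(SAMPLE_PROFILE, plmn, "analytics")
        print(plmn, results, "authorized" if authorize(results, "analytics") else "rejected")
```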
In one possible implementation, the method further includes: the data management network element sends identification information of a network for determining whether to authorize processing of the user's data to the authorization check network element. That is, the authorization check network element may further obtain, from the data management network element, identification information of a network for determining whether to authorize processing of the user data, so as to determine whether to authorize processing of the user data based on the identification information of the network, thereby implementing dual authorization and ensuring accuracy of authorization.
In one possible implementation, the identification information of the second network is an identifier (ID) of a public land mobile network (PLMN) that the user allows to process the data of the user.
In one possible implementation, the identification information of the first network is an identifier (ID) of the public land mobile network (PLMN) where the authorization check network element is located, or an identifier (ID) of the public land mobile network (PLMN) where a network element triggering processing of the first data is located.
In a third aspect, the present application provides an authorization method, the method comprising: a data management network element receives, from an authorization check network element, a message requesting subscription data of a user, wherein the data management network element and the authorization check network element are not in the same network; the data management network element sends the subscription data of the user to the authorization check network element, wherein the subscription data of the user includes identification information of a network that the user allows to process the user data, a data processing purpose and a user consent result, the data processing purpose indicates the purpose of processing the user data, and the user consent result indicates whether the user consents to processing of the user data for the data processing purpose.
By the method, under the cross-network scene that the data management network element and the authorization check network element are not in the same network, the subscription data of the user comprises the identification information of the network which the user allows to process the user data, so that the authorization check network element can authorize the network which requests to process the user data based on the identification information of the network. Thus, the authorization for processing the user data in the cross-network scene is realized.
In a fourth aspect, the present application provides an authorization method, the method comprising: an authorization check network element receives, from a data use network element, a request message for triggering processing of data of a user; the authorization check network element sends identification information of the user and identification information of a first network to a data management network element, wherein the identification information of the first network identifies a network that processes the data of the user, and the network where the data management network element is located and the network that processes the data of the user are not the same network; the authorization check network element receives a first user consent result from the data management network element, the first user consent result indicating whether the user consents to processing of the data of the user in the first network for a first data processing purpose; the authorization check network element determines whether to authorize processing of the data of the user according to the first user consent result.
With this method, in a cross-network scenario in which the network where the data management network element is located and the network that processes the data of the user are not the same network, the authorization check network element receives a first user consent result from the data management network element, and the first user consent result concerns whether the user consents to processing of the data of the user in the first network for a first data processing purpose. The authorization check network element determines whether to authorize processing of the user data based on the first user consent result. Authorization for processing user data in the cross-network scenario is thus achieved.
In one possible implementation, if the first network does not belong to the networks that the user allows to process the data of the user, the first user consent result indicates that the user does not consent to processing of the data of the user in the first network. With this method, when the first network is not allowed to process the user data, the authorization check network element determines, according to the first user consent result of disagreement, that processing of the user data is not authorized, which avoids the security risk of user data being processed by a network that is not allowed to process it.
In one possible implementation, the receiving, by the authorization check network element, the first user consent result from the data management network element includes: the authorization check network element receives the first user consent result and the first data processing purpose from the data management network element.
In one possible implementation manner, the sending, by the authorization check network element, the identification information of the user and the identification information of the first network to the data management network element includes: the authorization check network element sends a message to the data management network element, the message comprising the identification information of the user, the first data processing purpose and the identification information of the first network.
In a fifth aspect, embodiments of the present application provide a communication device, which may be an authorization check network element or a module (e.g. a chip) applied in the authorization check network element. The apparatus has the function of implementing any implementation method of the first aspect or the fourth aspect. The functions can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In a sixth aspect, embodiments of the present application provide a communication device, which may be a data management network element or a module (e.g. a chip) applied in the data management network element. The apparatus has the function of implementing any implementation method of the second aspect or the third aspect. The functions can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules corresponding to the functions described above.
In a seventh aspect, an embodiment of the present application provides a communication device, including a processor coupled to a memory, the processor configured to invoke a program stored in the memory to perform any implementation method of the first aspect to the fourth aspect. The memory may be located within the device or may be located external to the device. There may be one or more processors.
In an eighth aspect, an embodiment of the present application provides a communication apparatus, including a processor and a memory; the memory is configured to store computer instructions that, when executed by the apparatus, cause the apparatus to perform any of the implementation methods of the first to fourth aspects.
In a ninth aspect, embodiments of the present application provide a communications device comprising means for performing the steps of any implementation method of the first to fourth aspects described above.
In a tenth aspect, an embodiment of the present application provides a communication device, including a processor and an interface circuit, where the processor is configured to communicate with other devices through the interface circuit and to perform any implementation method of the first aspect to the fourth aspect. There may be one or more processors.
In an eleventh aspect, an embodiment of the present application further provides a chip system, including: a processor configured to perform any implementation method of the first to fourth aspects.
In a twelfth aspect, embodiments of the present application also provide a computer-readable storage medium having instructions stored therein that, when executed on a communication device, cause any implementation method of the first to fourth aspects described above to be performed.
In a thirteenth aspect, embodiments of the present application also provide a computer program product comprising a computer program or instructions which, when executed by a communication device, cause any of the implementation methods of the first to fourth aspects described above to be performed.
In a fourteenth aspect, an embodiment of the present application provides a communication system including a communication apparatus that performs any of the implementation methods in the first aspect and a communication apparatus that performs any of the implementation methods in the third aspect. Optionally, other communication means for communicating with the above means, such as a data use network element, a base station, or a user equipment, etc., are also included.
In a fifteenth aspect, an embodiment of the present application provides a communication system including a communication apparatus that performs any of the implementation methods in the second aspect and a communication apparatus that performs any of the implementation methods in the fourth aspect. Optionally, other communication means for communicating with the above means, such as a data use network element, a base station, or a user equipment, etc., are also included.
Drawings
Fig. 1 is a schematic diagram of a 5G network architecture according to an embodiment of the present application;
Fig. 2 is a schematic diagram of another 5G network architecture according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for authorizing processing user data according to an embodiment of the present application;
Fig. 4 is a flowchart of another method for authorizing processing user data according to an embodiment of the present application;
Fig. 5 is a flowchart of a method for authorizing processing user data according to an embodiment of the present application;
Fig. 6 is a flowchart of a method for authorizing processing user data according to another embodiment of the present application;
Fig. 7 is a flowchart of a method for authorizing processing user data according to another embodiment of the present application;
Fig. 8 is a flowchart of a method for authorizing processing user data according to another embodiment of the present application;
Fig. 9 is a schematic structural diagram of a communication device according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of a communication device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described below with reference to the accompanying drawings.
In the present application, unless otherwise specified, "/" indicates an "or" relationship between the associated objects; for example, A/B may mean A or B. The term "and/or" merely describes an association between associated objects and covers three relationships; for example, A and/or B may represent three cases: A exists alone, both A and B exist, and B exists alone, where A and B may each be singular or plural. Also, in the present application, unless otherwise indicated, "a plurality" means two or more. "One or more" and similar expressions refer to any combination of the listed items, including any combination of single or plural items; for example, one or more of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may each be single or multiple. In addition, to describe the technical solution of the present application clearly, the words "first", "second", etc. are used to distinguish between identical or similar items having substantially the same function and effect. Those skilled in the art will appreciate that the words "first", "second", and the like do not limit the quantity or the order of execution, and that items so labelled are not necessarily different.
The technical solution of the application can be applied to various communication systems, such as a fifth generation (5G) mobile communication system, a New Radio (NR) system, a home base station network, a mobile network accessed through non-3GPP access such as wireless fidelity (WiFi), a fixed mobile convergence (FMC) network, or a future 6G network; it can also be applied to standalone non-public networks (SNPN), public land mobile networks (PLMN) and public network integrated non-public networks (PNI-NPN), or networks built by enterprises and universities.
In the following, some terms used in the present application are explained for easy understanding by those skilled in the art.
1) A user equipment (UE) is a device having a wireless transceiving function. The user equipment may communicate with the core network or the internet via a radio access network (RAN), exchanging voice and/or data with the RAN.
The user equipment in the present application may also be referred to as a terminal device, and may be, for example, a wireless terminal device, a mobile terminal device, a device-to-device (D2D) terminal device, a vehicle-to-everything (V2X) terminal device, a machine-to-machine/machine-type communications (M2M/MTC) terminal device, an internet of things (IoT) terminal device, a subscriber unit, a subscriber station, a mobile station, a remote station, an access point (AP), a remote terminal, an access terminal, a user terminal, a user agent, or a user device.
For example, the user equipment in the application can be a mobile phone, a tablet computer, a computer with a wireless transceiving function, or a portable, pocket-sized, hand-held, or computer built-in mobile device; it may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in self driving, a wireless terminal in remote medical surgery, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a terminal device in a future evolved public land mobile network (PLMN), a vehicle device in V2X, customer premises equipment (CPE), or the like. As another example, the terminal device may also be a personal communication service (PCS) phone, a cordless phone, a session initiation protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), or the like.
By way of example, and not limitation, the user equipment in the present application may also be a wearable device. A wearable device, also called a wearable intelligent device or an intelligent wearable device, is a general term for wearable devices, such as glasses, gloves, watches, clothes, and shoes, developed by applying wearable technology to the intelligent design of everyday wear. A wearable device is a portable device that is worn directly on the body or integrated into the clothing or accessories of the user. A wearable device is not only a hardware device; it can also provide powerful functions through software support, data interaction and cloud interaction. Wearable smart devices in a broad sense include devices that can implement complete or partial functionality independently of a smartphone, such as smart watches or smart glasses, and devices that focus on a certain type of application function and need to be used together with other equipment such as a smartphone, such as the various smart bracelets, smart helmets, and smart jewelry used for physical sign monitoring. The various devices described above, if located on a vehicle (e.g., placed in the vehicle or installed in the vehicle), may be considered in-vehicle terminal devices, which are also known as on-board units (OBUs).
The embodiment of the application does not limit the specific technology and the specific equipment form adopted by the user equipment.
2) A radio access network device is a device in a communication system that connects a UE to a wireless network. The radio access network device is typically connected to the core network by a wired link, such as a fiber optic cable. The radio access network device may be a node in the RAN, and may also be referred to as a base station or as a RAN node (or device).
The radio access network device may include a base station, an evolved NodeB (eNodeB) in an LTE system or an LTE-Advanced (LTE-A) system, a next generation NodeB (gNB) in a 5G communication system, a transmission reception point (TRP), a baseband unit (BBU), an access point (AP) in a wireless local area network (WLAN), an integrated access and backhaul (IAB) node, a base station in a future mobile communication system, or an access node in a WiFi system, and so on. The radio access network device may also be a module or unit that performs part of the functions of a base station, such as a centralized unit (CU) or a distributed unit (DU).
For example, in one network architecture, the radio access network device may be a CU node, or a DU node, or a radio access network device including a CU node and a DU node. The CU node supports protocols such as radio resource control (RRC), the packet data convergence protocol (PDCP), and the service data adaptation protocol (SDAP); the DU node supports the radio link control (RLC) layer protocol, the medium access control (MAC) layer protocol, and the physical layer protocol.
The radio access network devices and user equipment may be deployed on land, including indoors or outdoors, hand-held or vehicle-mounted; they may be deployed on the water surface; and they may also be deployed in the air, on airplanes, balloons and satellites. The embodiment of the application does not limit the application scenarios of the radio access network equipment and the user equipment. In the embodiment of the present application, the radio access network device may be referred to simply as an access network device; unless otherwise specified, "access network device" hereinafter refers to the radio access network device.
The specific technology and the specific equipment form adopted by the access network equipment are not limited.
3) The core network device refers to a device in a core network (CN) that provides service support for the user equipment. Fig. 1 is a schematic diagram of a 5G communication system to which an embodiment of the present application is applicable. As shown in Fig. 1, the 5G core network includes a plurality of network elements, including an access and mobility management function (AMF), a session management function (SMF), a policy control function (PCF), a network slice selection function (NSSF), an authentication server function (AUSF), a unified data management function (UDM), a user plane function (UPF), a network exposure function (NEF) (not shown in the figure), a network data analytics function (NWDAF) (not shown in the figure), an application function (AF), and the like.
The AMF network element (hereinafter referred to as AMF) is mainly responsible for services such as mobility management and access management. The SMF network element (hereinafter referred to as SMF) is mainly responsible for session management, user equipment address management and allocation, dynamic host configuration protocol functions, selection and control of user plane functions, and the like. The PCF network element (hereinafter PCF) is mainly responsible for providing a unified policy framework for network behavior management, providing policy rules for control plane functions, obtaining registration information related to policy decisions, etc. The NSSF network element is mainly responsible for selecting a set of network slice instances to serve the user equipment. The AUSF network element is mainly responsible for authentication functions and the like for the user equipment. The NSSAAF network element mainly supports authentication and authorization of network slices. The UDM network element (hereinafter referred to as UDM) is mainly responsible for storing the subscription data, credentials, and subscription permanent identifiers (SUPI) of subscribed user devices in the network. The UPF network element (hereinafter referred to as UPF) is mainly responsible for packet routing and forwarding and packet filtering toward the externally connected data network (DN), for performing quality of service (QoS) control related functions, etc. The NEF network element (hereinafter, NEF) is mainly responsible for exposing network capabilities and events, acquiring external application information from the AF, and storing the information for external exposure in a user data repository (UDR). The NWDAF is mainly used for analyzing various kinds of network data, including network operation data collected from a network function (NF) or application data acquired from a third party AF. The analysis result generated by the NWDAF is also output to the NF and the third party AF. The AF network element (hereinafter referred to as AF) is mainly responsible for providing services to the 3GPP network, such as influencing service routing, interacting with PCF network elements for policy control, etc.
The network elements may communicate through next generation (NG) interfaces, for example: N1 is the interface between the AMF and the UE, used for delivering QoS control rules and the like to the UE. N2 is the interface between the AMF and the RAN, used to transfer radio bearer control information from the core network side to the RAN, etc. N3 is the interface between the RAN and the UPF, used for transferring user plane data between the RAN and the UPF. N4 is the interface between the SMF and the UPF, used for transferring information between the control plane and the user plane, including delivery of forwarding rules, QoS control rules, traffic statistics rules and the like from the control plane to the user plane, and reporting of information by the user plane. N5 is the interface between the AF and the PCF, used for issuing application service requests and reporting network events. N6 is the interface between the UPF and the DN, used for transferring user plane data between the UPF and the DN. N7 is the interface between the PCF and the SMF, used for issuing control policies at protocol data unit (PDU) session granularity and traffic data flow granularity. N8 is the interface between the AMF and the UDM, used by the AMF to obtain access and mobility management related subscription data and authentication data from the UDM, and to register the UE's current mobility management related information with the UDM, and the like. N10 is the interface between the SMF and the UDM, used by the SMF to obtain session management related subscription data from the UDM and to register the UE's current session related information with the UDM. N11 is the interface between the SMF and the AMF, used for delivering PDU session tunnel information between the RAN and the UPF, delivering control messages sent to the UE, delivering radio resource control information sent to the RAN, etc. There may be a southbound interface (not shown) between the NEF and other NFs, such as an N29 interface between the NEF and the SMF, and an N30 interface between the NEF and the PCF. An N23 interface (not shown) is provided between the NWDAF and the PCF.
Fig. 2 is a schematic diagram of another 5G communication system to which the embodiment of the present application is applicable.
In the system, the network elements can use service-based interfaces to communicate, for example: the service-based interface provided externally by the AUSF can be Nausf; the service-based interface provided externally by the AMF can be Namf; the service-based interface provided externally by the SMF can be Nsmf; the service-based interface provided externally by the NSSF can be Nnssf; the service-based interface provided externally by the NEF can be Nnef; the service-based interface provided externally by the NRF can be Nnrf; the service-based interface provided externally by the PCF can be Npcf; the service-based interface provided externally by the UDM can be Nudm; the service-based interface provided externally by the AF can be Naf; the service-based interface provided externally by the NWDAF can be Nnwdaf.
It should be noted that the above-mentioned network elements may be referred to as functional units or functional entities, which may be network elements in hardware devices, as well as software functions running on dedicated hardware, or virtualized functions instantiated on a platform (e.g. a cloud platform). Alternatively, the above functional unit may be implemented by one device, or may be implemented by a plurality of devices together, or may be different functional modules in one device, which is not limited by the embodiment of the present application.
It should be noted that, in the embodiment of the present application, the user may be a person or other entity that has a subscription with the network in order to communicate over a network connection, and the user equipment may be a device used by the user. The data generated by the user using the user equipment may be referred to as data of the user or data of the user equipment. It is understood that such data, whether referred to as user data or user equipment data, belongs to the user.
Fig. 3 is a flowchart of a method for authorizing operation (or processing) of user data according to an embodiment of the present application, the method includes the following steps:
S101: a network function (NF) consumer sends an analysis subscription request message to the NWDAF, and accordingly the NWDAF receives the analysis subscription request message from the NF consumer.
The NF consumer may be, for example, an AF, or a network element such as PCF that requests analysis of data.
The analysis subscription request message may contain identification information of the user, such as a subscription permanent identifier (SUPI), and an analytics identifier (Analytics ID). The Analytics ID may indicate the current analysis type, such as mobility analysis of the UE (UE mobility Analytics) or communication analysis of the UE (UE communication Analytics).
Mobility analysis of a UE is used for statistics and predictions of UE movement characteristics, e.g. at least one of analysing the UE's position at a certain time, analysing the UE's possible movement trajectories, etc.
The communication analysis of the UE is used for statistics and predictions of UE communication characteristics, such as analyzing traffic characteristics of the UE at a certain time, including at least one of flow rate, traffic size, etc.
It will be appreciated that the analysis subscription request message is used to request analysis of data; that is, the message sent in step S101 can indicate the purpose of processing, for example data analysis. For example, the analysis subscription request message is an Nnwdaf_AnalyticsSubscription_Subscribe Request message. In addition, the Analytics ID indicates the specific type of data analysis. For example, when the Analytics ID is UE mobility Analytics or UE communication Analytics, the analysis is performed on user data. When the Analytics ID is network function load information (NF load information), the analysis is performed on network data and no user data is involved. Where the analysis is performed on user data, the name of the analysis subscription request message (or the message itself) indicates that the user data processing purpose corresponding to the message is data analysis.
The NF consumer sending an analysis subscription request message to the NWDAF may also be understood as the NF consumer invoking the analysis subscription service of the NWDAF.
S102: the NWDAF determines whether user consent needs to be checked for the current call.
For example, the NWDAF may determine, according to a local policy, whether the user consent needs to be checked for the current call.
The local policy may include: if the call does not involve an operation on the user's data (e.g., it involves an operation on network data), no check is required, and steps S103-S105 are skipped; if the call involves an operation on the user's data, a check is required. If the call involves an operation on user data and the context stored locally at the NWDAF includes the user consent information, the check is performed directly against the locally stored user consent information and steps S103 to S105 are skipped; if the call involves an operation on user data and the NWDAF has no locally stored user consent information, steps S103 to S105 are performed.
The user consent information may include data processing purposes and user consent results. The data processing purpose indicates the purpose for which the user data is operated on, for example data analysis or data model training. The user consent result indicates whether the user consents to the user data being operated on for that data processing purpose; for example, 1 represents consent and 0 represents non-consent.
For example, if the data processing purpose is data analysis, this means that the user's data will be collected and analyzed to obtain an analysis result, such as at least one of mobility analysis of the UE, communication analysis of the UE, and the like. If the data processing purpose is data model training, this means that a machine learning model will be trained on the collected user data to obtain a machine learning model.
S103: the NWDAF sends a subscription data acquisition request message to the UDM, and accordingly the UDM receives the subscription data acquisition request message from the NWDAF.
The subscription data acquisition request message may be a Nudm_SDM_Get Request message, which is used to obtain subscription data of the user. The subscription data acquisition request message may contain the user identifier SUPI and, optionally, a subscription type indicating the type of subscription data, e.g. indicating that the type of subscription data is access and mobility subscription data, SMF selection subscription data, SMF management subscription data, or subscription data related to user consent. The subscription type here may be a subscription type indicating user consent.
S104: the UDM obtains the subscription data of the user according to the user identifier SUPI, where the subscription data includes the user consent information.
Optionally, if the subscription type indicates subscription data related to user consent, the UDM obtains the user consent information according to the user identifier SUPI.
S105: the UDM sends subscription data to the NWDAF, which receives subscription data from the UDM accordingly.
In one implementation, the UDM sends a Nudm_SDM_Get Response message to the NWDAF, which may include the user's subscription data containing the user consent information.
S106: the NWDAF determines whether to authorize the data operation corresponding to the analysis subscription request message.
In one implementation, the NWDAF determines whether to authorize the data operation corresponding to the analysis subscription request message according to the Nnwdaf_AnalyticsSubscription_Subscribe Request message and the data processing purpose and user consent result in the user consent information. For example, the NWDAF determines from the Nnwdaf_AnalyticsSubscription_Subscribe Request message that the data processing purpose corresponding to the message is data analysis, and then obtains the user consent result corresponding to data analysis; if the result is consent, the NWDAF authorizes the data analysis corresponding to the analysis subscription request message, and if the result is non-consent, the NWDAF does not authorize it.
S107: the NWDAF sends an analysis subscription response message to the NF consumer, and accordingly, the NF consumer receives the analysis subscription response message from the NWDAF.
The analysis subscription response message may be an Nnwdaf_AnalyticsSubscription_Subscribe Response message.
For example, if the NWDAF does not authorize the corresponding data operation according to the user consent result in S106, the analysis subscription response message indicates that the analysis subscription (e.g. Nnwdaf_AnalyticsSubscription_Subscribe) request has failed. If the NWDAF authorizes the corresponding data operation according to the user consent result in S106, the analysis subscription response message indicates that the analysis subscription request has succeeded. Where the data operation is authorized, S108 to S110 are performed.
S108: the NWDAF sends a user data request message to an NF provider (NF provider), and accordingly, the NF provider receives the user data request message from the NWDAF.
The NF provider may be an AMF, an SMF, or another network element that provides data. The user data request message may be an Nnf_EventExposure_Subscribe message, used to request the user data of the terminal device. The user data request message may include the user identifier SUPI.
S109: the NF provider sends the user data to the NWDAF, and accordingly the NWDAF receives the user data from the NF provider.
In one implementation, the NF provider sends an Nnf_EventExposure_Notify message to the NWDAF, which carries the user data requested by the NWDAF. The requested user data may be, for example, location data provided by the AMF (e.g., a tracking area identity (TAI), etc.), or communication data provided by the SMF (e.g., a communication interval or a communication rate), etc.
S110: the NWDAF analyzes the collected user data according to the analysis requested by the NF consumer, and obtains an analysis result.
For example, when the analysis ID indicates mobility analysis of the UE, the analysis result is location statistics of the UE. The location statistics of the UE may include at least one of a location of the UE, a time when the UE appears at the location, a time when the UE stays at the location, and the like. For another example, when the analysis ID indicates communication analysis of the UE, the analysis result is communication characteristic information. The communication characteristic information of the UE may include at least one of a periodic communication, a communication interval, a communication start time, a communication end time, a traffic size of the communication, a flow rate of the communication, and the like.
In one implementation, the NWDAF sends an Nnwdaf_AnalyticsSubscription_Notify message to the NF consumer, which contains the analysis result.
In the method shown in fig. 3, NWDAF and UDM are in the same public land mobile network (public land mobile network, PLMN), and no consideration is given to the scenarios where NWDAF and UDM, or NF consumer and UDM are in different PLMNs.
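The consent decision of steps S102 to S106 in Fig. 3 can be modelled as follows. This is an added Python example, not code from the application: the class and function names, the stub UDM, the SUPI values and the consent records are all constructed for illustration. Two behaviours are assumptions the text does not state: a request is refused when no consent record exists for the purpose, and consent fetched from the UDM is kept in the NWDAF's local context.

```python
from dataclasses import dataclass

# Analytics IDs named in the text; whether they touch user data follows S101.
USER_DATA_ANALYTICS = {"UE mobility Analytics", "UE communication Analytics"}
NETWORK_ONLY_ANALYTICS = {"NF load information"}

# Data processing purposes and consent result encoding given in the text.
DATA_ANALYSIS = "data analysis"
MODEL_TRAINING = "data model training"
CONSENT, NO_CONSENT = 1, 0

# Constructed sample subscription data: SUPI -> {purpose: consent result}.
SAMPLE_SUBSCRIPTIONS = {
    "imsi-001010000000001": {DATA_ANALYSIS: CONSENT, MODEL_TRAINING: NO_CONSENT},
    "imsi-001010000000002": {DATA_ANALYSIS: NO_CONSENT},
}


class StubUDM:
    """Hypothetical stand-in for the UDM side of S103-S105 (Nudm_SDM_Get)."""

    def __init__(self, consent_by_supi):
        self._consent_by_supi = consent_by_supi
        self.queries = 0  # lets the caller see when S103-S105 were skipped

    def sdm_get(self, supi):
        self.queries += 1
        # Copy, so the caller cannot alter the stored subscription data.
        return dict(self._consent_by_supi.get(supi, {}))


@dataclass(frozen=True)
class Decision:
    authorized: bool
    reason: str
    udm_queried: bool


class ConsentCheckingNWDAF:
    """Hypothetical model of the NWDAF decision logic in S102 and S106."""

    def __init__(self, udm, local_context=None):
        self.udm = udm
        self.local_context = dict(local_context or {})  # SUPI -> consent info

    def handle_analysis_subscribe(self, supi, analytics_id):
        # S102: local policy. Network-data analytics need no consent check.
        if analytics_id in NETWORK_ONLY_ANALYTICS:
            return Decision(True, "network data only, no consent check", False)
        if analytics_id not in USER_DATA_ANALYTICS:
            # Assumption: an Analytics ID the policy does not know is refused.
            return Decision(False, "unknown Analytics ID", False)

        # The message is an analysis subscription, so the purpose is analysis.
        purpose = DATA_ANALYSIS

        # Use locally stored consent if present, otherwise run S103-S105.
        consent_info = self.local_context.get(supi)
        udm_queried = consent_info is None
        if udm_queried:
            consent_info = self.udm.sdm_get(supi)
            # Assumption: keep the result locally. Stored consent goes stale
            # if the user later changes it; the text does not cover refresh.
            self.local_context[supi] = consent_info

        # S106: authorize only on an explicit consent result for this purpose.
        result = consent_info.get(purpose)
        if result == CONSENT:
            return Decision(True, "user consented to " + purpose, udm_queried)
        if result == NO_CONSENT:
            return Decision(False, "user refused " + purpose, udm_queried)
        # Assumption: a missing record is treated as refusal (fail closed).
        return Decision(False, "no consent record for " + purpose, udm_queried)


if __name__ == "__main__":
    nwdaf = ConsentCheckingNWDAF(StubUDM(SAMPLE_SUBSCRIPTIONS))
    for supi, analytics_id in [
        ("imsi-001010000000001", "UE mobility Analytics"),
        ("imsi-001010000000001", "UE communication Analytics"),
        ("imsi-001010000000002", "UE mobility Analytics"),
        ("imsi-001010000000003", "UE mobility Analytics"),
        ("imsi-001010000000001", "NF load information"),
    ]:
        print(supi, analytics_id, nwdaf.handle_analysis_subscribe(supi, analytics_id))
```
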
Fig. 4 shows a method for authorizing processing of user data according to the present application. It should be noted that, in the embodiment of the present application, processing of the user data may include any operation on the user data, for example, collecting, recording, acquiring, configuring, storing, updating, analyzing, compressing, retrieving, sharing, using, deleting, and the like.
The method shown in fig. 4 involves interactions between data use network elements, authorization check network elements, data management network elements, and data providing network elements.
A data use network element may be understood as a network element that triggers processing of user data. For example, in the flow shown in Fig. 3, the analysis of the user data is performed in response to a request from the data use network element (the NF consumer); that is, the data use network element triggers the analysis of the user data. In addition, the data use network element can itself process user data. For example, the NF consumer obtaining the user's analysis result is itself processing of user data. In the embodiment of the present application, the name "data use network element" is merely an example, and does not impose any limitation on the function or characteristics of the network element. For example, the data use network element may also be referred to as a data request network element, a network function consumer, a service consumption network element, a data consumer, or the like. In a 5G architecture, the data use network element may be a PCF, an AF, or the like.
An authorization check network element may be understood as a network element that authorizes the processing of user data. For example, in the flowchart shown in Fig. 3, the NWDAF determines whether to authorize the data operation corresponding to the analysis subscription request message, that is, whether to authorize processing of the user data. In addition, the authorization check network element may itself process the user data. For example, the NWDAF analyzing the collected user data is itself processing of user data. In the embodiment of the present application, the name "authorization check network element" is merely an example, and does not impose any limitation on the function or characteristics of the network element. In the 5G architecture, the authorization check network element may be a NEF, an NWDAF, a data collection coordination function (DCCF) network element, an edge enabler server (EES), or the like. The authorization check network element and the data use network element can be co-located in one device.
The data management network element may be understood as a network element for storing or managing relevant parameters agreed by the user, and may be UDM, UDR, PCF, or the like.
The data providing network element is used for providing data of the user, and may be an AMF, an SMF, or a UPF. The data providing network element may be co-located with the authorization check network element in one device.
Wherein the data management network element and the authorization check network element may be located in different networks (e.g. different PLMNs or different slices), or the data management network element and the data usage network element may be located in different networks (e.g. different PLMNs or different slices).
As shown in fig. 4, the method comprises the steps of:
S200: An identification of a network that the user allows to process the user data (hereinafter simply referred to as an allowed network) is pre-stored in the subscription data of the user.
Wherein the allowed network is a network that can be authorized to process the user data, i.e. the user allows the allowed network to control, use or store the user data, and the allowed network takes on the responsibility of protecting the user data. The network may be authorized to process user data based on some or all of the data processing purposes to which the user has subscribed; the application is not limited in this regard.
The allowed network may be of PLMN granularity, e.g. the identification of the allowed network may be a PLMN ID. Alternatively, the allowed network may be of slice granularity; the application is not limited in this regard.
The identification of the allowed network may be pre-configured by an administrator in the subscription data of the UE at the time of the user's subscription, e.g. according to the network the user accepts in a contract with the operator.
The subscription data of the user may be pre-stored at the data management network element, e.g. at the UDM.
S201: the data use network element sends a data call request message to the authorization check network element, and correspondingly, the authorization check network element receives the data call request message from the data use network element.
Wherein the data call request message is used for triggering processing of user data. The data call request message contains a user identification 01. The data call request message may be triggered by a specific application programming interface (application programming interface, API).
The "01" in user identification 01 merely labels one user identification and is not intended to limit its specific content. For example, the user identification 01 is used to identify the user, and may be a SUPI, a generic public subscription identifier (GPSI), or the like; the application is not limited in this regard.
Optionally, the data call request message indicates the purpose for which the data use network element processes the user data, such as collection, reading, analysis, sharing, or model training. Wherein, collecting user data may be an operation of acquiring the user data from a plurality of devices or from one device at different moments; reading user data may be an operation of retrieving user data and placing it locally or storing it in another device; analyzing user data may be an operation of decomposing and integrating the user data to draw a conclusion; sharing user data may be an operation of providing user data to an external device; model training may be an operation of applying machine learning to user data to obtain a trained model.
For example, the processing purpose of the user data may be embodied by the name of the data call request message, e.g., the Nnwdaf_AnalyticsSubscription_Subscribe request in fig. 3 indicates that the processing purpose of the user data is analysis. Alternatively, the data call request message may include an operation indication (also referred to as a processing indication) to indicate the purpose of processing the user data. In addition, the data call request message may also carry an analysis ID, where the analysis ID indicates a specific type of data analysis, such as mobility analysis of the UE or communication analysis of the UE.
Optionally, the data call request message may further include identification information of the network where the data use network element is located, which identifies that network and may be, for example, a PLMN ID. The identification information of the network where the data use network element is located may be carried in the identification information of the data use network element, that is, the data call request message includes an identification of the data use network element, and that identification includes the identification information of the network where the data use network element is located. For example, the identification information of the data use network element is an NF ID, which may include a PLMN ID.
For example, when the authorization check network element is a NEF, the data call request message may be a message such as Nnef_Location or Nnef_UEIdentifier_Get. When the authorization check network element is an NWDAF, the data call request message may be a message such as Nnwdaf_AnalyticsSubscription_Subscribe.
For example, the data use network element is a server of an online shopping platform, and the server calls an API for requesting a UE identification, which is exposed by the authorization check network element NEF. For example, the online shopping platform server initiates an Nnef_UEIdentifier_Get call request to the NEF and sets the user information in Nnef_UEIdentifier_Get to the IP address of a UE, which indicates that the online shopping platform server requests the identification information of the user corresponding to that IP address. In this example, the data call request message that calls the NEF's API indicates that the online shopping platform server performs read processing on the user's data (i.e., identity information).
For another example, the data use network element is a PCF that invokes a data analysis API provided by the authorization check network element NWDAF and indicates that the UE location is to be analyzed. For example, the PCF initiates an Nnwdaf_AnalyticsSubscription_Subscribe call request to the NWDAF, and sets the analysis ID in Nnwdaf_AnalyticsSubscription_Subscribe to UE mobility analytics and the Target of Analytics Reporting to the SUPI of a UE, to indicate that the PCF requests the NWDAF to analyze mobility data of the UE. In this example, the data call request message that calls the NWDAF's API indicates that the PCF performs analysis processing on the user's data (i.e., mobility data).
S202: the authorization checking network element judges whether user consent information of the UE is locally stored.
If the user consent information of the UE is stored in the context of the authorization checking network element, the user consent information is directly obtained from the context, and the user consent information is not required to be obtained from the data management network element. Wherein, the user consent information is detailed in the related description in S204.
If the user agreement information of the UE is not stored in the context of the authorization check network element, S203-S204 are performed.
S203: the authorization check network element sends a subscription data acquisition request message to the data management network element, and correspondingly, the data management network element receives the subscription data acquisition request message from the authorization check network element.
The subscription data acquisition request message is used for requesting subscription data of the user. The subscription data acquisition request message may contain a user identification 02. The user identification 02 may be the same as the user identification 01, or may be obtained by the authorization check network element by converting the user identification 01. For example, the authorization check network element converts a GPSI to a SUPI; the application is not limited in this regard. Optionally, the subscription data acquisition request message may further include a subscription type, where the subscription type indicates user consent.
The subscription data acquisition request message may be a Nudm_SDM_Get Request message.
S204: the data management network element sends a subscription data acquisition response message to the authorization check network element, and correspondingly, the authorization check network element receives the subscription data acquisition response message from the data management network element.
The subscription data acquisition response message contains user consent information. The subscription data acquisition response message may be a Nudm_SDM_Get Response message.
For example, the data management network element obtains subscription data of the user according to the user identification 02, where the subscription data includes user consent information. The user consent information contains data processing purposes and user consent results, and also contains an identification of the allowed networks. The data processing purpose indicates the purpose of processing user data, including for example data analysis, data model training, data reading, or data sharing. The user consent result indicates whether the user agrees to processing of data for the data processing purpose, for example, 1 stands for consent and 0 stands for disagreement. For the identification of the allowed network, see S200.
In one example, the user consent information is as shown in table 1:
TABLE 1
In one implementation, the authorization check network element saves the obtained user consent information as a context of the UE, and may provide the context of the UE to other authorization check network elements.
S205: The authorization check network element determines whether to authorize processing of the user data according to the user consent information.
In a first implementation, the authorization check network element determines whether the data call request message originates from an allowed network (i.e., whether the data use network element belongs to an allowed network) and thereby determines whether processing of the user data is authorized (e.g., whether to authorize the data use network element to process the user data).
Wherein, in the case that the data call request message originates from an allowed network and the user agrees to processing of the user data for the data processing purpose of the data call request, the data use network element is authorized to process the user data; in the case that the data call request message does not originate from an allowed network, or it originates from an allowed network but the user does not agree to processing of the user data for the data processing purpose of the data call request, the data use network element is not authorized to process the user data.
In this implementation, if the authorization check network element and the data use network element are located in the same network, the specific judgment of the authorization check network element may be as follows:
(A1) The authorization check network element judges whether it itself belongs to an allowed network; if so, it further judges (A2), and if not, it does not authorize the data use network element to process the user data.
(A2) The authorization check network element determines whether, in the user consent information, the user consent result corresponding to the data processing purpose of the data call request is consent; if so, it authorizes the data use network element to process the user data; if not, it does not authorize the data use network element to process the user data.
In connection with the example of table 1, assuming that the authorization check network element is located in network PLMN a, the decisions of (A1) and (A2) corresponding thereto may be:
(A1) The authorization checking network element judges whether the network PLMN A where the authorization checking network element is located belongs to an allowed network, and if the authorization checking network element is determined to belong to the allowed network according to the allowed network identification in the table 1, further judges (A2).
(A2) The authorization check network element determines that the data processing purpose of the data call request is purpose #1 in the user consent information and that the corresponding user consent result is consent, and authorizes the data use network element to process the user data.
Alternatively, assuming that the authorization check network element is located in the network PLMN C, the judgment of the corresponding (A1) and (A2) may be:
(A1) Because the user consent information received by the authorization check network element does not include the identification of PLMN C, the authorization check network element judges that the network PLMN C where it is located does not belong to the allowed networks, and does not authorize the data use network element to process the user data.
Optionally, the authorization check network element may obtain the data processing purpose corresponding to the data call request from the name of the data call request message itself or from the operation indication included in the data call request message. For example, if the data call request message is Nnef_UEIdentifier_Get, the data processing purpose corresponding to the data call request is data reading; if the operation indication indicates that the operation on the user data is analysis, the data processing purpose corresponding to the data call request is data analysis.
In this implementation, if the authorization check network element and the data use network element are located in different networks, the authorization check network element may obtain, from the data call request, identification information of the network in which the data use network element is located, where that network may be the PLMN in which the data use network element is located. In this case, the specific judgment of the authorization check network element may be as follows:
(B1) The authorization check network element judges whether the data use network element belongs to an allowed network; if so, it further judges (B2), and if not, it does not authorize the data use network element to process the user data.
(B2) The authorization check network element determines whether, in the user consent information, the user consent result corresponding to the data processing purpose of the data call request is consent; if so, it authorizes the data use network element to process the user data; if not, it does not authorize the data use network element to process the user data.
It will be appreciated that the judgments (B1) and (B2) are similar to (A1) and (A2) described above, the difference being whether the network checked against the allowed networks is the network in which the authorization check network element is located or the network in which the data use network element is located. For (B1) and (B2), refer to the above exemplary descriptions of (A1) and (A2), which are not repeated herein.
In a second implementation, the authorization check network element determines whether it itself belongs to an allowed network, and thereby determines whether processing of the user data is authorized (e.g., whether it itself is authorized to process the user data).
Wherein, in the case that the authorization check network element belongs to an allowed network and the user agrees to processing of the data for the data processing purpose of the data call request, the authorization check network element is authorized to process the user data; in the case that the authorization check network element itself does not belong to a network that the user allows to process the user data, or it does belong to such a network but the user does not agree to processing of the user data for the data processing purpose of the data call request, the authorization check network element itself is not authorized to process the user data.
In this implementation, the specific judgment of the authorization check network element may be as follows:
(C1) The authorization check network element judges whether it itself belongs to an allowed network; if so, it further judges (C2), and if not, it does not authorize itself to process the user data.
(C2) The authorization check network element determines whether the user consent result corresponding to the data processing purpose of the data call request is consent; if so, it authorizes itself to process the user data; if not, it does not authorize itself to process the user data.
It will be appreciated that the judgments (C1) and (C2) are the same as (A1) and (A2) described above; refer to the above exemplary descriptions of (A1) and (A2), which are not repeated here.
In another implementation, the authorization check network element may determine both whether it itself belongs to an allowed network and whether the data use network element belongs to an allowed network, and on that basis determine whether to authorize this operation of processing user data. It should be noted that, in the above implementations, the authorization check network element first determines whether the authorization check network element belongs to an allowed network and then determines whether the user consents. A scheme that first determines whether the user consent result corresponding to the data processing purpose of the data call request is consent and then determines whether the authorization check network element and/or the data use network element belong to an allowed network is also within the scope of the embodiment of the present application, and the embodiment of the present application does not limit the order of the judgments.
Authorizing processing of user data may be understood as authorizing the action of the relevant network element that processes the user data, or authorizing the data call request, or authorizing the event of processing the data. It may take the form that the relevant network element that processes the user data executes the data call request according to the normal flow. The relevant network element that processes the user data may be the authorization check network element or the data use network element. The action of the relevant network element may be, for example, that the authorization check network element acquires the user data according to the data call request message, or uses the acquired user data to perform data analysis, or uses the acquired user data to perform model training; it may also be, for example, that the data use network element obtains the user data, the data analysis results, or the model training results.
Accordingly, not authorizing processing of user data may be understood as not authorizing the action of the relevant network element that processes the user data, or not authorizing the data call request, or not authorizing the event of processing the data. It may take the form that the relevant network element that processes the user data does not execute the data call request according to the normal flow.
Specifically, in the case where the processing of the user data is authorized, S206a may be initiated. In the case where the processing of the user data is not authorized, S206b may be initiated, i.e. the authorization check network element sends a message rejecting the data call request to the data use network element, or another way of not authorizing may be used. Alternatively, in the case where it is determined not to authorize, S206a may still be initiated, i.e., the flow proceeds according to the data call request message, but the unauthorized event for the request is recorded; the application is not limited in this regard.
According to the judgment of step S205, one of the following two flows is performed:
S206a: The authorization check network element sends a data request message to the data providing network element according to the data call request message, where the data request message is used for requesting the user data 01 required by the data call request message.
S206b: The authorization check network element sends a message rejecting the data call request to the data use network element, for rejecting the data call request message in S201.
Wherein the message rejecting the data call request may comprise a cause value indicating that the data use network element does not belong to a network that the user allows to process the data. For example, the cause value may indicate an unauthorized network, or indicate that the data use network element does not belong to an allowed network. After receiving the cause value, the data use network element terminates the data call request.
S207: The data providing network element provides user data 01 to the authorization check network element, and correspondingly, the authorization check network element receives user data 01 from the data providing network element.
Among them, the user data 01 is input data required for obtaining the user data 02, and the user data 02 is described in detail in S208.
S208: the authorization check network element provides the user data 02 to the data use network element, and accordingly the data use network element receives the user data 02 from the authorization check network element.
Where user data 02 is the result of the operation on the user data requested by the data call request message. For example, if the data use network element is an online shopping platform server that calls the API for requesting a UE identification exposed by the authorization check network element NEF (for example, the online shopping platform server calls the NEF's Nnef_UEIdentifier_Get with the user information set to the IP address of a certain UE), both the user data 01 and the user data 02 may be the identification information of the user corresponding to the requested IP address.
For another example, if the data use network element PCF invokes the data analysis API provided by the authorization check network element NWDAF to analyze the UE location (for example, the PCF invokes the NWDAF's Nnwdaf_AnalyticsSubscription_Subscribe with the input analysis ID set to UE mobility analytics and the Target of Analytics Reporting set to the SUPI of a certain UE), then the user data 01 is location information of the UE, and the user data 02 is an analysis result obtained from the location information of the UE.
Note that S207 and S208 may be performed in the case where it is determined in S205 that processing of the user data is authorized, or in the case where S206a is performed even though processing of the user data is not authorized in S205.
According to the method shown in fig. 4, in a cross-network scenario in which the data management network element and the authorization check network element are located in different networks, or in which the data management network element and the data use network element are located in different networks, the authorization check network element obtains the identification of the allowed network from the data management network element and, in the authorization process, checks according to that identification whether the network element currently processing the user data belongs to a network allowed by the user. In this way, authorization of user data processing in cross-network scenarios can be implemented.
It will be appreciated that the network in which the data management network element is located stores the user consent information and is itself a network that is allowed to process user data. If the authorization check network element and the data use network element are also located in the network where the data management network element is located, the network where the authorization check network element is located or the network where the data use network element is located does not need to be checked. However, the embodiment of the present application does not exclude checking in that scenario, that is, even when the authorization check network element and the data use network element are located in the network where the data management network element is located, the network where the authorization check network element or the data use network element is located may still be checked.
Further, because the authorization checking network element performs authorization according to the identifier of the allowed network, the accuracy of authorization is improved, and the potential safety hazard caused by processing user data by the network which is not allowed is avoided.
Meanwhile, because the check is performed at the authorization check network element, the user consent information can be migrated between different authorization check network elements as the context of the UE, which reduces how often authorization check network elements repeatedly request the user consent information and reduces the impact on the data management network element.
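The S202-S206 decision described above can be sketched as follows. This is an added example, not code from the patent: the class names, the cause strings, the operation-to-purpose mapping, the fail-closed handling of missing consent or unknown purpose, and the sample PLMN and SUPI values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Assumed mapping from message name to data processing purpose, following
# the two examples in the text (UE identifier lookup = read, NWDAF = analysis).
PURPOSE_BY_OPERATION = {
    "Nnef_UEIdentifier_Get": "read",
    "Nnwdaf_AnalyticsSubscription_Subscribe": "analysis",
}

@dataclass(frozen=True)
class UserConsent:
    allowed_networks: FrozenSet[str]  # identifications of allowed networks (S200)
    results: Dict[str, bool]          # data processing purpose -> consent result

@dataclass(frozen=True)
class DataCallRequest:
    user_id: str
    operation: str
    consumer_plmn: Optional[str] = None         # None: same network as the checker
    operation_indication: Optional[str] = None  # explicit purpose, if carried

@dataclass(frozen=True)
class Decision:
    authorized: bool
    cause: Optional[str] = None  # hypothetical cause value for the S206b reject

class DataManagement:
    """Stand-in for the data management network element (e.g. a UDM)."""
    def __init__(self, subscriptions: Dict[str, UserConsent]):
        self.subscriptions = subscriptions
        self.lookups = 0  # counts S203/S204 round trips

    def get_consent(self, user_id: str) -> Optional[UserConsent]:
        self.lookups += 1
        return self.subscriptions.get(user_id)

class AuthorizationCheck:
    """Stand-in for the authorization check network element (e.g. NEF, NWDAF)."""
    def __init__(self, own_plmn: str, data_management: DataManagement):
        self.own_plmn = own_plmn
        self.dm = data_management
        self.context: Dict[str, Optional[UserConsent]] = {}  # UE context

    def _consent_for(self, user_id: str) -> Optional[UserConsent]:
        # S202: use the locally stored consent; otherwise S203/S204.
        if user_id not in self.context:
            self.context[user_id] = self.dm.get_consent(user_id)
        return self.context[user_id]

    def authorize(self, req: DataCallRequest) -> Decision:
        consent = self._consent_for(req.user_id)
        if consent is None:  # assumption: fail closed without consent data
            return Decision(False, "NO_CONSENT_INFORMATION")
        purpose = req.operation_indication or PURPOSE_BY_OPERATION.get(req.operation)
        if purpose is None:  # assumption: fail closed on unknown purpose
            return Decision(False, "UNKNOWN_PURPOSE")
        # (A1) same network: check own PLMN; (B1) otherwise the consumer's PLMN.
        network = req.consumer_plmn or self.own_plmn
        if network not in consent.allowed_networks:
            return Decision(False, "NETWORK_NOT_ALLOWED")
        # (A2)/(B2): consent result for this data processing purpose.
        if not consent.results.get(purpose, False):
            return Decision(False, "PURPOSE_NOT_CONSENTED")
        return Decision(True)

# Constructed sample data: PLMN A and PLMN B allowed, analysis consented.
SAMPLE_SUPI = "imsi-001010000000001"

def build_demo(own_plmn: str):
    udm = DataManagement({
        SAMPLE_SUPI: UserConsent(
            allowed_networks=frozenset({"PLMN-A", "PLMN-B"}),
            results={"analysis": True, "read": False},
        )
    })
    return AuthorizationCheck(own_plmn, udm), udm

if __name__ == "__main__":
    checker, udm = build_demo("PLMN-A")
    op = "Nnwdaf_AnalyticsSubscription_Subscribe"
    print(checker.authorize(DataCallRequest(SAMPLE_SUPI, op)))
    print(checker.authorize(DataCallRequest(SAMPLE_SUPI, op, consumer_plmn="PLMN-C")))
    print("lookups at data management element:", udm.lookups)
```

The network check runs before the purpose check here, matching the order of (A1)/(A2); the text notes that the order is not limited.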
The present application provides yet another method of authorizing processing of user data. Fig. 5 is a flow chart of the method in which a data management network element checks whether a network currently processing user data belongs to a network allowed by a user, the method comprising the steps of:
S300-S301 are the same as S200-S201 in FIG. 4, and are not described in detail.
S302: the authorization checking network element judges whether user consent information of the UE is locally stored.
If the user consent information of the UE is stored in the context of the authorization checking network element, the user consent information is directly obtained from the context, and the user consent information is not required to be obtained from the data management network element. Wherein, the user consent information is detailed in the related description in S304.
If the user agreement information of the UE is not stored in the context of the authorization check network element, S303-S304 are performed.
S303: the authorization check network element sends a subscription data acquisition request message to the data management network element, and correspondingly, the data management network element receives the subscription data acquisition request message from the authorization check network element.
The subscription data acquisition request message is used for requesting subscription data of the user. The subscription data acquisition request message may contain the user identification 02 and an identification of the network processing the user data. The user identification 02 may be the same as the user identification 01, or may be obtained by the authorization check network element by converting the user identification 01. For example, the authorization check network element converts a GPSI to a SUPI; the application is not limited in this regard. The identification of the network processing the user data identifies the network where the network element that processes the user data is located, for example, the network where the authorization check network element is located, or the network where the data use network element is located.
Optionally, the subscription data acquisition request message may further include a subscription type, where the subscription type indicates user consent. Alternatively, the subscription data acquisition request message may further include indication information of the data processing purpose, which indicates the purpose of processing the data and may be understood as indicating the data processing purpose corresponding to the data call request message in S301. The indication information may specifically be the operation indication included in the data call request message, or new information generated by the authorization check network element according to the data call request message. For example, the new information and the operation indication may both indicate that the data is to be analyzed, but their forms may differ.
For example, if the data call request message includes operation indication #1, the indication information of the data processing purpose may be operation indication #1 itself. Alternatively, the indication information of the data processing purpose may be a character string #1, which indicates the data processing purpose indicated by operation indication #1.
The network in which the data management network element is located and the network that processes the user data may not be the same network (e.g., not the same PLMN or slice).
In one implementation, if the identifier of the network that processes the user data is the identifier of the network where the authorization check network element is located, the authorization check network element may obtain the identifier of the network where the authorization check network element is located from its own context. If the identification of the network for processing the user data is the identification of the network where the data use network element is located, the authorization check network element can obtain the identification of the network where the data use network element is located from the message interacted with the data use network element. For example, the authorization check network element may obtain from S301 the identity of the network in which the data usage network element is located.
Optionally, the identifier of the network where the authorization check network element is located is an ID of the PLMN where the authorization check network element is located, where the ID of the PLMN where the authorization check network element is located may be included in the identifier of the authorization check network element, that is, the subscription data acquisition request message includes the identifier of the authorization check network element, where the identifier of the authorization check network element includes the ID of the PLMN where the authorization check network element is located. The identity of the authorization check network element may be, for example, an NF ID. Similarly, the identity of the network in which the data use network element is located may be the ID of the PLMN in which the data use network element is located.
The subscription data acquisition request message may be a Nudm_SDM_Get Request message.
S304: the data management network element obtains the user consent information 02.
For example, the data management network element obtains subscription data of the user according to the user identifier 02, the subscription data includes user consent information 01, and the user consent information 01 includes the data processing purpose 01 and the user consent result 01. The data processing purpose 01 may include one or more data processing purposes, and the corresponding user consent result 01 may also include one or more user consent results. Additionally, the subscription data also contains an identification of the allowed networks.
The data management network element determines the user consent result 02 in the user consent information 02 according to the identification of the network that handles the user data and the identification of the allowed network.
For example, the data management network element determines the user consent result 02 in the user consent information 02 according to whether the identifiers of the allowed networks contain the identifier of the network that processes the user data. If they do not, the data management network element constructs a user consent result 02 of disagree; if they do, the data management network element obtains the data processing purpose 02 and the user consent result 02.
In the case where the identifiers of the allowed networks do not contain the identifier of the network that processes the user data, the data management network element may construct the user consent result 02 as disagree in the following ways.
The first implementation: the data management network element constructs a disagree user consent result 02 corresponding to the preconfigured data processing purpose 03. The preconfigured data processing purpose 03 may be all data processing purposes supported by the network.
For example, the user consent information 01 is shown in Table 1, and the identifier of the network that processes the user data is PLMN C, which is not among the identifiers of the allowed networks, PLMN A and PLMN B. The preconfigured data processing purpose 03 is purpose #1, purpose #2 and purpose #3, and the data management network element constructs the user consent result 02 as disagree, that is, it constructs a disagree user consent result for each of purpose #1, purpose #2 and purpose #3. In this example, the user consent information 02 containing the user consent result 02 may be as shown in Table 2.
Data processing purpose | User consent result
Purpose #1 | 0
Purpose #2 | 0
Purpose #3 | 0
Table 2
The second implementation: the data management network element constructs a disagree user consent result 02 corresponding to the data processing purpose 04, which is the data processing purpose corresponding to the identifier of the allowed network.
For example, the user consent information 01 is shown in Table 1. The identifier of the network that processes the user data is PLMN C, which is not among the identifiers of the allowed networks, PLMN A and PLMN B. The data management network element obtains the data processing purpose corresponding to PLMN A or PLMN B. If the data management network element obtains data processing purpose #1 and data processing purpose #2 of PLMN A and constructs the user consent result 02 as disagree, that is, constructs a disagree user consent result for each of purpose #1 and purpose #2, the user consent information 02 containing the user consent result 02 may be as shown in Table 3.
Data processing purpose | User consent result
Purpose #1 | 0
Purpose #2 | 0
Table 3
The third implementation: if the subscription data acquisition request message contains indication information of the data processing purpose, the data management network element constructs, according to that indication information, a disagree user consent result 02 corresponding to the data processing purpose of the data call request.
For example, the user consent information 01 is shown in Table 1. The identifier of the network that processes the user data is PLMN C, which is not among the identifiers of the allowed networks, PLMN A and PLMN B. The data management network element determines from the subscription data acquisition request message that the data processing purpose of the data call request is purpose #1 and constructs a disagree user consent result 02 corresponding to purpose #1. The user consent information 02 containing the user consent result 02 may be as shown in Table 4.
Data processing purpose | User consent result
Purpose #1 | 0
Table 4
It should be noted that, if the data management network element constructs the user consent result 02 as disagree, the user consent information 02 may not include the data processing purpose.
In the case where the identifiers of the allowed networks contain the identifier of the network that processes the user data, the data management network element may obtain the data processing purpose 02 and the user consent result 02 in the following ways.
The first way: the data management network element obtains the data processing purpose 02 corresponding to the identifier of the allowed network (e.g. the identifier of the network that processes the user data) and the user consent result 02 corresponding to the data processing purpose 02.
For example, the user consent information 01 is shown in Table 1. The identifier of the network that processes the user data is PLMN A, which is among the identifiers of the allowed networks. The data management network element obtains the data processing purpose 02 and the user consent result 02 corresponding to PLMN A, wherein the data processing purpose includes purpose #1 and purpose #2, and the user consent information 02 includes a user consent result of consent for purpose #1 and a user consent result of disagree for purpose #2. In this example, the user consent information 02 may be as shown in Table 5:
Data processing purpose | User consent result
Purpose #1 | 1
Purpose #2 | 0
Table 5
The second mode is as follows: if the subscription data acquisition request message includes the indication information of the data processing purpose, the data management network element acquires the data processing purpose (namely, the data processing purpose 02) of the data call request and the corresponding user consent result 02 according to the indication information of the data processing purpose.
For example, user consent information 01 is shown in table 1. The identity of the network handling the user data is PLMN a, belonging to the allowed network identity. The data processing purpose 02 of the data call request acquired by the data management network element is the purpose #1, and the data management network element acquires the user consent result 02 corresponding to the purpose #1 as consent according to the user consent information 01. In this example, the user consent information 02 may be as shown in table 6:
Data processing purpose | User consent result
Purpose #1 | 1
Table 6
In this example, the user consent information 02 may include only the user consent result 02 of consent and may not include the data processing purpose 02.
S305: the data management network element sends a subscription data acquisition response message to the authorization check network element, and correspondingly, the authorization check network element receives the subscription data acquisition response message from the data management network element.
The subscription data acquisition response message includes the user consent information 02 obtained in S304. The subscription data acquisition response message may be a Nudm_SDM_Get Response message.
S306: the authorization check network element determines whether to authorize processing of the user data according to the user consent information 02.
In a first implementation, if the user consent information 02 includes the user consent result 02, the authorization check network element determines whether the user consents to the current invocation based on the user consent result 02. If not, processing of the user data is not authorized; if so, processing of the user data is authorized.
In a second implementation, if the user consent information 02 includes the data processing purpose 02 and the user consent result 02, the authorization check network element makes the judgment as follows:
The authorization check network element judges whether the user consents to the current invocation according to the data processing purpose of the data call request message, the data processing purpose 02 and the user consent result 02. If not, processing of the user data is not authorized; if so, processing of the user data is authorized.
Optionally, the authorization check network element may obtain the data processing purpose of the data call request through the name of the data call request message itself or the operation instruction included in the data call request message.
For understanding of the authorized processing user data and the unauthorized processing user data, reference may be made to the description in S205, and details thereof will not be repeated here.
Specifically, if processing of the user data is authorized, S307a may be initiated. If processing of the user data is not authorized, S307b may be initiated, that is, the authorization check network element sends a message rejecting the data call request to the data use network element; alternatively, another non-authorization manner may be adopted. One such manner is to still initiate S307a, that is, to authorize the data call request and initiate a data request according to the data call request message, but to record the event that the request was not authorized. The present application does not limit this.
According to the judgment of step S306, one of the following two flows is performed:
S307a: The authorization check network element sends a data request message to the data providing network element according to the data call request message, wherein the data request message is used for requesting the user data 01 required by the data call request message.
S307b: The authorization check network element sends a message rejecting the data call request to the data use network element, for rejecting the data call request message in S201.
The message rejecting the data call request may comprise a cause value indicating that the data use network element does not belong to a network that the user allows to process the data. For example, the cause value may indicate an unauthorized network, or indicate that the data use network element does not belong to an allowed network, etc. After receiving the cause value, the data use network element terminates the data call request.
S308 to S309 refer to S207 to S208, and are not described here.
Note that S308 and S309 may be performed in the case where it is determined in S306 that the user data is authorized to be processed, or in the case where S307a is performed although the user data is not authorized to be processed in S306.
According to the method shown in Fig. 5, in a cross-network scenario where the network where the data management network element is located and the network that processes the user data may not be the same network, the data management network element, in the process of providing subscription data to the authorization check network element, checks according to the identifiers of the allowed networks whether the network currently processing the user data belongs to the networks allowed by the user. The data management network element provides a user consent result to the authorization check network element based on the check result, and the authorization check network element determines whether to authorize processing of the user data according to that user consent result. Authorization of processing of user data in a cross-network scenario can thereby be achieved.
It will be appreciated that the network in which the data management network element is located, being a network that is allowed to process user data, stores the user consent information. If the network that processes the user data is the network where the data management network element is located, no verification of the network that processes the user data is necessary. However, the embodiment of the present application does not exclude the scenario in which the network that processes the user data is the network where the data management network element is located; that is, the network that processes the user data may also be checked in that scenario.
Further, because the data management network element determines the user consent result according to the identifier of the allowed network, the accuracy of authorization is improved, and the potential safety hazard caused by processing the user data by the disallowed network is avoided.
Furthermore, the application provides a further method of authorizing processing of user data. Fig. 6 is a flow chart of the method. In this method, a data management network element checks whether the network currently processing user data belongs to the networks allowed by the user and provides the identifier of the allowed network to an authorization check network element, so that the authorization check network element determines whether to authorize processing of the user data based on the identifier of the allowed network. The method includes the following steps:
S400-S403 are the same as S300-S303 in fig. 5, and are not described in detail.
S404: the data management network element obtains the user consent information 02.
For example, the data management network element obtains subscription data of the user according to the user identifier 02, the subscription data includes user consent information 01, and the user consent information 01 includes the data processing purpose 01 and the user consent result 01. The data processing purpose 01 may include one or more data processing purposes, and the corresponding user consent result 01 may also include one or more user consent results. Additionally, the subscription data also contains an identification 01 of the allowed network.
The data management network element determines the user consent result 02 in the user consent information 02 according to the identifier of the network that processes the user data and the identifiers of the allowed networks. For example, the data management network element determines the user consent result 02 according to whether the identifiers of the allowed networks contain the identifier of the network that processes the user data. If they do not, the data management network element constructs a user consent result 02 of disagree; if they do, the data management network element obtains the identifier 02 of the allowed network, the data processing purpose 02 and the user consent result 02.
The network in which the data management network element is located and the network that processes the user data may not be the same network (e.g., not the same PLMN or slice).
In the case where the identifiers of the allowed networks do not contain the identifier of the network that processes the user data, the data management network element may construct the user consent result 02 as disagree in the following ways.
The first implementation: the data management network element constructs a disagree user consent result 02 corresponding to the preconfigured data processing purpose 03. The preconfigured data processing purpose 03 may be all data processing purposes supported by the network.
For example, the user consent information 01 is shown in Table 1, and the identifier of the network that processes the user data is PLMN C, which is not among the identifiers of the allowed networks, PLMN A and PLMN B. The preconfigured data processing purpose 03 is purpose #1, purpose #2 and purpose #3, and the data management network element constructs the user consent result 02 as disagree, that is, it constructs a disagree user consent result for each of purpose #1, purpose #2 and purpose #3. In this example, the user consent information 02 containing the user consent result 02 may be as shown in Table 7.
TABLE 7
It is noted that in this example the data management network element also constructs the allowed network identity in the user consent information 02 as an identity PLMN C of the network handling the user data.
The second implementation: the data management network element constructs a disagree user consent result 02 corresponding to the data processing purpose 04, which is the data processing purpose corresponding to the identifier of the allowed network.
For example, the user consent information 01 is shown in Table 1. The identifier of the network that processes the user data is PLMN C, which is not among the identifiers of the allowed networks, PLMN A and PLMN B. The data management network element obtains the data processing purpose corresponding to PLMN A or PLMN B. If the data management network element obtains data processing purpose #1 and data processing purpose #2 of PLMN A and constructs the user consent result 02 as disagree, that is, constructs a disagree user consent result for each of purpose #1 and purpose #2, the user consent information 02 containing the user consent result 02 may be as shown in Table 8.
TABLE 8
It is noted that in this example, the data management network element may construct the allowed network identity in the user consent information 02 as an identity PLMN C of the network handling the user data.
The third implementation: if the subscription data acquisition request message contains indication information of the data processing purpose, the data management network element constructs, according to that indication information, a disagree user consent result 02 corresponding to the data processing purpose of the data call request. For the indication information of the data processing purpose, reference is made to the description in S303.
For example, the user consent information 01 is shown in Table 1. The identifier of the network that processes the user data is PLMN C, which is not among the identifiers of the allowed networks, PLMN A and PLMN B. The data management network element determines from the subscription data acquisition request message that the data processing purpose of the data call request is purpose #1 and constructs a disagree user consent result 02 corresponding to purpose #1. The user consent information 02 containing the user consent result 02 may be as shown in Table 9.
Allowed network identifier | Data processing purpose | User consent result
PLMN C | Purpose #1 | 0
Table 9
It is noted that in this example, the data management network element may construct the allowed network identity in the user consent information 02 as an identity PLMN C of the network handling the user data.
It should be noted that, if the data management network element constructs the user consent result 02 as disagree, the user consent information 02 may not include the data processing purpose.
In the case where the identifiers of the allowed networks contain the identifier of the network that processes the user data, the data management network element may obtain the identifier 02 of the allowed network, the data processing purpose 02 and the user consent result 02 in the following ways.
The first way is: the identifier 02 of the allowed network is the identifier of the network processing the user data, and the data management network element obtains the data processing purpose 02 and the corresponding user consent result 02 according to the identifier of the network processing the user data.
For example, the user consent information 01 is shown in Table 1, and the identifier of the network that processes the user data is PLMN A, which belongs to the allowed networks. The data management network element obtains the data processing purpose 02 and the user consent result 02 corresponding to PLMN A, wherein the data processing purpose 02 includes purpose #1 and purpose #2, and the user consent information 02 includes a user consent result of consent for purpose #1 and a user consent result of disagree for purpose #2. In this example, the user consent information 02 may be as shown in Table 10:
Table 10
The second mode is as follows: if the subscription data acquisition request message includes the indication information of the data processing purpose, the data management network element obtains the data processing purpose (namely, the data processing purpose 02) of the data call request and the corresponding user consent result 02 according to the identification of the network for processing the user data and the indication information of the data processing purpose.
For example, the user consent information 01 is shown in Table 1. The identifier of the network that processes the user data is PLMN A, which is among the identifiers of the allowed networks. The data management network element obtains the data processing purposes corresponding to PLMN A, namely purpose #1 and purpose #2, and then, because the data processing purpose 02 of the data call request is purpose #1, obtains the user consent result 02 corresponding to purpose #1, which is consent. In this example, the user consent information 02 may be as shown in Table 11:
Allowed network identifier | Data processing purpose | User consent result
PLMN A | Purpose #1 | 1
Table 11
In this example, the user consent information 02 may include only the identifier 02 of the allowed network, PLMN A, and the user consent result 02 of consent, and may not include the data processing purpose 02.
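The construction of user consent information 02 described for S304 and S404 can be modelled as follows. This is an added sketch, not code from the application: the subscription contents, function and parameter names are assumptions, and taking the union of purposes across the allowed networks for the second implementation is one possible reading of "PLMN A or PLMN B".

```python
from typing import Dict, List, Optional

AGREE, DISAGREE = 1, 0  # encoding used in the tables on this page

# Constructed subscription data: allowed network identifier -> purpose -> result.
# It stands in for user consent information 01 plus the allowed-network
# identifiers; the values are sample data made up for this sketch.
SUBSCRIPTION: Dict[str, Dict[str, int]] = {
    "PLMN A": {"Purpose #1": AGREE, "Purpose #2": DISAGREE},
    "PLMN B": {"Purpose #1": AGREE},
}
# Preconfigured data processing purpose 03: every purpose the network supports.
PRECONFIGURED_PURPOSES = ["Purpose #1", "Purpose #2", "Purpose #3"]


def build_consent_info_02(
    processing_network: str,
    requested_purpose: Optional[str] = None,
    deny_mode: str = "preconfigured",
    include_network: bool = False,
    subscription: Dict[str, Dict[str, int]] = SUBSCRIPTION,
) -> List[dict]:
    """Return user consent information 02 as a list of table rows.

    deny_mode selects how rows are built when the processing network is not
    an allowed network: "preconfigured" (first implementation),
    "allowed_network" (second) or "requested" (third).
    include_network=True adds the allowed-network column used in S404.
    """

    def row(purpose: str, result: int) -> dict:
        entry = {"purpose": purpose, "result": result}
        if include_network:
            # In S404 this column carries the processing network's identifier,
            # both when it is allowed and when the result is a constructed
            # disagree.
            entry["allowed_network"] = processing_network
        return entry

    consent_01 = subscription.get(processing_network)
    if consent_01 is None:
        # Processing network is not among the allowed networks: every row
        # is a constructed disagree, whatever the stored consent says.
        if deny_mode == "preconfigured":
            purposes = list(PRECONFIGURED_PURPOSES)
        elif deny_mode == "allowed_network":
            # Assumption: union of the purposes of all allowed networks.
            purposes = sorted({p for c in subscription.values() for p in c})
        elif deny_mode == "requested":
            if requested_purpose is None:
                raise ValueError("request carried no purpose indication")
            purposes = [requested_purpose]
        else:
            raise ValueError(f"unknown deny_mode: {deny_mode}")
        return [row(p, DISAGREE) for p in purposes]

    if requested_purpose is None:
        # First way: all purposes recorded for this allowed network.
        return [row(p, r) for p, r in consent_01.items()]
    # Second way: only the requested purpose. A purpose with no stored result
    # is treated as disagree (fail closed; assumption, the page does not say).
    return [row(requested_purpose, consent_01.get(requested_purpose, DISAGREE))]
```

With the constructed data above, the calls reproduce the shapes of Tables 2, 3, 5, 9 and 11.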
S405: the data management network element sends a subscription data acquisition response message to the authorization check network element, and correspondingly, the authorization check network element receives the subscription data acquisition response message from the authorization storage.
The subscription data acquisition response message includes the user consent information 02 obtained in S304. The subscription data acquisition response message may be a Nudm_SDM_Get Response message.
It will be appreciated that the user consent information 02 contains the identifier of the allowed network.
S406: the authorization check network element determines whether to authorize processing of the user data according to the user consent information 02.
It is understood that S406 differs from S306 in that the user consent information 02 in S406 includes identification information of permitted networks. Before the authorization checking network element determines whether to authorize processing of the user data according to the user consent result 02, the authorization checking network element needs to determine whether the data use network element or the authorization checking network element belongs to the allowed network according to the allowed network identifier contained in the user consent information 02.
According to the identifier of the allowed network, the authorization check network element may determine whether the data call request message originates from the allowed network (i.e. whether the data use network element belongs to the allowed network) or whether the authorization check network element itself belongs to the allowed network. If it is determined that the data call request originates from the allowed network, or that the authorization check network element itself belongs to the allowed network, the authorization check network element determines whether to authorize processing of the user data according to the user consent result 02.
For how the authorization check network element determines, according to the identifier of the allowed network, whether the data call request message originates from the allowed network or whether it itself belongs to the allowed network, reference may be made to the relevant description in S205. For how the authorization check network element determines whether to authorize processing of the user data according to the user consent result 02, reference may be made to the related description in S306, which is not repeated here.
Specifically, if processing of the user data is authorized, S407a may be initiated. If processing of the user data is not authorized, S407b may be initiated, that is, the authorization check network element sends a message rejecting the data call request to the data use network element; alternatively, another non-authorization manner may be adopted. One such manner is to still initiate S407a, that is, to authorize the data call request and initiate the data request according to the data call request message, but to record the event that the request was not authorized. The present application does not limit this.
According to the judgment of step S406, one of the following two flows is performed:
S407a: The authorization check network element sends a data request message to the data provider according to the data call request message, wherein the data request message is used for requesting the user data 01 required by the data call request message.
S407b: the authorization check network element sends a message rejecting the data call request to the data use network element for rejecting the data call request message in S201.
The message rejecting the data call request may comprise a cause value indicating that the data use network element does not belong to a network that the user allows to process the data. For example, the cause value may indicate an unauthorized network, or indicate that the data use network element does not belong to an allowed network, etc. After receiving the cause value, the data use network element terminates the data call request.
S408-S409 refer to S207-S208, and are not described here.
Note that S408 and S409 may be performed in the case where it is determined in S406 that the user data is authorized to be processed, or in the case where S407a is performed although the user data is not authorized to be processed in S406.
According to the method shown in Fig. 6, in a cross-network scenario where the network where the data management network element is located and the network that processes the user data may not be the same network, the data management network element checks, in the process of providing subscription data to the authorization check network element, whether the network currently processing the user data is a network allowed by the user, and the authorization check network element checks again, in the process of authorization, whether the network currently processing the user data belongs to the networks allowed by the user. Authorization of processing of user data in a cross-network scenario can thereby be achieved, with the security and accuracy of the authorization ensured twice over.
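The decision made by the authorization check network element in S306 and S406, including the reject and record-only outcomes, can be sketched as follows. This is an added example, not code from the application: the row layout, function names and cause strings are assumptions, and the sample rows in the usage are constructed to match Tables 5, 9 and 11.

```python
from dataclasses import dataclass
from typing import List, Optional

AGREE = 1  # encoding used in the tables on this page

# Constructed cause strings. The page only says the cause value may indicate
# an unauthorized network; it does not define concrete values.
CAUSE_NETWORK = "NETWORK_NOT_ALLOWED"
CAUSE_CONSENT = "CONSENT_NOT_GRANTED"


@dataclass
class Decision:
    authorized: bool
    next_step: str               # "S407a" (send data request) or "S407b" (reject)
    cause: Optional[str] = None  # set whenever authorized is False
    audit: Optional[str] = None  # set when an unauthorized request is forwarded


def _deny_cause(rows, request_purpose, requester_network, own_network):
    """Return None when processing is authorized, otherwise a cause string."""
    if not rows:
        return CAUSE_CONSENT  # no consent information at all: fail closed
    # S406 only: rows carry the allowed-network identifier, so check the
    # network first. Use the data use network element's network when it is
    # known, otherwise the authorization check network element's own network.
    allowed = {r["allowed_network"] for r in rows if "allowed_network" in r}
    if allowed:
        network = requester_network if requester_network is not None else own_network
        if network not in allowed:
            return CAUSE_NETWORK
    # Second implementation of S306: match on the purpose of the request.
    # First implementation: rows hold results only, so every row must agree.
    with_purpose = [r for r in rows if "purpose" in r]
    if with_purpose:
        matching = [r for r in with_purpose if r["purpose"] == request_purpose]
    else:
        matching = rows
    if matching and all(r["result"] == AGREE for r in matching):
        return None
    return CAUSE_CONSENT  # disagree, or no row for this purpose


def check_authorization(
    rows: List[dict],
    request_purpose: str,
    requester_network: Optional[str] = None,
    own_network: Optional[str] = None,
    log_only: bool = False,
) -> Decision:
    """Decide between S407a and S407b (S307a and S307b in Fig. 5)."""
    cause = _deny_cause(rows, request_purpose, requester_network, own_network)
    if cause is None:
        return Decision(True, "S407a")
    if log_only:
        # The alternative manner: still send the data request, but record
        # that the request was not authorized.
        return Decision(False, "S407a", cause,
                        audit=f"unauthorized request forwarded: {cause}")
    return Decision(False, "S407b", cause)


if __name__ == "__main__":
    table_11 = [{"allowed_network": "PLMN A", "purpose": "Purpose #1", "result": 1}]
    table_9 = [{"allowed_network": "PLMN C", "purpose": "Purpose #1", "result": 0}]
    print(check_authorization(table_11, "Purpose #1", requester_network="PLMN A"))
    print(check_authorization(table_11, "Purpose #1", requester_network="PLMN C"))
    print(check_authorization(table_9, "Purpose #1", requester_network="PLMN C"))
    print(check_authorization(table_9, "Purpose #1", requester_network="PLMN C",
                              log_only=True))
```

In the record-only branch the decision still reports `authorized=False`, so a deployment that forwards such requests retains an audit trail of every request the consent data did not cover.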
Based on the method shown in fig. 4, an embodiment of the present application provides a further method for authorizing processing of user data. FIG. 7 is a schematic flow chart of the method, which comprises the following steps:
S501: The data use network element sends a request message for triggering processing of the user data to the authorization check network element, and accordingly the authorization check network element receives the request message from the data use network element.
The request message for triggering processing of the user data may be the data call request message in S201. The request message may contain a user identifier and, optionally, an operation indication and/or the identifier of the network in which the data use network element is located; the operation indication may indicate the data processing purpose of the request message. For a detailed description of the request message, reference is made to the description in S201, which is not repeated here.
S502: The authorization check network element acquires identification information of a network that the user allows to process the user data (hereinafter referred to as an allowed network), a data processing purpose, and a user consent result, all of which come from the data management network element.
Wherein the data processing purpose is used to indicate the purpose of processing user data, such as data analysis, data model training, or data reading, etc. The user consent result is used to indicate whether the user agrees to process the user data for data processing purposes, which may be consent or disagreement, for example. The identification information about the permitted network may refer to the identification of the network permitted by the user to process the user data in S200, which is not described herein.
In one implementation, the authorization check network element obtains the identification information of the allowed network, the data processing purpose, and the user consent result locally; these may have been obtained previously by the authorization check network element from the data management network element.
In another implementation, the authorization check network element requests user subscription data from the data management network element, the authorization check network element receives the user subscription data from the data management network element, the user subscription data including identification information of the allowed network, data processing purpose, and user consent result.
Illustratively, the data management network element is not in the same network as the authorization check network element, or the data management network element is not in the same network as the data use network element.
S503: the authorization check network element determines whether to authorize processing of the user data according to the identification information of the allowed network.
In one implementation, the authorization check network element determines whether the request message in S501 originates from the allowed network according to the identification information of the allowed network. If the request message originates from the allowed network, determining whether to authorize processing of the user data further based on the user consent result; if the request message does not originate from the allowed network, processing of the user data is not authorized.
Optionally, in this implementation, the data usage network element and the authorization check network element may be located in the same network, and determining whether the request message originates from the allowed network may include: it is determined whether an authorization check network element belongs to the allowed network. If the authorization check network element belongs to the allowed network, determining that the request message originates from the allowed network; if the authorization check network element does not belong to the allowed network, it is determined that the request message does not originate from the allowed network.
Alternatively, in this implementation, the data usage network element and the authorization check network element may be located in different networks, and determining whether the request message originates from the allowed network may include: the authorization check network element obtains the identification of the network where the data use network element is located, and determines whether the data use network element belongs to the allowed network according to the identification of the network where the data use network element is located. If it is determined that the data usage network element belongs to the allowed network, determining that the request message is from the allowed network; if it is determined that the data usage network element does not belong to the allowed network, it is determined that the request message does not originate from the allowed network. In S501, the authorization check network element may acquire the identifier of the network where the data usage network element is located, which is carried by the request message, or acquire the identifier of the network where the data usage network element is located according to the source of the request message.
Reference may also be made to the relevant description in S205 for this implementation, which is not described here in detail.
In another implementation, the authorization check network element determines, according to the identification information of the allowed network, whether it itself belongs to the allowed network. If it belongs to the allowed network, it determines whether to authorize processing of the user data according to the user consent result; if it does not belong to the allowed network, processing of the user data is not authorized.
Reference may also be made to the relevant description in S205 for this implementation, which is not described here in detail. Authorizing processing of the user data may be understood as authorizing the action of a related network element that processes the user data, or authorizing the data call request, or authorizing the event of processing the data. This may manifest as the related network element that processes the user data executing the data call request according to the normal flow. The related network elements that process the user data may include the authorization check network element or the data usage network element. The action of the related network element that processes the user data may be, for example, the authorization check network element acquiring the user data according to the data call request message, or using the acquired user data to perform data analysis, or using the acquired user data to perform model training, etc.; it may also be, for example, the data usage network element obtaining the user data, the data analysis results or the model training results.
Accordingly, not authorizing processing of the user data may be understood as not authorizing the action of the related network element that processes the user data, or not authorizing the data call request, or not authorizing the event of processing the data. This may manifest as the related network element that processes the user data not executing the data call request according to the normal flow.
The authorization check network element determining whether to authorize processing of the user data according to the user consent result may be, for example, as follows: the authorization check network element determines the user consent result 03 for the data processing purpose 05 according to the data processing purpose corresponding to the request message (for example, the data processing purpose 05) and the data processing purposes and user consent results obtained in S502. If the user consent result 03 is consent, the authorization check network element authorizes processing of the user data; if the user consent result 03 is disagreement, the authorization check network element does not authorize processing of the user data. The authorization check network element can acquire the data processing purpose corresponding to the request message through the name of the request message or the operation instruction in the request message.
Not authorizing processing of the user data may comprise sending, to the data usage network element, a message refusing to process the user data. The message refusing to process the user data may comprise a cause value for the refusal, the cause value indicating that the data usage network element is not from a network that the user allows to process the user data. Alternatively, not authorizing processing of the user data may include recording the event that processing of the user data is not authorized, or recording the event that the request message is not authorized.
In the case where processing of the user data is authorized, or where the event that processing of the user data is not authorized has been recorded, the authorization check network element requests the user data from the data providing network element and processes the user data, e.g. performs an analysis or trains a model based on the user data. The authorization check network element then feeds back the result of the processing of the user data to the data usage network element. The result is, for example, an analysis result of the data or a trained model; it should be understood that the result is also user data.
Regarding authorizing and not authorizing processing of the user data, reference may also be made to the relevant descriptions in S205 to S208, which are not described here in detail.
According to the method shown in fig. 7, in a scenario where the data management network element and the authorization check network element are not in the same network, or where the data management network element and the data usage network element are not in the same network, the authorization check network element obtains the identification information of the allowed network from the data management network element, and checks whether the network element currently processing the user data belongs to the allowed network of the user according to the identification information of the allowed network, so that authorization for processing the user data in a cross-network scenario can be realized.
On the basis of the methods shown in fig. 5 and 6, an embodiment of the present application provides a further method for authorizing processing of user data. FIG. 8 is a schematic flow chart of the method, which comprises the following steps:
S601: the authorization check network element sends the identification information of the user and the identification information of the first network to the data management network element, and correspondingly, the data management network element receives the identification information of the user and the identification information of the first network from the authorization check network element.
The identification information of the first network is used for identifying a network that processes the data of the user, which may be the network where the data usage network element is located and/or the network where the authorization check network element is located. The identification information of the user may be SUPI or GPSI.
In one implementation, the authorization check network element receives a request message from the data use network element for triggering processing of user data before sending the identification information of the user and the identification information of the first network to the data management network element. For the request message, reference may be made to the description in S501, and a detailed description is omitted here.
In one implementation, the authorization check network element sends a subscription data acquisition request message to the data management network element, the subscription data acquisition request message including identification information of the user and identification information of the first network. Optionally, the subscription data acquisition request message includes indication information for data processing purpose, where the indication information is used to indicate the purpose of processing data, and may also be understood as indicating the data processing purpose corresponding to the request message for triggering processing of user data. For this implementation, reference may be made to the description in S303, which is not repeated here.
In one implementation, the network in which the data management network element is located and the network that processes the data of the user are not the same network.
S602: the data management network element determines the first user consent result according to the identification information of the first network and the identification information of the second network.
The identification information of the second network is used for identifying a network that the user allows to process the user data, and the first user consent result indicates whether the user agrees to processing of the user's data in the first network based on the first data processing purpose.
If the data management network element determines that the identification information of the second network contains the identification information of the first network, that means that the user allows the first network to process the user data, the data management network element determines one or more data processing purposes corresponding to the identification information of the first network as a first data processing purpose, and determines a user consent result corresponding to the one or more data processing purposes as a first user consent result.
If the data management network element determines that the identification information of the second network does not contain the identification information of the first network, that means that the user does not allow the first network to process the user data. The data management network element may then determine that the data processing purpose corresponding to the identification information of the second network, or a preconfigured data processing purpose, is the first data processing purpose, and that the first user consent result is disagreement. Alternatively, the data management network element may determine that the first user consent result is disagreement without determining the first data processing purpose.
In one implementation, the subscription data acquisition request message in S601 further includes a first data processing purpose (i.e., the purpose indicated by the indication information for the data processing purpose). In this implementation, if the data management network element determines that the identification information of the second network includes the identification information of the first network, the data management network element determines that the user consent result corresponding to the first data processing purpose is the first user consent result. If the identification information of the second network does not contain the identification information of the first network, the data management network element determines that the first user consent result is disagreement.
Regarding the determination of the first user consent result, reference may be made to the related description in S304 or S404, which is not described herein.
S603: the data management network element sends a first user consent result to the authorization check network element, and correspondingly, the authorization check network element receives the first user consent result from the data management network element.
Optionally, if the data management network element also determines the first data processing purpose in S602, the data management network element sends the first data processing purpose and the first user consent result to the authorization check network element.
In one implementation, the data management network element also sends an identification #1 of the allowed network (which may include networks that the user allows to process the data or networks that the user does not allow to process the data) to the authorization check network element, where the identification #1 may be constructed by the data management network element. The identification #1 of the allowed network is used by the authorization check network element to determine whether processing of the user data is authorized.
For example, the identification #1 of the allowed network may include the identification information of the first network. If the data management network element determines that the identification information of the second network does not contain the identification information of the first network, the data management network element may also send the identification of the first network to the authorization check network element. The authorization check network element determines whether to authorize processing of the user data according to the identification of the first network, so that the logic by which the authorization check network element determines whether to authorize processing of the user data according to the identification of the allowed network and the user consent result need not be changed. If the data management network element determines that the identification information of the second network includes the identification information of the first network, the data management network element may send the identification of the first network to the authorization check network element. The authorization check network element determines, according to the identification of the first network, whether the network where the data usage network element and/or the authorization check network element is located belongs to the first network, so that a double check can be realized.
S604: the authorization check network element determines whether to authorize processing of the user data according to the first user consent result.
For example, if the authorization check network element receives the first user consent result, the authorization check network element determines whether the first user consent result is disagreement; if yes, processing of the user data is not authorized, and if not, processing of the user data is authorized. If the authorization check network element receives the first data processing purpose and the first user consent result, the authorization check network element determines, according to the first data processing purpose and the first user consent result, the user consent result corresponding to the data processing purpose of the request message; if that user consent result is disagreement, processing of the user data is not authorized, and if that user consent result is consent, processing of the user data is authorized. Regarding the authorization check network element determining whether to authorize processing of the user data according to the first user consent result, reference may also be made to the related descriptions in S306 and S406, which are not described herein.
In one implementation, the authorization check network element receives an identification #1 of the allowed network from the data management network element. Before determining whether to authorize processing of the user data according to the first user consent result, the authorization check network element may determine whether the identification #1 of the allowed network includes the network in which the data usage network element is located or the network in which the authorization check network element is located. For the specific determination, refer to the description of S503, which is not repeated herein.
For authorizing and not authorizing processing of the user data, reference may be made to the description in S503, which is not repeated here.
According to the method shown in fig. 8, in a cross-network scenario where the network where the data management network element is located and the network that processes the user data are not the same network, the data management network element checks whether the network that processes the user data currently belongs to the network allowed by the user according to the identification information of the allowed network. The data management network element provides a user consent result to the authorization check network element based on the check result, so that the authorization check network element determines whether to authorize processing of the user data according to the user consent result, and therefore authorization of processing of the user data under a cross-network scene can be achieved.
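The two placements of the allowed-network check described above (at the authorization check network element in S503, and at the data management network element in S602 with the decision taken in S604) can be compared side by side in the following added Python example, which is not part of the application. The PLMN IDs, purpose names, cause strings, the deny-by-default rule for unknown purposes and the mismatch rule in `resolve_network` are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Consent(Enum):
    AGREE = "agree"
    DISAGREE = "disagree"


# Hypothetical cause strings; the text only says a rejection cause value exists.
CAUSE_NETWORK_NOT_ALLOWED = "NETWORK_NOT_ALLOWED_BY_USER"
CAUSE_NO_CONSENT = "USER_CONSENT_NOT_GIVEN"


@dataclass(frozen=True)
class Decision:
    authorized: bool
    cause: Optional[str] = None


# Constructed subscription data: allowed network ID -> {purpose: consent result}.
SUBSCRIPTION = {
    "00101": {"analytics": Consent.AGREE, "model_training": Consent.DISAGREE},
    "00102": {"analytics": Consent.AGREE},
}


def resolve_network(claimed: Optional[str], from_source: Optional[str]) -> Optional[str]:
    """Network of the data usage NE, either carried in the request message or
    derived from its source. Assumption: if both are known and differ, the
    network is treated as unknown so the request is refused."""
    if claimed and from_source and claimed != from_source:
        return None
    return from_source or claimed


def consent_decision(consents: dict, purpose: str) -> Decision:
    """Per-purpose consent lookup. A purpose with no record is refused
    (deny-by-default is an assumption of this example)."""
    if consents.get(purpose) is Consent.AGREE:
        return Decision(True)
    return Decision(False, CAUSE_NO_CONSENT)


def authorize_at_check_ne(subscription: dict, network: Optional[str], purpose: str) -> Decision:
    """S503 placement: the authorization check NE holds the allowed-network
    IDs, tests the origin network first, then the user consent result."""
    if network is None or network not in subscription:
        return Decision(False, CAUSE_NETWORK_NOT_ALLOWED)
    return consent_decision(subscription[network], purpose)


def first_consent_result(subscription: dict, first_network: str,
                         purpose: Optional[str] = None) -> dict:
    """S602 placement: the data management NE compares the first network with
    the allowed (second) networks and returns only consent results."""
    if first_network not in subscription:
        # Not an allowed network: the first user consent result is disagreement.
        # With no purpose supplied, an empty result is returned, which
        # consent_decision() also refuses.
        return {purpose: Consent.DISAGREE} if purpose else {}
    consents = subscription[first_network]
    if purpose is not None:
        return {purpose: consents.get(purpose, Consent.DISAGREE)}
    return dict(consents)


def authorize_from_result(result: dict, purpose: str) -> Decision:
    """S604: the authorization check NE decides from the consent result alone."""
    return consent_decision(result, purpose)


if __name__ == "__main__":
    for plmn in ("00101", "00102", "99999"):
        for purpose in ("analytics", "model_training"):
            a = authorize_at_check_ne(SUBSCRIPTION, plmn, purpose)
            b = authorize_from_result(first_consent_result(SUBSCRIPTION, plmn, purpose), purpose)
            print(plmn, purpose, a, b)
```

Both placements reach the same allow/deny outcome, but in the second one the authorization check network element sees only a disagreement result and cannot tell a disallowed network from withheld consent unless the data management network element also sends the network identification.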
The method provided by the embodiment of the application is described in detail above with reference to fig. 3 to 8. The following describes the device provided in the embodiment of the present application in detail with reference to fig. 9 to 10. It should be understood that the descriptions of the apparatus embodiments and the descriptions of the method embodiments correspond to each other, and thus, descriptions of details not described may be referred to the above method embodiments, which are not repeated herein for brevity.
As shown in fig. 9, the communication apparatus 900 includes a processing unit 910 and a transceiving unit 920. The communication device 900 is configured to implement the functions of the authorization check network element, the data management network element, or the data usage network element in the above method embodiments, and may also be a module (e.g. a chip) applied to the authorization check network element, the data management network element, or the data usage network element.
In a first embodiment, the communication device is configured to perform the function of an authorization check network element, and the transceiver unit 920 is configured to receive a request message from a data usage network element for triggering processing of user data; the processing unit 910 is configured to obtain, from a data management network element, identification information of a network that a user allows to process the user data, a data processing purpose for indicating a purpose of processing the user data, and a user consent result for indicating whether the user consents to processing of the user data based on the data processing purpose; and to determine whether to authorize processing of the user data based on the identification information of the network.
In a possible implementation method, the processing unit 910 is further configured to determine, according to the identification information of the network, whether the request message is from the network indicated by the identification information of the network; if the request message comes from the network indicated by the identification information of the network, determining whether to authorize processing of the user data according to the user consent result; if the request message is not from a network indicated by the identification information of the network, processing of the user data is not authorized.
In one possible implementation, if the communication device belongs to a network indicated by the identification information of the network, the processing unit 910 is further configured to determine that the request message is from the network indicated by the identification information of the network; if the authorization check network element does not belong to the network indicated by the identification information of the network, the processing unit 910 is further configured to determine that the request message is not from the network indicated by the identification information of the network.
In one possible implementation, the data usage network element and the communication device are located in the same network.
In a possible implementation manner, the processing unit 910 is further configured to obtain an identifier of the network where the data usage network element is located; if it is determined, according to the identifier of the network where the data usage network element is located, that the data usage network element belongs to the network indicated by the identification information of the network, determine that the request message is from the network indicated by the identification information of the network; if it is determined, according to the identifier of the network where the data usage network element is located, that the data usage network element does not belong to the network indicated by the identification information of the network, determine that the request message is not from the network indicated by the identification information of the network.
In one possible implementation, the request message includes an identification of the network in which the data usage network element is located.
In a possible implementation, the transceiver unit 920 is further configured to send a rejection message to the data use network element, where the rejection message includes a rejection cause value, and the rejection cause value is used to indicate that the data use network element is not from a network that the user allows to process the user data.
In one possible implementation, the processing unit 910 is further configured to record events that are unauthorized to process the user data.
In a possible implementation, the transceiver unit 920 is further configured to request the user data from the data providing network element; and receiving the user data from the data providing network element.
In one possible implementation, the data usage network element and the data management network element are located in different networks.
In a possible implementation manner, the transceiver unit 920 is further configured to request the user subscription data from the data management network element; and receiving user subscription data from the data management network element, wherein the user subscription data comprises the identification information of the network, the data processing purpose and the user consent result.
In one possible implementation, the identification information of the network is an identification ID of a public land mobile network PLMN.
In a second embodiment, the communication device is configured to perform a function of a data management network element, and the transceiver unit 920 is configured to receive identification information of a user from an authorization check network element and identification information of a first network, where the identification information of the first network is configured to identify a network that processes data of the user; the processing unit 910 is configured to determine a first user consent result according to identification information of the first network and identification information of a second network, where the identification information of the second network is used to identify a network where the user is allowed to process data of the user, and the first user consent result indicates whether the user agrees to process the data of the user based on a first data processing purpose in the first network; the transceiver unit 920 is further configured to send the first user consent result to the authorization check network element.
In a possible implementation method, if the identification information of the second network includes the identification information of the first network, the processing unit 910 is further configured to determine one or more data processing purposes corresponding to the identification information of the first network as the first data processing purpose, and determine a user consent result corresponding to the one or more data processing purposes as the first user consent result; if the identification information of the second network does not include the identification information of the first network, the processing unit 910 is further configured to determine that the data processing purpose corresponding to the identification information of the second network is the first data processing purpose, and determine that the first user consent result is disagreement.
In a possible implementation, the transceiver unit 920 is further configured to send the first data processing purpose and the first user consent result to the authorization check network element.
In a possible implementation method, the transceiver unit 920 is further configured to receive a message from the authorization check network element, where the message includes the identification information of the user, the identification information of the first network, and the first data processing purpose; if the identification information of the second network includes the identification information of the first network, the processing unit 910 is further configured to determine that the user consent result corresponding to the first data processing purpose is the first user consent result; if the identification information of the second network does not include the identification information of the first network, the processing unit 910 is further configured to determine that the first user consent result is disagreement.
In a possible implementation, the transceiver unit 920 is further configured to send identification information of a network for determining whether to authorize processing of the data of the user to the authorization check network element.
In one possible implementation, the identification information of the second network is an identification ID of a public land mobile network PLMN that the user allows to process the data of the user.
In one possible implementation, the identification information of the first network is an identification ID of a public land mobile network PLMN where the authorization check network element is located or an identification ID of a public land mobile network PLMN where a network element triggering processing the first data is located.
The more detailed description of the processing unit 910 and the transceiver unit 920 may be directly obtained by referring to the related description in the above method embodiment, which is not repeated herein.
As shown in fig. 10, the communication device 1000 includes a processor 1010 and an interface circuit 1020. The processor 1010 and the interface circuit 1020 are coupled to each other. It is understood that interface circuit 1020 may be a transceiver or an input-output interface. Optionally, the communication device 1000 may further comprise a memory 1030 for storing instructions to be executed by the processor 1010 or for storing input data required by the processor 1010 to execute instructions or for storing data generated after the processor 1010 executes instructions.
When the communication device 1000 is used to implement the above-mentioned method embodiments, the processor 1010 is used to implement the functions of the above-mentioned processing unit 910, and the interface circuit 1020 is used to implement the functions of the above-mentioned transceiver unit 920.
It is to be appreciated that the processor in embodiments of the application may be a central processing unit (central processing unit, CPU), other general purpose processor, digital signal processor (digital signal processor, DSP), application specific integrated circuit (application specific integrated circuit, ASIC), field programmable gate array (field programmable gate array, FPGA) or other programmable logic device, transistor logic device, hardware components, or any combination thereof. The general purpose processor may be a microprocessor, but in the alternative, it may be any conventional processor.
The method steps in the embodiments of the present application may be implemented by hardware, or may be implemented by executing software instructions by a processor. The software instructions may be comprised of corresponding software modules that may be stored in random access memory, flash memory, read only memory, programmable read only memory, erasable programmable read only memory, electrically erasable programmable read only memory, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC. In addition, the ASIC may reside in a base station or terminal. The processor and the storage medium may reside as discrete components in a base station or terminal.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs or instructions. When the computer program or instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are performed in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, a base station, a user equipment, or other programmable apparatus. The computer program or instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium; for example, the computer program or instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means. The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The usable medium may be a magnetic medium, e.g., floppy disk, hard disk, tape; an optical medium, such as a digital video disc; or a semiconductor medium, such as a solid state disk. The computer readable storage medium may be a volatile or nonvolatile storage medium, or may include both volatile and nonvolatile types of storage medium.
In various embodiments of the application, where no special description or logic conflict exists, terms and/or descriptions between the various embodiments are consistent and may reference each other, and features of the various embodiments may be combined to form new embodiments based on their inherent logic.

Claims (26)

1. A method of authorization, comprising:
the authorization check network element receives a request message from the data use network element for triggering processing of user data;
the authorization checking network element obtains identification information of a network, which is allowed by a user to process the user data, from a data management network element, a data processing purpose and a user consent result, wherein the data processing purpose is used for indicating the purpose of processing the user data, and the user consent result is used for indicating whether the user consents to process the user data based on the data processing purpose, wherein the data management network element and the authorization checking network element are not in the same network, or the data management network element and the data using network element are not in the same network;
and the authorization checking network element determines whether the user data is authorized to be processed according to the identification information of the network.
2. The method of claim 1, wherein the authorization check network element determining whether to authorize processing of the user data based on the identification information of the network comprises:
the authorization check network element determines whether the request message comes from a network indicated by the identification information of the network according to the identification information of the network;
if the request message comes from the network indicated by the identification information of the network, the authorization check network element determines whether to authorize processing of the user data according to the user consent result;
if the request message is not from the network indicated by the identification information of the network, the authorization check network element does not authorize processing of the user data.
3. The method according to claim 2, wherein the authorization check network element determining whether the request message is from a network indicated by the identification information of the network based on the identification information of the network comprises:
if the authorization check network element belongs to the network indicated by the identification information of the network, the authorization check network element determines that the request message comes from the network indicated by the identification information of the network;
and if the authorization check network element does not belong to the network indicated by the identification information of the network, the authorization check network element determines that the request message is not from the network indicated by the identification information of the network.
4. The method according to claim 3, wherein the data use network element and the authorization check network element are located in the same network.
5. The method according to claim 2, wherein the method further comprises:
the authorization check network element obtains the identification of the network where the data use network element is located;
the authorization check network element determining whether the request message comes from the network indicated by the identification information of the network according to the identification of the network comprises:
if it is determined, according to the identification of the network where the data use network element is located, that the data use network element belongs to the network indicated by the identification information of the network, the authorization check network element determines that the request message comes from the network indicated by the identification information of the network;
if it is determined, according to the identification of the network where the data use network element is located, that the data use network element does not belong to the network indicated by the identification information of the network, the authorization check network element determines that the request message is not from the network indicated by the identification information of the network.
6. The method of claim 5, wherein the request message includes the identification of the network where the data use network element is located.
7. The method according to any of claims 2 to 6, wherein the authorization check network element not authorizing processing of the user data comprises:
the authorization check network element sends a rejection message to the data use network element, the rejection message containing a rejection cause value indicating that the data use network element is not from a network that the user allows to process the user data.
8. The method according to any of claims 2 to 7, wherein the authorization check network element not authorizing processing of the user data comprises:
and the authorization check network element records and processes the event that the user data is not authorized.
9. The method of claim 8, wherein the method further comprises:
the authorization check network element requests the user data from a data providing network element;
the authorization check network element receives the user data from the data providing network element.
10. The method according to any of claims 1 to 9, wherein the obtaining, by the authorization check network element, the identification information of the network from the data management network element, the data processing purpose, and the user consent result comprises:
the authorization check network element requests the user subscription data from the data management network element;
the authorization check network element receives user subscription data from the data management network element, wherein the user subscription data comprises identification information of the network, the data processing purpose and the user consent result.
11. The method according to any of claims 1 to 10, wherein the identification information of the network is an identifier (ID) of a public land mobile network (PLMN).
12. A method of authorization, comprising:
a data management network element receives, from an authorization check network element, identification information of a user and identification information of a first network, wherein the identification information of the first network identifies a network that processes the data of the user, and the network where the data management network element is located and the network that processes the data of the user are not the same network;
the data management network element determines a first user consent result according to the identification information of the first network and identification information of a second network, wherein the identification information of the second network identifies a network that the user allows to process the data of the user, and the first user consent result indicates whether the user agrees to processing of the data of the user in the first network based on a first data processing purpose;
and the data management network element sends the first user consent result to the authorization check network element.
13. The method of claim 12, wherein the data management network element determining the first user consent result based on the identification information of the first network and the identification information of the second network comprises:
if the identification information of the second network contains the identification information of the first network, the data management network element determines that one or more data processing purposes corresponding to the identification information of the first network are the first data processing purposes, and determines that user consent results corresponding to the one or more data processing purposes are the first user consent results;
if the identification information of the second network does not contain the identification information of the first network, the data management network element determines that the data processing purpose corresponding to the identification information of the second network is the first data processing purpose, and determines that the first user consent result is disagreement.
14. The method of claim 13, wherein the data management network element sending the first user consent result to the authorization check network element comprises:
the data management network element sends the first data processing purpose and the first user consent result to the authorization check network element.
15. The method of claim 12, wherein:
the data management network element receiving the identification information of the user and the identification information of the first network from the authorization check network element comprises: the data management network element receives a message from the authorization check network element, wherein the message comprises the identification information of the user, the identification information of the first network and the first data processing purpose;
the data management network element determining the first user consent result according to the identification information of the first network and the identification information of the second network comprises: if the identification information of the second network contains the identification information of the first network, the data management network element determines that the user consent result corresponding to the first data processing purpose is the first user consent result;
and if the identification information of the second network does not contain the identification information of the first network, the data management network element determines that the first user consent result is disagreement.
16. The method according to any one of claims 12 to 15, further comprising:
the data management network element sends identification information of a network for determining whether to authorize processing of the user's data to the authorization check network element.
17. The method according to any of claims 12 to 16, wherein the identification information of the second network is an identifier (ID) of a public land mobile network (PLMN) that the user allows to process the data of the user.
18. The method according to any of claims 12 to 17, wherein the identification information of the first network is an identifier (ID) of the public land mobile network (PLMN) where the authorization check network element is located, or an identifier (ID) of the public land mobile network (PLMN) where a network element triggering processing of the first data is located.
19. A communication device comprising means for performing the method of any of claims 1 to 11.
20. A communication device comprising means for performing the method of any of claims 12 to 18.
21. A communication device comprising a processor and interface circuitry, the interface circuitry being configured to receive signals from communication devices other than the communication device and transmit the signals to the processor, or to send signals from the processor to communication devices other than the communication device, the processor being configured to implement the method of any one of claims 1 to 11 by logic circuitry or by executing code instructions.
22. A communication device comprising a processor and interface circuitry, the interface circuitry being configured to receive signals from communication devices other than the communication device and transmit the signals to the processor, or to send signals from the processor to communication devices other than the communication device, the processor being configured to implement the method of any one of claims 12 to 18 by logic circuitry or by executing code instructions.
23. A computer program product comprising a computer program which, when executed by a communication device, implements the method of any of claims 1 to 18.
24. A computer readable storage medium, characterized in that the storage medium has stored therein a computer program or instructions which, when executed by a communication device, implement the method of any of claims 1 to 18.
25. A communication system comprising an authorization check network element as claimed in any one of claims 1 to 11 and a data management network element for providing the authorization check network element with identification information of a network that the user allows to process the user data, the data processing purpose and the user consent result.
26. A communication system comprising a data management network element and an authorization check network element according to any of claims 12 to 18, the authorization check network element being configured to send identification information of the user and identification information of the first network to the data management network element, and to receive the first user consent result from the data management network element.
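The two decision procedures in the claims above (the network-origin check followed by the consent check at the authorization check network element, and the consent lookup at the data management network element) are sketched below as an added Python example; it is not part of the patent text. The function names, the request dictionary, the cause-value strings and the sample PLMN IDs and purposes are constructed for illustration, and the PLMN ID in the request is assumed to have been authenticated by the receiving network rather than taken on the sender's word.

```python
import re
from dataclasses import dataclass

NOT_ALLOWED_NETWORK = "NETWORK_NOT_ALLOWED_BY_USER"  # hypothetical cause value
NO_CONSENT = "USER_CONSENT_NOT_GRANTED"              # hypothetical cause value

def parse_plmn(plmn_id):
    """Split a PLMN ID into (MCC, MNC) so IDs are never compared by string prefix."""
    m = re.fullmatch(r"(\d{3})-?(\d{2,3})", plmn_id or "")
    if not m:
        raise ValueError(f"malformed PLMN ID: {plmn_id!r}")
    return m.group(1), m.group(2)

@dataclass
class Subscription:
    allowed_plmns: set  # networks the user allows to process the user data
    consent: dict       # data processing purpose -> user consent result (bool)

    def allows(self, plmn_id):
        try:
            wanted = parse_plmn(plmn_id)
        except ValueError:
            return False  # fail closed on a missing or malformed ID
        return wanted in {parse_plmn(p) for p in self.allowed_plmns}

def consent_result(sub, first_plmn, purpose):
    """Data management side (claim 15): disagreement unless the first network
    is an allowed network and the user consented to this purpose."""
    return sub.allows(first_plmn) and sub.consent.get(purpose, False) is True

def authorize(sub, request, audit_log):
    """Authorization check side (claims 2 and 5 to 8). Returns (authorized, cause)."""
    if not sub.allows(request.get("plmn_id")):
        cause = NOT_ALLOWED_NETWORK   # request is not from an allowed network
    elif sub.consent.get(request.get("purpose"), False) is not True:
        cause = NO_CONSENT            # allowed network, but no consent for purpose
    else:
        return True, None
    # Record the event that processing was not authorized (claim 8).
    audit_log.append({**request, "event": "processing_not_authorized", "cause": cause})
    return False, cause

# Constructed sample data: test-range PLMN IDs and made-up purposes.
SUB = Subscription({"001-01", "99999"}, {"analytics": True, "model_training": False})
```

Unknown purposes and unparsable network IDs both end in a rejection, so a request can only be authorized by matching an explicit entry on both checks.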
CN202210489905.4A 2022-05-06 2022-05-06 Authorization method and device Pending CN117061093A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210489905.4A CN117061093A (en) 2022-05-06 2022-05-06 Authorization method and device
PCT/CN2023/091313 WO2023213226A1 (en) 2022-05-06 2023-04-27 Authorization method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210489905.4A CN117061093A (en) 2022-05-06 2022-05-06 Authorization method and device

Publications (1)

Publication Number Publication Date
CN117061093A true CN117061093A (en) 2023-11-14

Family

ID=88646264

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210489905.4A Pending CN117061093A (en) 2022-05-06 2022-05-06 Authorization method and device

Country Status (2)

Country Link
CN (1) CN117061093A (en)
WO (1) WO2023213226A1 (en)

Also Published As

Publication number Publication date
WO2023213226A1 (en) 2023-11-09

Legal Events

Date Code Title Description
PB01 Publication