You’re both correct: there’s no “implicit access” (that is, access without an 
explicit Access Control Entry granting it) for anyone* once the device is 
onboarded and in “Ready for Normal Operation” state.

*The exception (which only applies if you’re writing a device mgmt application) 
is that some of the Security Virtual Resources (e.g. /oic/sec/doxm, etc.) can 
be accessed by the Device that connects as the rowneruuid for that SVR (e.g. 
/oic/sec/doxm.rowneruuid can access /oic/sec/doxm with an explicit ACE granting 
access).

The next version of the OCF Specification (Bangkok) contains further cleanup to 
(I hope!) make this clearer.

Thanks,
Nathan
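To make the rule above concrete, here is an added example (not IoTivity's SRM code, and not from anyone in this thread) that models the post-onboarding check as Nathan describes it: a request is allowed only if an explicit ACE in /oic/sec/acl2 grants it, and the devowneruuid from /oic/sec/doxm is never consulted for application resources. The UUIDs, the /a/light resource and the ACL contents are constructed for the example; the "permission" bitmask and the acl2 field names follow the OCF Security spec, and wildcard ("wc") subjects/roles are left out as a simplification.

```python
import json

# Permission bits of the acl2 "permission" field (OCF Security spec bitmask).
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16

# Constructed placeholder UUIDs: the device owner and an ordinary client.
OWNER_UUID = "11111111-1111-1111-1111-111111111111"
CLIENT_UUID = "22222222-2222-2222-2222-222222222222"

# Constructed /oic/sec/doxm content after onboarding: the device is owned.
DOXM = {"owned": True, "devowneruuid": OWNER_UUID, "rowneruuid": OWNER_UUID}

# Constructed /oic/sec/acl2 content: one ACE giving CLIENT_UUID R+U on /a/light.
# Note there is no ACE for OWNER_UUID at all.
ACL2 = json.loads("""
{
  "aclist2": [
    {"aceid": 1,
     "subject": {"uuid": "22222222-2222-2222-2222-222222222222"},
     "resources": [{"href": "/a/light"}],
     "permission": 6}
  ],
  "rowneruuid": "11111111-1111-1111-1111-111111111111"
}
""")


def is_allowed(acl2, subject_uuid, href, perm):
    """True only if some ACE explicitly grants all bits of `perm` on `href`
    to `subject_uuid`.  The owner identity in doxm is deliberately ignored:
    after onboarding the device owner is just another subject."""
    for ace in acl2.get("aclist2", []):
        if ace.get("subject", {}).get("uuid") != subject_uuid:
            continue
        for res in ace.get("resources", []):
            # Exact href match, or an ACE covering every resource ("wc": "*").
            if res.get("href") == href or res.get("wc") == "*":
                if ace.get("permission", 0) & perm == perm:
                    return True
    return False


def owner_can_read_app_resource(acl2=ACL2, doxm=DOXM, href="/a/light"):
    """The question raised in the thread: does ownership alone grant access?"""
    return is_allowed(acl2, doxm["devowneruuid"], href, RETRIEVE)
```

Running the checks shows the client's RETRIEVE and UPDATE on /a/light pass, its DELETE fails (bit not granted), and the device owner's RETRIEVE fails because no ACE names it.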

From: iotivity-dev-boun...@lists.iotivity.org 
[mailto:iotivity-dev-boun...@lists.iotivity.org] On Behalf Of Tonny Tzeng
Sent: Sunday, January 21, 2018 10:37 PM
To: Gregg Reynolds <d...@mobileink.com>
Cc: iotivity-dev <iotivity-dev@lists.iotivity.org>; derek....@ite.com.tw
Subject: Re: [dev] FW: Android SECURED mode

I'm pretty sure, from my experiments, the device owner can't access an 
application resource if it does not have a proper ACE set up. Our smart home 
companion app (https://github.com/intel/SmartHome-Demo/tree/master/smarthome-companion) 
has two roles -- a resource client and a provisioning client. If a device does 
not have an ACE for the application resource, it can't be accessed even by the 
device owner.

Regards,
Tonny

On 22 January 2018 at 04:50, Gregg Reynolds <d...@mobileink.com> wrote:


On Jan 20, 2018 11:59 PM, <chiayu...@ite.com.tw> wrote:
Dear Gregg,

According to https://wiki.iotivity.org/security_resource_manager
> Requests from DevOwner are allowed without checking ACL.

I believe that is only half-true. It's true for (some?) SVRs, but (only?) 
during onboarding. I think it is never true for application-defined resources, 
at least not post-onboarding. Can somebody clarify this?

G

_______________________________________________
iotivity-dev mailing list
iotivity-dev@lists.iotivity.org
https://lists.iotivity.org/mailman/listinfo/iotivity-dev
