You’re both correct: there’s no “implicit access” (that is, access without an explicit Access Control Entry granting it) for anyone* once the device is onboarded and in “Ready for Normal Operation” state.
*The exception (which only applies if you're writing a device mgmt application) is that some of the Security Virtual Resources (e.g. /oic/sec/doxm, etc.) can be accessed by the Device that connects as the rowneruuid for that SVR (e.g. /oic/sec/doxm.rowneruuid can access /oic/sec/doxm with an explicit ACE granting access). The next version of the OCF Specification (Bangkok) contains further cleanup to (I hope!) make this clearer.

Thanks,
Nathan

From: iotivity-dev-boun...@lists.iotivity.org [mailto:iotivity-dev-boun...@lists.iotivity.org] On Behalf Of Tonny Tzeng
Sent: Sunday, January 21, 2018 10:37 PM
To: Gregg Reynolds <d...@mobileink.com>
Cc: iotivity-dev <iotivity-dev@lists.iotivity.org>; derek....@ite.com.tw
Subject: Re: [dev] FW: Android SECURED mode

I'm pretty sure, from my experiments, the device owner can't access an application resource if it does not have a proper ACE set up. Our smart home companion app <https://github.com/intel/SmartHome-Demo/tree/master/smarthome-companion> has two roles -- a resource client and a provisioning client. If a device does not have an ACE for the application resource, it can't be accessed even by the device owner.

Regards,
Tonny

On 22 January 2018 at 04:50, Gregg Reynolds <d...@mobileink.com> wrote:

> On Jan 20, 2018 11:59 PM, <chiayu...@ite.com.tw> wrote:
>
> > Dear Gregg,
> >
> > According to https://wiki.iotivity.org/security_resource_manager
> >
> > | Requests from DevOwner are allowed without checking ACL.
>
> I believe that is only half-true. It's true for (some?) SVRs, but (only?) during onboarding. I think it is never true for application-defined resources, at least not post-onboarding.
>
> Can somebody clarify this?
>
> G
>
> _______________________________________________
> iotivity-dev mailing list
> iotivity-dev@lists.iotivity.org
> https://lists.iotivity.org/mailman/listinfo/iotivity-dev
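The access rule the thread converges on (no implicit access for the device owner once the Device is in "Ready for Normal Operation"; only the rowneruuid of a given SVR gets at that SVR without an ACE) is easy to mis-remember, so here is a small executable model of it. This is an added example written for this page, not IoTivity or OCF code: the `Device`, `ACE` and `is_allowed` names, the fixed set of SVR hrefs, the sample UUIDs, and the reading of the SVR exception as "rowner of that SVR, without an ACE" are all assumptions of the example. The permission bitmask (C=1, R=2, U=4, D=8, N=16) follows the OCF Security spec as the example assumes it.

```python
# Added illustration (not IoTivity/OCF code): toy model of the post-onboarding
# access check discussed in the thread.  Device, ACE, is_allowed, SVR_HREFS and
# the sample UUIDs are assumptions of this example.
from dataclasses import dataclass, field
from typing import Dict, List

# OCF permission bitmask as assumed here: Create=1, Retrieve=2, Update=4,
# Delete=8, Notify=16.
CREATE, RETRIEVE, UPDATE, DELETE, NOTIFY = 1, 2, 4, 8, 16

# Security Virtual Resources that carry their own rowneruuid (assumed subset).
SVR_HREFS = {"/oic/sec/doxm", "/oic/sec/pstat", "/oic/sec/acl2", "/oic/sec/cred"}


@dataclass
class ACE:
    subject_uuid: str      # UUID of the requesting Device (subject type "uuid")
    hrefs: List[str]       # resources this ACE covers; "*" matches any href
    permission: int        # bitmask of CREATE/RETRIEVE/UPDATE/DELETE/NOTIFY


@dataclass
class Device:
    svr_rowner: Dict[str, str]              # SVR href -> rowneruuid of that SVR
    acl: List[ACE] = field(default_factory=list)
    state: str = "RFNOP"                    # "Ready for Normal Operation"

    @property
    def device_owner(self) -> str:
        # "the device owner" in the thread is /oic/sec/doxm.rowneruuid
        return self.svr_rowner["/oic/sec/doxm"]


def is_allowed(dev: Device, requester: str, href: str, op: int) -> bool:
    """True if `requester` may perform `op` on `href` while in RFNOP.

    Rule 1 (SVR exception): the Device whose UUID is the rowneruuid of that
    particular SVR may access it without an ACE.
    Rule 2: everyone else, including the doxm rowner on application
    resources, needs an explicit ACE whose permission bits cover `op`.
    """
    if dev.state != "RFNOP":
        raise ValueError("this toy model only covers the RFNOP state")
    if href in SVR_HREFS and dev.svr_rowner.get(href) == requester:
        return True
    for ace in dev.acl:
        if ace.subject_uuid != requester:
            continue
        if "*" in ace.hrefs or href in ace.hrefs:
            if ace.permission & op == op:
                return True
    return False


def scenario() -> Dict[str, bool]:
    """Constructed sample: an OBT owns doxm/pstat/acl2, a separate CMS owns cred."""
    obt = "11111111-1111-1111-1111-111111111111"   # onboarding tool = device owner
    cms = "22222222-2222-2222-2222-222222222222"   # credential management service
    dev = Device(svr_rowner={
        "/oic/sec/doxm": obt, "/oic/sec/pstat": obt,
        "/oic/sec/acl2": obt, "/oic/sec/cred": cms,
    })
    results = {
        # device owner with no ACE: application resource is denied
        "owner_light_no_ace": is_allowed(dev, obt, "/a/light", RETRIEVE),
        # rowner of doxm may read doxm without an ACE
        "owner_doxm": is_allowed(dev, obt, "/oic/sec/doxm", RETRIEVE),
        # owning doxm does not make the OBT the rowner of cred
        "owner_cred": is_allowed(dev, obt, "/oic/sec/cred", RETRIEVE),
        "cms_cred": is_allowed(dev, cms, "/oic/sec/cred", UPDATE),
    }
    # Provisioning step: the OBT installs an ACE for itself on /a/light (R only)
    dev.acl.append(ACE(subject_uuid=obt, hrefs=["/a/light"], permission=RETRIEVE))
    results["owner_light_retrieve"] = is_allowed(dev, obt, "/a/light", RETRIEVE)
    results["owner_light_update"] = is_allowed(dev, obt, "/a/light", UPDATE)
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Running `scenario()` shows the two points the thread makes: the doxm rowner is denied on `/a/light` until an ACE naming it is provisioned (and even then only for the permission bits the ACE grants), while the SVR exception is scoped per SVR, so owning `/oic/sec/doxm` does not imply access to `/oic/sec/cred` when a different Device is that resource's rowner.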