The present invention discloses a method and a device by means of which improved service authorization can be obtained in a wireless access telecommunications system.
At present, in some wireless access telecommunications systems, such as, for example 2G and 3G systems, such as 3G-GPRS, there are functions in the system for allowing or denying users access to services within the system or services outside of the system. In most 2G and 3G systems, the functions for allowing or denying a user such access are designed in the following manner: a user requests access to a service by means of a request to a node in the system, in a GPRS system the so called GGSN, the Gateway GPRS Support Node.
The GGSN has obtained knowledge of the user's rights and which services the user may access by means of another function in the system, usually known as the PCRF, Policy and Charging Rule Function. Usually, when a UE requests a new session, e.g. is turned on initially, the GGSN requests, and receives from the PCRF, a list that defines which services the user may or may not access. This list is then used by the GGSN during the session in question, in order to permit or deny the user access to services which the user requests access to.
If a user requests access to a service to which the GGSN, according to the information from the PCRF, wishes to deny him access, the request may be redirected to a separate function in the system, which handles denial of service requests. This separate function will send a message to the UE informing the user of the denial, e.g. he will receive a message such as “Access Denied” or “Service not authorized”.
In the context of allowing or denying access to a user, the GGSN assumes a role referred to as Policy Charging Enforcement Function, PCEF. The PCEF accesses the PCRF by means of an interface known as Gx.
Some services that a user is normally allowed to access may temporarily not be authorized, e.g. due to a number of PCRF-defined policies:
Even though there may be a number of reasons why one or more services are denied for a user, the Gx interface only provides information regarding whether or not a user is allowed access to a service.
For example, it is impossible for a PCEF/GGSN to know if a user is denied access to a certain service due to the fact that the user's terminal doesn't support the service in question, or if the denial is due to the fact that the user is roaming in another network, in which the service in question is denied. Hence, the only action the PCEF can take in the case of a denial is to redirect service requests issued from the user terminal to a generic redirect address that informs the user that the service is denied for an unspecified reason, as exemplified by the messages above.
As has emerged from the description above, there is thus a need for a method by means of which a node such as, for example a PCEF/GGSN can provide a user who is denied access to a service to which he has requested access more information regarding the reason for the denial than is possible at present.
This need is addressed by the present invention in that it discloses a method for use in a wireless access telecommunication system, in which system there can be a number of user equipments, UE, and a first node to which a UE may send a request for access to a specific service.
The system in which the invention can be applied also comprises a control function which holds information about the access rights to specific services for a plurality of UEs in the system, and the system additionally comprises an interface between said first node and the control function.
The method of the invention comprises the step of letting the first node receive information about a UE's access rights from the control function, and also comprises the step of letting the first node handle access requests to a service from a UE using the access rights information from the control function. The method also comprises the step of letting the access rights information from the control function to the first node comprise a code regarding services to which the UE is denied access.
Thus, by means of the present invention, the first node, e.g. a PCEF/GGSN can use the code obtained from the control function, e.g. a PCRF, in order to provide users with more detailed information regarding the reason that they are denied access to a certain service. In a preferred embodiment of the present invention, the code is used by the first node (PCEF/GGSN) in order to redirect the access request to a second function in the system, and in this embodiment, the method also comprises the step of letting the second function send an explicit message regarding the reason for the denial to the requesting UE. However, it is also entirely possible to let the first node comprise a list of said codes, so that a code may be “decoded” in the first node, in which case a message which corresponds to the code in question may be sent to the UE from the first node.
In addition to the problem of “denial messages” which do not comprise sufficient amounts of information, an additional problem in present systems is that an operator may want to grant certain users access to certain services during a limited interval in time, such as, for example, between 08:00 AM and 06:00 PM on weekdays. In order to achieve this with the present standard Gx protocol, the authorization information in the PCEF for all affected sessions will need to be updated essentially at the same time. This will cause massive peaks in Gx signalling, which is highly undesirable.
This problem is also addressed by the present invention, in that the invention in a particular embodiment comprises the step of letting the access rights information from the control function (e.g. PCRF) to the first node (e.g. PCEF/GGSN) comprise information about periods in time when the UE is allowed or denied access to one or more of said services.
Thus, by means of the present invention, it is made possible to inform users who are denied access to a certain service of the reason for the denial, and it is also possible to improve the way in which users may be denied or granted access to services based on time intervals.
These and other advantages of the present invention will become even more apparent from the following detailed description.
The invention also discloses an improved interface for use between the first node (e.g. PCEF/GGSN) and the control function (e.g. PCRF), as well as a node for use as said first node.
The invention will be described in more detail in the following, with reference to the appended drawings, in which
As shown in
It can be pointed out that a GPRS system comprises numerous components which are not shown in
The PCRF 160 has information about which services that the UE 110 should be granted or denied access to. This information is communicated to the PCEF/GGSN, usually at the initial UE bearer service request, although the procedure may take place at other points in time as well. The interface between the PCRF 160 and the PCEF/GGSN 120 is known as the Gx interface.
Thus, the PCRF 160 communicates to the PCEF/GGSN 120 a list of services to which the UE 130 should be denied or granted access to. As an example, all services that are not granted in the list can be considered to be denied. The PCEF/GGSN stores this list, and when a UE 110 sends a request message, shown by the arrow 1 in
In the system 200 of the invention, the control function 160, i.e. the PCRF, may send information to the PCEF/GGSN regarding a UE's access rights to a number of services via the Gx interface. However, in the system 200, as opposed to the system 100 of
Examples of Service Authorization Information Provided Over the Gx Interface From the PCRF to the PCEF/GGSN:
Service “A”: OK
Service “B”: Not OK, “NOK”, Code 2
Service “C”: OK
Service “D”: NOK; Code 4.
Thus, as can be seen, for services to which the user 110 is denied access, the PCRF uses the Gx interface to explicitly inform the PCEF/GGSN 120 not only about which services are authorized, but also about which services are not authorized (NOK), which may be temporary, together with a code coupled to the reason for the denial.
Subsequently, when a UE requests access to a service to which it, according to the information from the PCRF, should be denied access to, the PCEF/GGSN uses the codes comprised in the Gx message as follows:
Since the denied request can be redirected to one of a number of functions 180-182, the contents of the “denial message” to the UE 110 can be tailored in a way which has been impossible hitherto. Preferably, each NOK code is tied to a specified one of the functions 180-182, by means of which each NOK code can be made to correspond to a certain denial message.
Thus, each of the functions 180-182 is prepared with a certain message, example of which might be:
Naturally, the number of “denial message functions” 180-182 shown in
It should also be pointed out that the denial message functions 180-182 are merely one way of utilizing the enhanced Gx messages of the invention. It is also perfectly possible to let the PCEF/GGSN comprise the function of “decoding” the codes from the PCRF itself, so that the denial messages are sent directly from the PCEF/GGSN 120 to the UE 110 by a function for this in the PCEF/GGSN.
In addition, it is also possible to let the denial message function 180-182 be external to the PCEF/GGSN as shown in
As has emerged from the description above, the present invention comprises extending the Gx protocol so that the PCRF may communicate more information to the PCEF regarding reasons for denying a UE access to a service. The extensions to the Gx protocol may be referred to as Attribute Value Pairs, AVPs, a term which may be used below, AVPs being information containers used by the Gx protocol.
The sequence is as follows:
In the following, by way of example only, some examples of AVPs of the present invention will be given.
Charging-Rule-Install AVP
The authorization state for the current and next periods of time is included in the Charging-Rule-Install AVP, by inserting a new AVP, the Charging-Rule-Authorization AVP:
Charging-Rule-Install::=<AVP Header: 1001>
The authorization information provided in the Charging-Rule-Authorization AVP is valid for all Charging-Rule-Names and Charging-Rule-Base-Names provided in that instance of the Charging-Rule-Install AVP provided in a CCA or RAR, Re-Authorization Request.
If no Charging-Rule-Authorization AVP is present in a Charging-Rule-Authorization AVP then this implies that all Charging-Rule-Definitions, Charging-Rule-Names and Charging-Rule-Base-Names are authorized without any restrictions (standard solution).
Charging-Rule-Authorization AVP
The Charging-Rule-Authorization AVP groups the AVPs that are required to define the authorization state for the current and next time period for the associated charging rules and charging rule bases.
The Charging-Rule-Authorization AVP is shared in the same Charging-Rule-Install for those Charging-Rule-Names or Charging-Rule-Base-Names that have the same Authorization-State.
The Charging-Rule-Authorization AVP may look as follows:
Charging-Rule-Authorization::=<AVP Header: 1055, Vendor Id: 193>
Authorization-State AVP
The Authorization-State AVP may be of the type “enumerated”, and specifies the authorization state and reason for non-authorization for the charging rules and charging rule bases provided in the Charging-Rule-Install AVP.
The following values can be defined for the Authorization-State AVP:
As has been seen from the description given above, by means of the invention, a problem associated with “access denial messages” may be addressed. Another problem which may be solved by a particular embodiment of the invention is that an operator of a system may want to authorize some services to a large number of users during a limited period of time, such as a particular interval of a day, for example between 08:00 AM and 06:00 PM on weekdays. To achieve this with the present Gx protocol which is used between the PCRF and the PCEF, the authorization information in the PCEF of all affected sessions needs to be updated at more or less the same point in time. This causes massive peaks in Gx signalling in the system, which is undesirable.
In order to address this problem, the mentioned embodiment of the present invention comprises the step of letting the access rights information from the control function, i.e. the PCRF, to the first node, i.e. the PCEF/GGSN, comprise information about periods in time when a UE is allowed or denied access to one or more services.
As an example, some services may be authorized for a certain user during a specific period of time only, e.g. for 24 hours from the time when the service is activated, or during re-occurring periods of the day, e.g. between 07:00-18:00 on weekdays.
In order to provide such information to the PCEF, the “authorization code” described above, provided by the PCRF to the PCEF, the so called PCC-rule, can be associated with information regarding a specific point in time when the authorization state changes. The next authorization state that is valid after the authorization state change must also be provided for this kind of services. In this way, it will be possible for the PCEF to determine that e.g. a certain user is to be granted access to a certain service until, in this example, 18:00, and thereafter the user should be denied access to the service, due to calendar time restrictions. The opposite is of course also possible, i.e. the service is first temporarily denied to the user due to calendar time restrictions, but after 18:00, in the present example, the user is granted access to the service.
Another “building block” in the calendar time based authorization embodiment of the invention is a validity timer which schedules the PCEF to request new policy information from the PCRF. The validity timer is provided by the PCRF to the PCEF, and should typically be set longer than the authorization state change time, e.g. longer than 18:00 in the present example, but short enough to catch new policy information before the next consecutive authorization state change time occurs, i.e. in this example at the latest at 07:00 the following morning.
Thus, by means of the calendar time based authorization embodiment of the invention, Gx signalling peaks may be avoided.
In order to explain the time based authorization or denial/grant of access to certain services, reference will now be made to
The signaling in
Some examples of AVPs of the invention which may be used with the calendar based grant or denial of access to services are shown below. It should be pointed out that the AVPs below are merely examples, and are in no way to be seen as restrictive for the scope of protection sought for the present invention.
Authorization-State-Change-Time AVP
The Authorization-State-Change-Time is a time-stamp identifying the date and time when the authorization state provided in the Authorization-State AVP will no longer be valid. An example of an Authorization-State-Change-Time AVP is that it is of the type “Time” and includes the time in seconds since Jan. 1, 1900, 00:00 UTC.
Next-Authorization-State AVP
An example of the Next-Authorization-State AVP is that it is of the type “enumerated”, and specifies the authorization state and reason for non-authorization after the expiration time, defined in the Authorization-State-Change-Time AVP, has been passed. The following values may be defined for the Next-Authorization-State AVP:
Authorization-Validity-Time AVP
The Authorization-Validity-Time AVP may be included in a Credit Control Answer, CCA, or in a Re-Authorization-Request, RAR. The Authorization-Validity-Time is a time-stamp identifying the date and time when the authorization information, provided in the Charging-Rule-Install AVPs, will no longer be valid. An example of a specific Authorization-Validity-Time AVP is that it is of the type “Time”, and includes the time in seconds since Jan. 1, 1900, 00:00 UTC.
Event-Trigger AVP
The Event-Trigger AVP is suitably of the type “Enumerated”. The Event-Trigger indicates an event that shall cause a re-request of PCC-Rules. The following value may be defined for this AVP:
TIME_CHANGE 100
This value is used to indicate that before the given time, specified in the Authorization-Validity-Time AVP, new PCC-rules should be requested.
Note: If the Event-Trigger 100 and the Authorization-Validity-Time AVP are not provided, but the Authorization-State-Change-Time AVP has been provided in a Charging-Rule-Authorization AVP, then the next-authorization state will be a permanent state of authorization, until new PCC-decisions are provided by the PCEF. This is useful for accomplishing time-based subscriptions, e.g. 12 hour access to service “A”.
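An added example, not taken from the patent, of how a PCEF could evaluate both the code-based redirect and the calendar-time AVPs described above for a single access request. The numeric encoding (0 for authorized, 255 as a generic fallback), the meanings attached to codes 2 and 4, the redirect URLs, the fail-closed handling of a missing next state and the 27 April 2007 timestamps are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

NTP_UNIX_OFFSET = 2_208_988_800  # seconds from 1900-01-01 to 1970-01-01 UTC
AUTHORIZED = 0       # assumed encoding: 0 = OK, anything else = NOK reason code
GENERIC_DENY = 255   # assumed fallback code for "unspecified reason"

# Assumed mapping of NOK codes to denial-message functions (hypothetical URLs).
REDIRECTS = {
    2: "http://denial.example/roaming-restricted",
    4: "http://denial.example/outside-allowed-hours",
    GENERIC_DENY: "http://denial.example/access-denied",
}

def diameter_time(dt: datetime) -> int:
    """Encode an aware datetime as seconds since 1900-01-01 00:00 UTC."""
    return int(dt.timestamp()) + NTP_UNIX_OFFSET

@dataclass
class RuleAuth:
    state: int                          # Authorization-State
    change_time: Optional[int] = None   # Authorization-State-Change-Time
    next_state: Optional[int] = None    # Next-Authorization-State

def effective_state(auth: RuleAuth, now: int) -> int:
    """State that applies at `now`, switching over at the change time."""
    if auth.change_time is None or now < auth.change_time:
        return auth.state
    # A change time must come with a next state; fail closed if it is missing.
    return GENERIC_DENY if auth.next_state is None else auth.next_state

def decide(rules, service, now, validity_time=None):
    """Return (allowed, redirect_url, refresh_needed) for one access request."""
    # Past the validity time the PCEF should request new policy from the PCRF.
    refresh = validity_time is not None and now >= validity_time
    auth = rules.get(service)
    # Services absent from the list are treated as denied.
    state = GENERIC_DENY if auth is None else effective_state(auth, now)
    if state == AUTHORIZED:
        return True, None, refresh
    return False, REDIRECTS.get(state, REDIRECTS[GENERIC_DENY]), refresh

def at(hour: int, day: int = 27) -> int:
    """Constructed timestamp in April 2007, UTC, as Diameter Time."""
    return diameter_time(datetime(2007, 4, day, hour, 0, tzinfo=timezone.utc))

# Constructed policy for one session, following the page's A-D example;
# the change times on A and D are added here to exercise the time-based AVPs.
RULES = {
    "A": RuleAuth(AUTHORIZED, change_time=at(18), next_state=4),  # OK until 18:00
    "B": RuleAuth(2),
    "C": RuleAuth(AUTHORIZED),
    "D": RuleAuth(4, change_time=at(18), next_state=AUTHORIZED),  # NOK until 18:00
}
VALIDITY = at(6, day=28)  # later than 18:00, before the next change at 07:00

if __name__ == "__main__":
    for svc in "ABCDE":
        print(svc, decide(RULES, svc, at(12), VALIDITY),
              decide(RULES, svc, at(19), VALIDITY))
```

Because the state switch is computed locally from the change time, no Gx message is needed at 18:00; only the later validity time triggers a new policy request.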
The invention also comprises as such a node 120 as shown above, said node suitably being a PCEF/GGSN of a 2G or a 3G system such as the 3G GPRS system. Such a node will comprise means for receiving the information about a UE's access rights from the control function 160. These means 145 have been symbolically shown as a processor 145 in
A node of the invention will also comprise means for handling access requests to a service from a UE by using the access rights information from said control function, these means also suitably being the processor 145, which will also be able to handle the access rights information from the control function, the PCRF, including a code, X, Y, Z, regarding services to which the UE is denied access.
Suitably, the processor 145 also handles the redirection of access requests to services to which a UE is denied access, as shown above, as well as handling information about periods in time when the UE 110 is allowed or denied access to one or more of said services, so that a UE which requests access to a certain service from the node 120 may be denied or granted access by the node 120 based on the time of day, week, month etc. that the request is made.
In conclusion, the enhanced service authorization of the Gx interface as disclosed by the present invention enables the PCEF/GGSN to carry out a selective service redirect to a redirect server which can provide detailed information to an end user, i.e. a UE, regarding why the UE has been denied access to a certain service to which he has requested access, and which the user is normally allowed to access.
The calendar time based authorization information conveyed via the Gx interface as disclosed by the present invention provides the PCEF/GGSN with information that enables it to carry out service based access control for services that are authorized only for a certain period of time, or only during, for example, certain times of the day or the week.
By means of this information, it will be possible to avoid the signalling peaks that present day Gx solutions would imply for this kind of services, when the policy information of large numbers of sessions needs to be updated at the same time.
The invention is not restricted to the examples of embodiments described above and shown in the drawings, but may be varied freely within the scope of the appended claims.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/SE07/50289 | 4/27/2007 | WO | 00 | 10/27/2009 |