An encrypted data transfer protocol shall be employed at reference point R2 to protect the secrecy and integrity of collected UE data in transit between the Direct Data Collection Client and the Data Collection AF.
The Provisioning AF restricts the exposure of UE data over reference points R5 and R6 by configuring a set of Data Access Profiles for each Event ID to be exposed. A Data Access Profile specifies a set of data processing operations that need to be performed by the Data Collection AF on the collected UE data in order to synthesize the event data that will be exposed to the NWDAF and/or Event Consumer AF.
When subscribing to event exposure notifications for a particular Event ID, an NWDAF or Event Consumer AF goes through an authorisation procedure (see clause 5.8) with an Authorisation AS that determines the level of access the event subscriber is allowed to have by selecting one of the provisioned Data Access Profiles for the Event ID in question. If successful, the Authorisation AS supplies an access token to the subscriber which is presented to and validated by the Data Collection AF as part of the event subscription procedure.
Figure 4.5.2-1 depicts the static data model for the data collection provisioning with Data Access Profiles to restrict data exposure access.
The Data Access Profile defines restrictions along the time, user, and location dimensions:
Restrictions along the time dimension determine the granularity of access to UE data along the time axis. The finest granularity allows access to events as they take place in time. The coarsest level of access aggregates all event data along the time axis to produce a single aggregated value.
Restrictions along the user dimension allow the Provisioning AF to restrict access to UE data related events based on groups. The finest granularity allows the event consumer to access events related to single users. Coarse granularity access exposes aggregated collected event data based on user groups. The coarsest granularity access exposes the data being aggregated for all users.
Restrictions along the location dimension allow the Provisioning AF to restrict access to UE data related events based on the geographical location of the data collection client during the event. The finest granularity allows the event consumer to access events individually, irrespective of the location. Coarse granularity access exposes aggregated collected event data based on a geographical area. The coarsest level of access aggregates all event data along the location axis to produce a single aggregated value for all locations.
The baseline set of aggregation functions is listed in Table 4.5.2-1:
No aggregation is applied, and all reported data records are exposed as individual events.
The number of reported data records is exposed to event consumers.
The mean average of the values in reported data records is exposed to event consumers.
The maximal observed value in reported data records is exposed to event consumers.
The minimal observed value in reported data records is exposed to event consumers.
The sum of the values in reported data records is exposed to event consumers.
The authorization URL, if present in the data exposure restrictions, is used to redirect subscription requests without a valid access token to an authorization server, which will perform the authorization for the requested Data Access Profile.
Upon successful authorization, the consumer entity obtains an access token, which contains an identifier of the Data Access Profile that is allowed for the event consumer. Upon successful subscription, the Data Collection AF shall apply the indicated aggregation functions of the corresponding Data Access Profile along the time and user dimensions on the collected data prior to exposing it to the event consumer.
The Provisioning AF provisions zero or more sets of provisioning information in the Data Collection AF at reference point R1. The baseline set of information provisioned is described in clause 4.6.2. Each set of provisioning information pertains to one application, identified by its external application identifier, and one type of exposed event, uniquely identified in the 5G System by its Event ID, as defined in clause 4.15.1 of TS 23.502. There may be more than one set of provisioning information for a particular external application identifier, but the combination of the external application identifier and Event ID shall be unique for a given Data Collection AF instance.
The data processing instructions and data exposure restrictions are expressed as a set of Data Access Profiles (see clause 4.5.2). The data exposure restrictions limit the types of event consumer that are authorised to subscribe to the Event ID provisioned for the application and the data processing instructions specify aggregation functions that are applied to UE data prior to exposure to those event consumers.
Each set of provisioning information is manifested as a data collection client configuration that the Data Collection AF makes available to Direct Data Collection Client instances at reference point R2, to Indirect Data Collection Client instances at R3 and to AS instances at R4.
Once configured, these data collection clients then send data reports to the Data Collection AF associated with the data collection client configuration. Each data report provides the external application identifier associated with the UE Application and also includes a non-empty list of data reporting records containing the parameters collected by the data collection client. These parameters typically include a sampling timestamp.
An event consumer (the NWDAF and/or Event Consumer AF) subscribes to a type of event exposed by the Data Collection AF using the procedures defined in clause 18.104.22.168.3 of TS 23.288. The event consumer may additionally specify user-, location- and/or application-based filters in its subscription request in order to further limit the events exposed to a subset of those permitted by the relevant provisioned data exposure restriction(s). Attempts by an event consumer to subscribe to event types that are not provisioned at the Data Collection AF instance are permitted, but will yield no event notifications until such event types have been successfully provisioned.
Depending on the data processing instructions provisioned in the Data Collection AF, a data reporting record contributes to zero or more events exposed to subscribers at reference points R5 and/or R6. Conversely, an exposed event arises from one or more data reporting records. In the case of events synthesised by the Data Collection AF from multiple data reporting records, the timestamp of the event shall indicate when it was synthesised. Otherwise, the timestamp of the event shall be identical to the timestamp of the data reporting record from which it arose.
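The following is an added example, not part of the specification text: a minimal Python sketch of how a Data Collection AF could select the Data Access Profile named in an access token and apply its aggregation function along the time and user dimensions, including the event timestamp rule above. The claim name `profile_id`, the profile fields, the aggregation labels and the Event ID `EVENT_X` are assumptions made for illustration, and the token is assumed to have been validated already.

```python
from collections import defaultdict
from statistics import mean

# Hypothetical labels for the six baseline functions described in Table 4.5.2-1.
AGGREGATIONS = {"none": None, "count": len, "mean": mean,
                "max": max, "min": min, "sum": sum}

def select_profile(claims, provisioned, event_id):
    """Pick the Data Access Profile named in already-verified token claims.

    Fails closed: the profile must be provisioned for this exact Event ID.
    """
    profile = provisioned.get(event_id, {}).get(claims.get("profile_id"))
    if profile is None:
        raise PermissionError("token names no provisioned profile for this Event ID")
    return profile

def expose(records, profile, now):
    """Synthesise the events a subscriber holding `profile` may receive."""
    fn = AGGREGATIONS[profile["function"]]
    if fn is None:
        # Not synthesised: event timestamp equals the record timestamp.
        return [{"ts": r["ts"], "key": r["ue"], "value": r["value"]} for r in records]
    buckets = defaultdict(list)
    for r in records:
        user_key = {"user": r["ue"], "group": r["group"], "all": "*"}[profile["user"]]
        # window_s=None is the coarsest time level: one bucket for the whole axis.
        time_key = r["ts"] // profile["window_s"] if profile["window_s"] else 0
        buckets[(time_key, user_key)].append(r["value"])
    # Synthesised from several records: timestamp is the synthesis time.
    return [{"ts": now, "bucket": tk, "key": uk, "value": fn(vals)}
            for (tk, uk), vals in sorted(buckets.items())]

# Constructed provisioning state and data reporting records (sample data).
PROVISIONED = {"EVENT_X": {
    "per-group-mean": {"function": "mean", "user": "group", "window_s": None},
    "minute-count": {"function": "count", "user": "all", "window_s": 60},
    "raw": {"function": "none", "user": "user", "window_s": None},
}}
RECORDS = [
    {"ts": 100, "ue": "ue-a", "group": "g1", "value": 10},
    {"ts": 130, "ue": "ue-b", "group": "g1", "value": 30},
    {"ts": 170, "ue": "ue-c", "group": "g2", "value": 50},
    {"ts": 200, "ue": "ue-a", "group": "g1", "value": 20},
]

if __name__ == "__main__":
    p = select_profile({"profile_id": "per-group-mean"}, PROVISIONED, "EVENT_X")
    for event in expose(RECORDS, p, now=1000):
        print(event)
```

A subscriber whose token carries a coarse profile never sees per-UE keys or record timestamps, because only the aggregated buckets leave `expose`.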
The Data Collection AF exposes a batch of recent events to consumers (the NWDAF and/or Event Consumer AF) as an event exposure notification.
A separate set of provisioning information shall be provided to the Data Collection AF at reference point R1 for each Event ID it is to expose. This provisioning information embodies the Service Level Agreement between the network operator and the Application Service Provider envisaged in clause 22.214.171.124 of TS 23.288. The provisioning information shall include at least the parameters defined in Table 4.6.2-1 below:
The identifier to be used in reports sent to the Data Collection AF by data collection clients. (This needs to be mapped to the Internal Application Identifier when exposing events to the NWDAF.)
Internal Application Identifier: The identifier to be used by event consumers (including the NWDAF and the Event Consumer AF) when subscribing to events in the Data Collection AF.
The identifier of an AF event that will be exposed to event consumers as a result of the provisioning.
Data collection client type: The type of data collection client that will submit data reports to the Data Collection AF.
A parameter to control whether event consumers are permitted to filter events by External UE identifier or External Group Identifier when subscribing, instead of receiving events relating to all UEs.
Parameters to be reported: The subset of domain-specific parameters associated with the specified Event ID to be reported to the Data Collection AF (subject to user consent).
Data processing instructions: A set of operations to be performed by the Data Collection AF on the parameters reported according to clause 4.6.4 prior to exposure as an event at a particular access level. The set of supported operations shall include at least those listed in Table 4.5.2-1.
Data exposure restrictions: A set of restrictions on the exposure of the collected data after any data processing, each corresponding to a different access level.
All clients of the Data Collection AF wishing to report data shall first obtain a data collection and reporting configuration from the Data Collection AF at reference point R2, R3 or R4 (as appropriate). For each Event ID, the data collection and reporting configuration shall include at least the parameters defined in Table 4.6.3-1 below:
The following services provided by a Data Collection AF deployed inside the trusted domain shall be exposed northbound by the NEF to an Application Service Provider outside the trusted domain, as depicted in clauses A.3 and A.4:
the Data Collection AF shall support the CAPIF API provider domain functions as part of a distributed CAPIF deployment, i.e. Ndcaf and Naf via CAPIF-2/2e; and CAPIF-3, CAPIF-4 and CAPIF-5, as specified in clause 7.3 of TS 23.222;
the Data Collection AF shall support the CAPIF Core Function and API provider domain functions as part of a centralised CAPIF deployment, i.e. Ndcaf and Naf via CAPIF-2/2e, as specified in clause 7.2 of TS 23.222.
The CAPIF and associated API provider domain functions are specified in TS 23.222.