Content for  TS 26.531  Word version:  17.1.0

An encrypted data transfer protocol shall be employed at reference point R2 to protect the secrecy and integrity of collected UE data in transit between the Direct Data Collection Client and the Data Collection AF.

The Provisioning AF restricts the exposure of UE data over reference points R5 and R6 by configuring a set of Data Access Profiles for each Event ID to be exposed. A Data Access Profile specifies a set of data processing operations that need to be performed by the Data Collection AF on the collected UE data in order to synthesize the event data that will be exposed to the NWDAF and/or Event Consumer AF. When subscribing to event exposure notifications for a particular Event ID, an NWDAF or Event Consumer AF goes through an authorisation procedure (see clause 5.8) with an Authorisation AS that determines the level of access the event subscriber is allowed to have by selecting one of the provisioned Data Access Profiles for the Event ID in question. If successful, the Authorisation AS supplies an access token to the subscriber which is presented to and validated by the Data Collection AF as part of the event subscription procedure. Figure 4.5.2-1 depicts the static data model for the data collection provisioning with Data Access Profiles to restrict data exposure access.

The Data Access Profile defines restrictions along the time, user, and location dimensions:

• Restrictions along the time dimension determine the granularity of access to UE data along the time axis. The finest granularity allows access to events as they take place in time. The coarsest level of access aggregates all event data along the time axis to produce a single aggregated value.
• Restrictions along the user dimension allow the Provisioning AF to restrict access to UE data related events based on groups. The finest granularity allows the event consumer to access events related to single users. Coarse granularity access exposes aggregated collected event data based on user groups. The coarsest granularity access exposes the data being aggregated for all users.
• Restrictions along the location dimension allow the Provisioning AF to restrict access to UE data related events based on the geographical location of the data collection client during the event. The finest granularity allows the event consumer to access events individually, irrespective of the location. Coarse granularity access exposes aggregated collected event data based on a geographical area. The coarsest level of access aggregates all event data along the location axis to produce a single aggregated value for all locations.

The baseline set of aggregation functions is listed in Table 4.5.2-1:

The authorization URL, if present in the data exposure restrictions, is used to redirect subscription requests without a valid access token to an authorization server, which will perform the authorization for the requested Data Access Profile. Upon successful authorization, the consumer entity obtains an access token, which contains an identifier of the Data Access Profile that is allowed for the event consumer. Upon successful subscription, the Data Collection AF shall apply the indicated aggregation functions of the corresponding Data Access Profile along the time and user dimensions on the collected data prior to exposing it to the event consumer.

To satisfy the requirements in clause 6.2.8.1 of TS 23.288, a data collection client shall supply authentication information to the Data Collection AF:

1. When the data collection client requests its data collection and reporting configuration from the Data Collection AF; and
2. When the data collection client reports UE data to the Data Collection AF.

For reasons of efficiency, the authentication information may be provided once at the start of a long-lived UE data reporting session.

Figure 4.6.1-1 depicts the static data model for the data collection and reporting domain. It is further described below.

The Provisioning AF provisions zero or more sets of provisioning information in the Data Collection AF at reference point R1. The baseline set of information provisioned is described in clause 4.6.2. Each set of provisioning information pertains to one application, identified by its external application identifier, and one type of exposed event, uniquely identified in the 5G System by its Event ID, as defined in clause 4.15.1 of TS 23.502. There may be more than one set of provisioning information for a particular external application identifier, but the combination of the external application identifier and Event ID shall be unique for a given Data Collection AF instance. The data processing instructions and data exposure restrictions are expressed as a set of Data Access Profiles (see clause 4.5.2). The data exposure restrictions limit the types of event consumer that are authorised to subscribe to the Event ID provisioned for the application and the data processing instructions specify aggregation functions that are applied to UE data prior to exposure to those event consumers. Each set of provisioning information is manifested as a data collection client configuration that the Data Collection AF makes available to Direct Data Collection Client instances at reference point R2, to Indirect Data Collection Client instances at R3 and to AS instances at R4. Once configured, these data collection clients then send data reports to the Data Collection AF associated with the data collection client configuration. Each data report provides the external application identifier associated with the UE Application and also includes a non-empty list of data reporting records containing the parameters collected by the data collection client. These parameters typically include a sampling timestamp. An event consumer (the NWDAF and/or Event Consumer AF) subscribes to a type of event exposed by the Data Collection AF using the procedures defined in clause 6.2.8.2.3 of TS 23.288. The event consumer may additionally specify user-, location- and/or application-based filters in its subscription request in order to further limit the events exposed to a subset of those permitted by the relevant provisioned data exposure restriction(s). Attempts by an event consumer to subscribe to event types that are not provisioned at the Data Collection AF instance are permitted, but will yield no event notifications until such event types have been successfully provisioned. Depending on the data processing instructions provisioned in the Data Collection AF, a data reporting record contributes to zero or more events exposed to subscribers at reference points R5 and/or R6. Conversely, an exposed event arises from one or more data reporting records. In the case of events synthesised by the Data Collection AF from multiple data reporting records, the timestamp of the event shall indicate when it was synthesised. Otherwise, the timestamp of the event shall be identical to the timestamp of the data reporting record from which it arose. The Data Collection AF exposes a batch of recent events to consumers (the NWDAF and/or Event Consumer AF) as an event exposure notification.

A separate set of provisioning information shall be provided to the Data Collection AF at reference point R1 for each Event ID it is to expose. This provisioning information embodies the Service Level Agreement between the network operator and the Application Service Provider envisaged in clause 6.2.8.1 of TS 23.288. The provisioning information shall include at least the parameters defined in Table 4.6.2-1 below:

All clients of the Data Collection AF wishing to report data shall first obtain a data collection and reporting configuration from the Data Collection AF at reference point R2, R3 or R4 (as appropriate). For each Event ID, the data collection and reporting configuration shall include at least the parameters defined in Table 4.6.3-1 below:

For each Event ID, the data report shall include at least the parameters as defined in Table 4.6.4-1 below:

The following services provided by a Data Collection AF deployed inside the trusted domain shall be exposed northbound by the NEF to an Application Service Provider outside the trusted domain, as depicted in clauses A.3 and A.4:

• The Ndcaf_DataReportingProvisioning service shall be exposed to Provisioning AF instances deployed outside the trusted domain as Nnef_DataReportingProvisioning. See clause 6 of TS 26.532 and clause 5.24 of TS 29.522.
• The Ndcaf_DataReporting service shall be exposed to Indirect Data Collection Clients and Application Servers deployed outside the trusted domain as Nnef_DataReporting. See clause 7 of TS 26.532 and clause 5.23 of TS 29.522.
• The Naf_EventExposure service shall be exposed to Event Consumer AF instances deployed outside the trusted domain as Nnef_EventExposure. See TS 29.517 and TS 29.522.

The following services provided by an externally deployed Data Collection AF shall be exposed southbound by the NEF to Network Functions deployed inside the trusted domain, as depicted in clauses A.5:

• The Naf_EventExposure service shall be exposed to Event Consumer AF instances deployed inside the trusted domain as Nnef_EventExposure. See TS 29.517 and TS 29.591.

When CAPIF is supported, then:

• the Data Collection AF shall support the CAPIF API provider domain functions as part of a distributed CAPIF deployment, i.e. Ndcaf and Naf via CAPIF-2/2e; and CAPIF-3, CAPIF-4 and CAPIF-5, as specified in clause 7.3 of TS 23.222;
• the Data Collection AF shall support the CAPIF Core Function and API provider domain functions as part of a centralised CAPIF deployment, i.e. Ndcaf and Naf via CAPIF-2/2e, as specified in clause 7.2 of TS 23.222.

The CAPIF and associated API provider domain functions are specified in TS 23.222.

The use of the SEAL framework for exposure of the Ndcaf_DataReportingProvisioning, Ndcaf_DataReporting and Naf_EventExposure services is for future study.