FEAM

Functional Entity Access Manager

Management
Introduced in Rel-8
The Functional Entity Access Manager is a security function within the IP Multimedia Subsystem (IMS) that manages access control to application servers and services. It acts as a policy enforcement point, authorizing service requests based on user profiles and network policies. The FEAM is a key component for securing IMS-based service delivery and enabling trusted third-party application access.

Description

The Functional Entity Access Manager is a specialized security function defined within the 3GPP IMS architecture, specified primarily in TS 29.078. It operates as a logical entity, often co-located with or integrated into the Serving-Call Session Control Function (S-CSCF). The primary role of the FEAM is to perform access control for service invocation in the IMS network. When a user or an application server (AS) attempts to invoke a service, the request is intercepted and evaluated by the FEAM. It makes authorization decisions based on a set of rules and policies, which may include the user's subscription profile (fetched from the HSS), the identity of the requesting entity, the type of service requested, and other session parameters.

Operationally, the FEAM interacts with the IMS core via the ISC (IMS Service Control) interface. Upon receiving a SIP message (like an INVITE or MESSAGE) destined for an Application Server, the S-CSCF can invoke the FEAM logic. The FEAM evaluates the request against configured policies. If authorized, the request is forwarded to the target AS. If denied, the FEAM can cause the S-CSCF to reject the request with an appropriate SIP error response. The FEAM's decision-making can be based on static policies configured in the network or dynamic policies retrieved from a policy database. It plays a crucial role in scenarios involving third-party ASs, ensuring that only authorized and trusted applications can interact with the IMS core on behalf of a user.
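The decision flow described above, modelled as an added example that is not taken from TS 29.078 or from any product. The rule order, field names, sample identities and the use of 403 Forbidden as the rejection code are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not from TS 29.078.
from dataclasses import dataclass

FORBIDDEN = 403  # assumed code; the page only says "appropriate SIP error response"

@dataclass(frozen=True)
class Request:
    method: str      # SIP method, e.g. INVITE or MESSAGE
    user: str        # served user's identity
    requester: str   # entity that issued the request (the user or an AS)
    target_as: str   # Application Server the request is destined for
    service: str     # service type being invoked

def authorize(req, profiles, policy):
    """Return (forward, sip_status, reason); anything not explicitly allowed is denied."""
    subscribed = profiles.get(req.user)  # stands in for the profile fetched from the HSS
    if subscribed is None:
        return False, FORBIDDEN, "no subscription profile"
    if req.service not in subscribed:
        return False, FORBIDDEN, "service not in user profile"
    if policy["service_as"].get(req.service) != req.target_as:
        return False, FORBIDDEN, "target AS does not host this service"
    if req.method not in policy["service_methods"].get(req.service, ()):
        return False, FORBIDDEN, "method not permitted for service"
    if req.requester != req.user and req.requester not in policy["trusted_as"]:
        return False, FORBIDDEN, "requesting entity is not a trusted AS"
    return True, None, "forward to target AS"

# Constructed sample data (not real subscribers or servers).
PROFILES = {"sip:alice@example.org": {"presence", "messaging"}}
POLICY = {
    "trusted_as": {"sip:as-partner.example.org"},  # ASs allowed to act for a user
    "service_as": {"messaging": "sip:as-msg.example.org"},
    "service_methods": {"messaging": {"MESSAGE"}},
}

def demo():
    alice, msg_as = "sip:alice@example.org", "sip:as-msg.example.org"
    return [authorize(r, PROFILES, POLICY) for r in (
        Request("MESSAGE", alice, alice, msg_as, "messaging"),
        Request("INVITE", alice, alice, msg_as, "messaging"),
        Request("MESSAGE", alice, "sip:as-rogue.example.net", msg_as, "messaging"),
        Request("MESSAGE", alice, "sip:as-partner.example.org", msg_as, "messaging"),
    )]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each check returns on the first failure and only the final line authorizes, so a request that matches no rule is rejected rather than forwarded.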

Architecturally, the FEAM enhances the IMS security framework by adding a layer of service-level authorization, complementing the network-level authentication performed by the CSCFs. It is part of the broader IMS Service Authorization framework. While not all IMS deployments implement a distinct FEAM node, its functions are mandatory and are implemented within the S-CSCF logic or a dedicated policy server. Its specification ensures a standardized method for controlling access to IMS services, which is vital for preventing fraud, managing service tiers, and enabling secure open service environments where operators can expose network capabilities to external partners.

Purpose & Motivation

The FEAM was introduced to address the security and control challenges arising from the open, application-centric design of the IP Multimedia Subsystem (IMS). IMS was designed to decouple services from the underlying transport, allowing multiple application servers (both operator-owned and third-party) to provide services. This created a critical need for a robust mechanism to control which entities (users or ASs) could invoke which services, under what conditions. Without the FEAM, the S-CSCF would blindly forward service requests, leaving the network vulnerable to unauthorized service access, spam, and fraud.

Its creation was motivated by the requirement for a standardized, policy-driven access control layer within the IMS service plane. Prior approaches often embedded authorization logic directly into individual application servers, leading to fragmentation and inconsistent security postures. The FEAM centralizes this logic at the network core, providing a unified point of control. This solves several problems: it allows operators to enforce consistent commercial and security policies across all services, enables efficient management of user service profiles from a single point (the HSS), and provides a secure gateway for third-party service providers to access network capabilities as defined in 3GPP's Open Service Access (OSA) and Parlay frameworks. It is a key enabler for trusted and billable multimedia service delivery.

Key Features

  • Performs service-level authorization for IMS service requests
  • Acts as a policy enforcement point integrated with the S-CSCF
  • Makes decisions based on user subscription data, service type, and network policies
  • Intercepts SIP signaling on the ISC interface to/from Application Servers
  • Protects network resources and prevents unauthorized service invocation
  • Enables secure access for third-party application servers to IMS capabilities

Evolution Across Releases

Rel-8 Initial

Introduced as part of the IMS security and service authorization framework for LTE/EPC. The initial specification in TS 29.078 defined the FEAM's role, its functional procedures, and its integration with the S-CSCF and HSS to control access to IMS Application Servers based on user profiles and operator policies.

Defining Specifications

Specification    Title
TS 29.078        3GPP TS 29.078