RNAA

Resource owner-aware Northbound API Access

Management
Introduced in Rel-18
A 3GPP framework for secure and authorized access to network APIs (e.g., NEF APIs) by third-party applications, where the API invocations are aware of and respect the policies of the end-user (resource owner) whose data or network resources are being accessed.

Description

Resource owner-aware Northbound API Access (RNAA) is a security and authorization framework defined in 3GPP Release 18 for the 5G Service-Based Architecture (SBA). It specifically governs how third-party Application Providers (APs) or verticals access network exposure functions, primarily the Network Exposure Function (NEF), to invoke services or query information about a User Equipment (UE) or network resource. The core innovation of RNAA is that the authorization for such API access is not solely based on the agreement between the AP and the network operator, but also incorporates the consent and policies of the end-user (the "resource owner") whose data or network capabilities are the subject of the request.

Architecturally, RNAA involves several key Network Functions (NFs). The NEF acts as the entry point, receiving API requests from the AP. The framework introduces or leverages functions like the Resource Owner-aware Authorization Server (RO-AS), which may be integrated within the operator's domain or be a trusted external entity. When an AP requests an API that involves a user's resource (e.g., "get location of UE-123"), the NEF, in conjunction with the RO-AS, must verify a multi-layered authorization policy. This includes checking the AP's credentials and the service-level agreement, but also validating that the resource owner (the user of UE-123) has granted consent for this specific type of access to this specific AP, potentially with constraints on time, location, or data usage.

The technical workflow involves the use of OAuth 2.0 and OpenID Connect standards, adapted for the 3GPP ecosystem. The resource owner (user) grants consent via a user-facing consent management interface, which results in the issuance of an access token bound to specific scopes (API permissions). The AP presents this token when invoking the NEF API. The NEF or a dedicated policy enforcement point validates the token's authenticity, its associated scopes, and the binding to the target resource. This ensures that API invocations are not just technically permitted but are also privacy-compliant and aligned with user sovereignty over their personal data and network service permissions. RNAA thus embeds the principle of "user-in-the-loop" into the network's northbound interface.

Purpose & Motivation

RNAA was created to address critical privacy, security, and regulatory shortcomings in earlier network exposure paradigms. Initial northbound APIs, while opening network capabilities, primarily relied on a binary trust model between the operator and the third-party application provider. This model did not adequately involve the end-user, whose personal data (location, connectivity status) or network resources (QoS modification) were being accessed or manipulated. This gap raised significant concerns under regulations like the GDPR, which mandate user consent for data processing, and limited the adoption of network APIs for sensitive use cases.

The motivation for RNAA stems from the need to enable innovative vertical applications (e.g., in healthcare, automotive, or smart cities) that require user-specific network information or control, while simultaneously ensuring user privacy and regulatory compliance. It solves the problem of "blind" API access by introducing a standardized, secure, and user-centric authorization layer. Before RNAA, operators might implement proprietary consent mechanisms, creating fragmentation. RNAA provides a unified 3GPP framework that gives users control over how their network data is shared, builds trust, and unlocks new business models where users can dynamically grant or revoke access to applications, fostering a more open and ethical digital ecosystem.

Key Features

  • Enforces user (resource owner) consent as a prerequisite for northbound API access
  • Integrates with OAuth 2.0/OpenID Connect frameworks for standardized authorization
  • Provides fine-grained, scope-based access control for network APIs (e.g., location, QoS)
  • Enables dynamic consent management and revocation by the end-user
  • Works with the Network Exposure Function (NEF) as the primary API gateway
  • Supports compliance with data privacy regulations (e.g., GDPR) in network service exposure

Evolution Across Releases

Rel-18 Initial

Initial standardization of the RNAA framework. Defined the architecture, roles (Resource Owner, Client, Authorization Server, Resource Server), and procedures based on OAuth 2.0 for authorizing access to NEF APIs. Specified how user consent is obtained, represented, and validated for API calls involving UE-related resources.

TS 23.222TS 28.849TS 29.222TS 33.122TS 33.700

Defining Specifications

SpecificationTitle
TS 23.222 3GPP TS 23.222
TS 28.849 3GPP TS 28.849
TS 29.222 3GPP TS 29.222
TS 33.122 3GPP TR 33.122
TS 33.700 3GPP TR 33.700