Authentication, authorization and digital identity management are core features required by secure digital systems. Therein, authorization is the key component for regulating the detailed access credentials to required service resources. Authorization, therefore, plays a significant role in the trust management of autonomous devices and services. Due to the heterogeneous nature of Cyber-Physical Systems and the Internet of Things, several authorization techniques using different access control models, accounts, groups, tokens, and delegations have both strengths and weaknesses. There exist many literature studies on other main security requirements such as authentication, identity management and confidentiality. However, there is a need for a comprehensive review of different authorization techniques in Cyber Physical Systems and the Internet of Things. A specific target of this paper is authorization in Cyber Physical System and Internet of Things networks with non-constrained devices in an industrial context with mobility, subcontractors, and autonomous machines that are able to carry out advanced tasks on behalf of others. We study the different authorization techniques using our three-dimensional classification, which includes access control models, sub-granting models and authorization governance. We focus on the state of the art in authorization sub-granting, including delegation techniques by access control/authorization server and self-contained authorization using a new concept of Power of Attorney. Comparison is performed on several parameters such as type of communication, method of authorization, control of expiration, and use of techniques such as public-key certificates, encryption techniques, and tokens. The results show the differences and similarities of server-based and Power of Attorney based authorization sub-granting. The most common standards are also analyzed in light of those classifications.
INDEX TERMS Authorization, access control models, Cyber Physical Systems (CPS), Internet of Things (IoT), sub-granting, delegation, Power of Attorney (PoA), OAuth

I. INTRODUCTION

The wider implementation of connected devices brings a significant increase in business revenue. Nowadays, enterprises invest in machine to machine (M2M) communication, Internet of Things (IoT) and Cyber Physical Systems (CPS) to increase competitiveness in different domain areas such as vehicular communication [1] [2], healthcare [3], smart homes [4] [5] and smart grids [6]. IoT technology connects things and smart objects that can sense and monitor the surrounding environment, and process and transmit the collected sensor data. Currently, the number of connected things has reached billions or trillions in the world. Industrial IoT (IIoT) is a subset of IoT, which is used in automated M2M and industrial communications to connect all industrial assets. A CPS integrates internet technology and advanced electronic/mechanic devices so that they can communicate with each other through data exchanges. The CPS uses computer-b...