A MODULE AND ASSOCIATED METHOD FOR TR-069 OBJECT MANAGEMENT
Field of the Invention
The present invention generally relates to remote management, i.e. Installation, configuration and removal, of application or service software modules - the so called "bundles" - on customer premises equipment (CPE) from a server located anywhere in a network with connectivity to the CPE devices. The server is named the auto configuration server or remote management server throughout this patent application. Examples of CPE or customer devices are a Digital Subscriber Line (DSL) modem, a Set-Top Box (STB), a wireless temriinal such as a mobile telephone, a Personal Digital Assistant (PDA), etc. In the context of the present invention a customer device can also be a device residing in the network whereon remote management services are installed like for instance a DSLAM, a remote unit (RU), a service blade, etc. More particularly, the invention relates to management of a subset of parameters which belong to a particular service or operator.
Background of the Invention
A home network connected to a broadband access network such as a Digital Subscriber Line (xDSL) network typically contains Customer Premises Equipment (CPE). For instance, an xDSL modem is connected on one side to one or more appliances in the home network and on the other side to a node of the xDSL service provider such as a Digital Subscriber Line Access Multiplexer (DSLAM) or other traffic aggregation node in a Central Office. The link between this CPE and the DSLAM is used to transport information, which requires the establishment of a communication session between this CPE and the DSLAM. Establishing a communication session typically involves steps such as synchronization between devices, defining error correction systems, determining transmission speed, etc. To achieve this, the modem needs information related to those steps. For instance, it needs to know which error correction codes are available, which speeds can be used, which encodings are preferred, etc. It is possible to predefine such settings in a CPE by the manufacturer. However, each service provider may use different combinations of settings for his own access network. This means that a manufacturer

would have to produce a CPE for each combination of settings in the CPE which is of course too complex and not feasible.
To overcome that problem, the TR-069 management protocol is used for remote device management. This protocol enables a CPE to be configured from within the service provider network by a remote management server or an Auto-Configuration Server (ACS). Such ACS can provide all the information that is needed by a CPE to establish a communication link between the CPE and the service provider network. The ACS can easily be reconfigured by an operator, and each CPE can be configured if it supports the TR-069 management protocol. This way, each service provider can provide his settings to a CPE of any manufacturer, which is a lot more flexible than preconfigured CPEs.
The TR-069 Management Protocol is based on an Object Model which is stored in
each CPE. The Object Model is made up out of a number of parameters which can
be read or altered by remote procedure calls. These parameters are organized in a
tree-like structure in the Object Model. As a result of the tree model, a parameter can
be addressed explicitly or a subset of parameters can be addressed. Consider the
following example, the root of the tree is called "device", a first subset of parameters
is called "transmission" and within the subset there are two parameters "upstream-
speed" and "downstream-speed". An explicit reference to one of these parameters
would be "device.transmission.upstream-speed" or
"device.transmission.downstream-speed",' However by omitting the last part in the address, all of the parameters in that subset can be addressed via "device.transmission". The ACS can invoke a remote procedure call (RPC) to retrieve the value of one or more parameters using an addressing of that particular parameter or subset as described above. The ACS can also invoke an RPC to alter the value of a parameter or subset of parameters. Furthermore, the ACS is able to invoke RPCs which trigger updates of the software on the CPE, installation or removal of software on the CPE, etc. Thus, the TR-069 management protocol enables an operator to remotely configure and manage a CPE which means that a user can access one or more services with little effort.

The above described automatic configuration works well for a CPE which is used by only a single service provider such as an xDSL modem which is only managed by the service provider of the access network whereto a user belongs. However the TR-069 protocol is also used to remotely manage other CPE which are more service specific or which offer various services. A particular example of this is the Open Service
Gateway initiative (OSGi) service platform, which is a Java-based service platform
I* i
that runs on top of a Java Virtual Machine (JVM) inside the customer device that is remotely managed. Presence of an OSGi service platfomn in the customer device enables remote installation, update and/or removal of bundles, i.e. software modules or components such as for instance a File Transfer Protocol (FTP) application, from an auto configuration server anywhere in the network without disrupting the operation of the customer device. This way, installation of a software application, upgrading the software application to a new version, re-configuring the application, adding or activating new features of the application, and removal of the application from the customer device, is made possible without dispatching a technician to the customer premises and without requiring an intervention by the customer. Thanks to the management platform, the software services or applications running on a single customer device can share their capabilities with each other.
The drawback of a service platform such as OSGi is that the services and applications share everything on the CPE. The entire TR-069 Object Model is available to the services and applications deployed on the CPE and can be retrieved or altered by any of them. As such, each remote management server or ACS is able to modify the TR-069 Object Model and all the parameters stored therein. This means that on a CPE with multiple services running thereon which are related to various service providers, each service provider Is able to modify the services and applications of the other operators. The main drawback is thus that, because the Object Model is a single accessible set of data, service operators are able to gain an advantage over other operators simply by modification of the parameters related to the other operator's services or applications. It is thus obvious that the cun'ent model is not feasible for evolving environments wherein more applications are deployed on a CPE by more and more service providers.

It is an objective of the present invention to avoid malicious use of automatic configuration in a TR-069 Object Model. It is another objective of the present invention to provide a more secure set of parameters for each service provider. It is yet another objective of the present invention to provide such secure parameters automatically.
Summary of the Invention
According to the present invention the drawbacks of the prior art are overcome and the objectives of the present invention are realized by a view selector module for use in management of a TR-069 Object Model, the Object Model comprising a plurality of parameters and the module comprising means for selecting and/or altering one or more of the plurality of parameters based on credentials.
Indeed, by allowing the selection of parameters or the altering of parameters based on credentials, it becomes possible to make only a subset of the TR-069 Object Model available to a particular party such as a service provider, remote management server or ACS. This means that the particular party is only able to retrieve information from specific parameters such as those for applications or bundles installed by that party or parameters available to everyone or all applications or bundles. Similarly, only a number of parameters can be altered by a specific party whereas other parameters cannot be changed for instance because they do not belong to the party, bundle or service. Thus, it becomes impossible for operator A to view and/or modify parameters related to services of operator B. As such, operator A can no longer gain an unfair advantage for his services. over operator B by reducing the capacity or quality of operator B's service.
It is noticed that access control in the Simple Network Management Protocol (SNMP), described in RFC 3415 titled "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", also involves using access credentials to determine whether a party has the right to read, write and/or be notified about a parameter.

Installation of support for the SNMP protocol on a device such as a computer, access point, router, switch, modem, etc. however typically requires human Interaction. An administrator has to ensure that the software is present on the device and that the configuration files are created. One aspect of these configuration files is the access privileges for various users or groups of users to the parameters available on that particular device. Thus, a scenario where SNMP Is used is divided in two parts, one being the installation or configuration of the protocol and support for the protocol by an administrator, the second part being the use of the SNMP protocol to retrieve information and/or modify parameters for a particular device.
Such two-stage scenario is avoided in a TR-069 environment that contains only one part as a consequence of which principles implemented in the SNMP environment cannot be readily transposed to the TR-069 environment without inventive merit. Indeed, the TR-069 protocol is used both to install applications to which the parameters belong and to manage such parameters. As a result, access control can easily be integrated into the installed applications or be determined automatically during the installation or downloading of applications. This means that there is no need for human interaction during the installation of bundles.
Optionally, the view selector module for use in management of a TR-069 Object Model according to the present invention may further comprise means for restricting access based on the credentials to one or more of the following:
- visibility of one or more parameters;
- mutability of one or more parameters; and
- management of one or more parameters.
For some applications it may be beneficial to allow specific access to one or more parameters in the TR-069 Object Model of a CPE. For instance some general configuration parameters which are essential for various applications such as a proxy server address or name resolution server address may be visible to every bundle or service but should only be modified by for instance the Internet service provider. In such case, the credentials of the service provider accessing the parameters can be used to determine their access level to the particular parameter. The above mentioned parameters can have their visibility set in such a way that everyone is able

to see the parameter or retrieve the parameter information and have their mutability set in such a way that only a specific service operator is able to change the values of the parameters. Similarly, the general parameter management may be defined based on credentials as well. For instance a particular service provider may be able to create new parameters in a subset of the Object Model, may be able to delete one or more parameters of such a subset or may even be able to delete an entire subset. Based on the credentials of the service operator, these general parameter management operations may be rejected or performed successfully. In a more specific example, a CPE can be able to verify who requests a particular read, change or management operation on a particular parameter or subset of parameters. The CPE can then determine if the requested operations are allowed or not and make modifications or deliver requested information if needed. Of course, these access restrictions may also apply at a higher level than the parameters or subsets of parameters. The credentials may also be used to change or remove applications or services from a CPE for instance or the access restrictions may also be applied to the remote procedure calls to determine which calls are available to a particular operator.
Optionally, the view selector module for use in management of a TR-069 Object Model according to the present invention may be characterized in that the credentials are one or more of the following:
- Information related to the installer of a bundle whereto one or more of the plurality of parameters are related;
- a manifest file related to a bundle or application whereto one or more of the plurality of parameters are related;
- one or more configuration parameters out of the plurality of parameters; and
- a TR-069 Session View Key;
Credentials of a service operator, which are used to determine the view of the Object Model available to the service operator, can be defined in various ways. A first way is by defining the credentials in relation to the service provider who installed a particular bundle. Such information is already available for each bundle and can be used to detemiine which service provider is able to manage the parameters related to a

particular bundle. It may be used as a default setting meaning that by default a newly installed bundle or service can only be managed by the service provider who installed the bundle or service. Similarly, the manifest file which is used during the installation of a bundle or application may contain additional information relating to access credentials for that particular bundle or application. Access credentials can also be defined in parameters related to a particular bundle or service. Yet another possible way of implementing the credentials is by introducing a TR-069 Session View Key into the TR-069 protocol. Such key can be added to for instance a procedure call by a particular service provider or his remote management server. The protocol can then use this key to identify the service provider and/or configuration server to the bundle, application or CPE which in turn may be able to use the identification to determine the access rights and whether a procedure call is allowed or not.
Of course, these ways of defining credentials can be combined. It may for instance be possible to define a default value based on who installs a bundle by setting parameters or configuring values to the installers identity. A super user for a particular service, application or CPE can then change these settings to add more access rights for other service providers.
Optionally, the view selector module for use in management of a TR-069 Object Model according to the present invention may be adapted to be installed on a Remote Management Server.
A remote management server such as an auto-configuration server (ACS) is used to configure devices remotely. It can be used to configure access to an access network in a CPE or other services made available through the CPE. By incorporating the module into a remote management server, the allowed procedure calls or access to parameters can be defined for each sen/ice provider who uses that remote management server to manage CPE's. This can be useful in scenario's where multiple service providers share a single remote management system, for instance where an ACS is provided to other service operators by the operator of an access network whereto a CPE is connected. It ensures that only valid requests are sent to a CPE to view, alter or manage one or more parameters related to a service or

application. However, tills way may be abused by the owner of the remote management server as he is able to modify credentials for other service providers or give additional access to parameters of other providers.
Optionally, the view selector module for use in management of a TR-069 Object Model according to the present invention may be adapted to be installed on a Customer Premises Equipment (CPE).
By incorporating the view selector module in a CPE, the credentials and related access can be defined independently of a service provider. For instance, the CPE manufacturer may define a default setting, define settings based on requests by users or service providers or even the owners of the CPE may be able to perform credential management on the CPE. If such control is not part of the operator's abilities, there is less chance of malicious use or modification of parameters in a CPE. In addition, it may allow a particular user to tune specific services or parameters to his liking or allow a user to enable modification of particular parameters by other service providers in case they want to give an advantage to a particular service.
Optionally, the view selector module for use in management of a TR-069 Object Model according to the present invention may be integrated into a TR-069 Management Protocol.
The TR-069 Management Protocol is used to communicate between a CPE and a remote management server such as an ACS. This protocol is further also supported by the OSGI platform for Interaction between various applications or services and/or a remote management server or the platform itself. Thus, by incorporating the Object Model view module into the protocol, it can be used in any existing implementation of a TR-069 compatible device by a simple upgrade of the protocol stack. For instance a CPE can be upgraded to link a particular TR-069 Session View Key to a subset of parameters in the TR-069 Object Model and then the TR-069 protocol can be used to communicate the Session View Key which would enable the selection of only particular parameters in the Object Model. Alternatively, the TR-069 protocol may be

adapted to perform certain credential cliecks before remote procedure calls are executed or transported to a CPE or remote management server.
The present invention further relates to a method for use in management of a TR-069 Object Model, the Object Model comprising a plurality of parameters and the method comprising the step of selecting and/or altering one or more of the plurality of parameters based on credentials.
Brief Description of the Drawings
Fig. 1a and 1b illustrate a hierarchical overview of a TR-069 Object Model and
associated rights for various service providers in an embodiment of the present
invention; '
Fig. 2 illustrates an embodiment of the present Invention wherein the View Selection
module is installed on an Automatic Configuration Server (ACS) 201;
Fig. 3 illustrates a software implementation of an OSGi platform 301 which supports
an embodiment of the View Selector Module of the present invention.;
Fig. 4 illustrates a yet another implementation of the View Selector module according
to the present invention wherein the module is incorporated into the TR-069
Management Protocol.
Detailed Description of Embodlment(s)
Fig. la illustrates a hierarchical overview of a TR-069 Object Model 101. This Object Model 101 is made up for a CPE or Device 102 and consists of various subsets of parameters. A first subset of parameters is the Services Subset 103 which contains all the parameters related to the various services supported by the CPE or Device 102. In addition to these parameters, the Object Model 101 also contains a ManagementServer subset 104 which contains parameters related to one or more management servers or ACS. The Services subset 103 is further divided into various groups of parameters or subsets. First, there is subset 105 of the Services subset 103 which consists of parameters or sdbsets related to the OSGi platform and Licensing. Both the parameters or subsets of parameters in 105 and those in the ManagementServer subset 104 are owned by the operator of the access network

whereto the CPE or Device 102 is connected. Further, the Services subset 103 contains a number of subsets, being Services_Name_1 and Services_Name_2, 106 related to the various services owned by Service Provider 1. Similarly there is a subset 107 including Services_Name_3 which is related to the services owned by Service Provider 2 and a subset 108 including Services_Names_N which are related to the sen/ices owned by Service Provider N.
This figure shows the different subsets of parameters on the Device 102 and the respective owners of these subsets. Of course, although they are called subsets in this particular example, one or more of these subsets may actually consist of a single parameter. For instance, what is referred to as ManagementServer subset 104 may be a single parameter in a specific implementation. This figure further illustrates that
making a distinction between the various owners of services may be beneficial to
I?'
avoid abuse of access. For instance, 'if Service Provider 1 could access the parameters in subset 107, he could reduce the perfonnance of Service8_Name_3 and increase the performance of one or more of his own services.
Fig. lb further illustrates access restrictions imposed on various of the above mentioned subsets of parameters. For instance balloon 110 indicates that Service Provider 1 has full access to the parameters under Services_Name_,1 and Services_Name_2. Similarly, balloon 111 indicates that Service Provider 2 has full access to Services_Name_3. Balloon 112 indicates that Service Provider N has full access to Services_Name_N and balloon 113 indicates that Service Provider N Is also able to access parts of Services_Name_1, Services_Name_2 and Services_Name_3. This access may be read-only, modification of the parameters or even full management of some parameters related to any of these services.
The above described figures are meant to illustrate the general concept of the present invention. They show what the effect is of the use of a module according to the present invention in a remote management environment using a TR-069 Management Protocol. The following figures illustrate on a logical level where the module can be located according to the present invention.

Fig. 2 illustrates an embodiment wherein the View Selection module of the present invention Is installed on an Automatic Configuration Server (ACS) 201. The ACS 201 is used to configure CPEs such as CPE 202 over a communication link 203 using the TR-069 Management Protocol. This figure further illustrates two service providers 204 and 205, each with their respective Object Model View 206 and 207. In this particular example, the ACS is aware of the Service Provider who wante to perfomri an action and their access rights. The ACS is then able to present a selection of the Object Model to either Service Operator where the selection Is limited to those parameters or subsets of parameters which are accessible based on the Identity or credentials of the Service Provider.
Fig. 3 illustrates a software implementation of an OSGI platform 301 which supports an embodiment of the View Selector Module of the present invention. The OSGI Platform 301 is running on a Java Virtual Machine 302 which is executed on a CPE. Part of this OSGi platform 301 is the TR-069 Management Agent 303 which is connected to a communication line 304 whereon the TR-069 Management Platform is transported. The Management Agent 305 Is used to manage the OSGi Platform 301 and more in particular the TR-069 aspects of the platform. It is thus in charge of managing TR-069 communication with the OSGi Platform 301 and can pass procedure calls through the view selector 305. View Selector 305 can then determine which of the bundles 306 or 307 are available to a particular service provider and perform the procedure calls on the parameters related to these bundles. Thus, no access is given to parameters related to bundles which are owned by other service providers.
Fig. 4 illustrates yet another implementation wherein an ACS 401 is connected to a CPE 402 over a communication link 403 whereon the TR-069 Management Protocol is used by the ACS 401 to manage CPE 402. However, In this particular embodiment the TR-069 Management Protocol is extended with a TR-069 Session View Key which is used in each procedure call or access to a parameter. The CPE 402 can then use the Session View Key before any access to a particular parameter is granted or before any changes to the parameters are accepted or made.

Although the present invention has been illustrated by reference to specific embodiments, it will be apparent to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied with various changes and modifications without departing from the spirit and scope thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. In other words, it is contemplated to cover any and all modifications, variations or equivalents that fall within the spirit and scope of the basic underlying principles and whose essential attributes are claimed in this patent application. It will furthermore be understood by the reader of this patent application that the words "comprising" or "comprise" do not exclude other elements or steps, that the words "a" or "an" do not exclude a plurality, and that a single element, such as a computer system, a processor, or another integrated unit may fulfil the functions of several means recited in the claims. Any reference signs in the claims shall not be construed as limiting the respective claims concerned. The terms "first", "second", third", and the like, when used in the description or in the claims are introduced to distinguish between similar elements or steps and are not necessarily describing a sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and embodiments of the invention are capable of operating according to the present invention in other sequences, or in orientations different from the one(s) described or illustrated above.

CLAIMS
1. A view selector module (305) for use In management of a TR-069 Object Model (101), said Object Model (101) comprising a plurality of parameters (102 ... 108), characterized in that said module (305) comprises means for selecting and/or altering one or more of said plurality of parameters (102 ... 108) based on credentials.
2. The view selector module (305) for use In management of a TR-069 Object Model (101) according to claim 1, characterized in that said module (305) further comprises means for restricting access based on said credentials to one or more of the following:

- visibility of one or more parameters out of said plurality of parameters (102 ... 108);
- mutability of one or more parameters out of said plurality of parameters (102... 108); and
- management of one or more parameters out of said plurality of parameters (102... 108).
3. The view selector module (305) for use In management of a TR-069 Object Model
(101) according to claim 1, characterized in that said credentials are one or more of
the following:
- information related to the Installer of a bundle whereto one or more of said plurality of parameters are related;
- a manifest file related to a bundle or application whereto one or more of said plurality of parameters are related;
- one or more configuration parameters out of said plurality of parameters; and
- a TR-069 Session View Key (404).
4. The view selector module (305) for use in management of a TR-069 Object Model
(101) according to claim 1, characterized In that said module (305) Is adapted to be
installed on a Remote Management Server (201; 401).

5. The view selector module (305) for use in management of a TR-069 Object Model (101) according to claim 1, characterized in that said module (305) is adapted to be installed on a Customer Premises Equipment (CPE).
6. The view selector module (305) for use in management of a TR-069 Object Model (101) according to claim 1, characterized in that said module (305) Is adapted to be integrated into the TR-G69 Management Protocol.
7. A method for use in management of a TR-069 Object Model (101), said Object Model (101) comprising a plurality of parameters (102 ... 108),
characterized in that said method comprises the step of selecting and/or altering one or more of said plurality of parameters (102 ... 108) based on credentials.