Access control in the Internet of Things: a survey of existing approaches and open research questions


The Internet of Things operates in a personal-data-rich sector, which makes security and privacy an increasing concern for consumers. Access control is thus a vital issue to ensure trust in the IoT. Several access control models are today available, each of them coming with various features, making them more or less suitable for the IoT. This article provides a comprehensive survey of these different models, focused both on access control models (e.g., DAC, MAC, RBAC, ABAC) and on access control architectures and protocols (e.g., SAML and XACML, OAuth 2.0, ACE, UMA, LMW2M, AllJoyn). The suitability of each model or framework for IoT is discussed. In conclusion, we provide future directions for research on access control for the IoT: scalability, heterogeneity, openness and flexibility, identity of objects, personal data handling, dynamic access control policies, and usable security.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8


  1. 1.

    Shang C, Zhou MC, Chen C (Mar. 2014) Cellphone data and applications. Int J Intell Control Syst 19(1):35–45

    Google Scholar 

  2. 2.

    TRUSTe (2015) Majority of consumers want to own the personal data collected from their smart devices, availabile online: Accessed 28 Feb 2019

  3. 3.

    Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) "An introduction to privacy engineering and risk management in federal systems," National Institute of Standards and Technology Internal Report 8062

  4. 4.

    Hugo Teufel III CPO (2008) Fair Information Practice Principles: framework for privacy, Privacy Policy Guidance Memorandum

  5. 5.

    International Organization for Standardization (ISO), ISO/IEC 29100 (2011) Information technology, security techniques, privacy framework, Dec. 2011

  6. 6.

    Cavoukian A (2012) Privacy by Design and the emerging personal data ecosystem, accessible online: Accessed 28 Feb 2019

  7. 7.

    General Data Protection Regulation (GDPR) (2018) General data protection regulation (GDPR) [online]. Available at: Accessed 28 Feb 2019

  8. 8.

    Cerf VG (2015) Access control and the Internet of Things. IEEE Internet Comput 19(5):96

    Article  Google Scholar 

  9. 9.

    Sicari S, Rizzardi A, Grieco LA, Coen-Porisini A (2015) Security privacy and trust in Internet of Things: the road ahead. Comput Netw 76:146–164

    Article  Google Scholar 

  10. 10.

    Fagin R (1978) On an authorization mechanism. ACM Trans Database Syst 3, 3(September 1978):310–319

    Article  Google Scholar 

  11. 11.

    Abadi M, Burrows M, Lampson B, Gordon P (1993) A calculus for access control in distributed systems. ACM Trans Program Lang Syst 15, 4(September 1993):706–734

    Article  Google Scholar 

  12. 12.

    Gusmeroli S, Piccione S, Rotondi D (2013) A capability-based security approach to manage access control in the Internet of Things. Math Comput Model 58(5):1189–1205

    Article  Google Scholar 

  13. 13.

    Cirani S, Davoli L, Ferrari G, Léone R, Medagliani P, Picone M, Veltri L (2014) A scalable and self-configuring architecture for service discovery in the Internet of Things. IEEE Internet Things J 1(5):508–521

    Article  Google Scholar 

  14. 14.

    Roman R, Zhou J, Lopez J (2013) On the features and challenges of security and privacy in distributed Internet of Things. Comput Netw 57(10):2266–2279

    Article  Google Scholar 

  15. 15.

    Tschofenig H, Arkko J, Thaler D, McPherson DR (2015) Architectural considerations in smart object networking. In: RFC 7452, IETF

    Google Scholar 

  16. 16.

    Ouaddah A, Mousannif H, Abou El Kalam A, Ouahman AAIT (2017) Access control in the Internet of Things: big challenges and new opportunities. Comput Netw 112:237–262

  17. 17.

    Bui DT, Douville R, Boussard M (2016) "Supporting multicast and broadcast traffic for groups of connected devices," 2016 IEEE NetSoft Conference and Workshops (NetSoft), Seoul, 2016, pp. 48–52

  18. 18.

    Bell DE, La Padula LJ (1975) Secure computer system: unified exposition and Multics interpretation. In: Technical report, Technical Report MTIS AD-A023588. MITRE Corporation, McLean

    Google Scholar 

  19. 19.

    Denning DE (1976) A lattice model of secure information flow. Commun ACM 19(2):236–243

    MathSciNet  Article  MATH  Google Scholar 

  20. 20.

    Sandhu RS, Samarati P (1994) Access control: principle and practice. IEEE Commun Mag 32(9):40–48

    Article  Google Scholar 

  21. 21.

    Sandhu RS (1998) Role-based access control. Adv Comput 46:237–286

    Article  Google Scholar 

  22. 22.

    Samarati P, Di Vimercati SDC (2001) Access control: policies, models, and mechanisms. Found Secur Anal Des 2171:137–196

    Article  MATH  Google Scholar 

  23. 23.

    Kalam A, Baida R, Balbiani P, Benferhat S, Cuppens F, Deswarte Y, Miege A, Saurel C, Trouessin G (2003) Organization based access control. In: Proc. POLICY 2003. IEEE 4th Int. Work. Policies Distrib. Syst. Networks, IEEE Comput. Soc, pp 120–131

    Google Scholar 

  24. 24.

    Zhang G, Tian J (2010) An extended role based access control model for the Internet of Things, 2010 International Conference on Information, Networking and Automation (ICINA), 1, IEEE, pp. V1–319

  25. 25.

    Jindou J, Xiaofeng Q, Cheng C (2012) Access control method for Web of Things based on role and SNS, in: 2012 IEEE 12th Int. Conf. Comput. Inf. Technol.,IEEE, pp. 316–321

  26. 26.

    Barka E, Mathew SS, Atif Y (2015) Securing the Web of Things with role-based access control. Springer International Publishing, New York City, pp 14–26

    Google Scholar 

  27. 27.

    Liu J, Xiao Y, Chen CP (2012) Authentication and access control in the Internet of Things, in: 2012 32nd Int. Conf. Distrib. Comput. Syst. Work., IEEE, pp. 588–592

  28. 28.

    I. Bouij - Pasquier, A. Ait Ouahman, A. Abou El Kalam and M. Ouabiba de Montfort, SmartOrBAC security and privacy in the Internet of Things, 2015 IEEE/ACS 12th International Conference of Computer Systems and Applications (AICCSA), Marrakech, 2015, pp. 1–8

    Google Scholar 

  29. 29.

    E. Yuan, J. Tong, Attributed based access control (ABAC) for Web services, in: IEEE Int. Conf Web Serv, IEEE, 2005

    Google Scholar 

  30. 30.

    Ye N, Zhu Y, Wang R-C, Malekian R, Qiao-min L (2014) An efficient authentication and access control scheme for perception layer of Internet of Things. Appl Math Inf Sci An Int J 1624(4):1617–1624

    Article  Google Scholar 

  31. 31.

    Hemdi M, Deters R (2016) Using REST-based protocol to enable ABAC within IoT systems. In: 2016 IEEE 7th Annual Information Technology. Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, pp 1–7

    Google Scholar 

  32. 32.

    Sciancalepore S et al (2017) Attribute-based access control scheme in federated IoT platforms. In: Podnar Žarko I, Broering A, Soursos S, Serrano M (eds) Interoperability and open-source solutions for the Internet of Things. InterOSS-IoT 2016. Lecture Notes in Computer Science, vol 10218. Springer, Cham

    Google Scholar 

  33. 33.

    Ouechtati H, Ben Azzouna N, Ben Said L (2018) "Towards a self-adaptive access control middleware for the Internet of Things," 2018 International Conference on Information Networking (ICOIN), Chiang Mai, Thailand, pp 545–550

    Google Scholar 

  34. 34.

    Hussein D, Bertin E, Frey V (2017) "Access control in IoT: from requirements to a candidate vision," 2017 20th Conference on Innovations in Clouds. Internet and Networks (ICIN), Paris, pp 328–330

    Google Scholar 

  35. 35.

    Salama U, Yao L, Wang X, Paik HY, Beheshti A (2017) "Multi-level privacy-preserving access control as a service for personal healthcare monitoring," 2017 IEEE International Conference on Web Services (ICWS), Honolulu, HI, pp 878–881

    Google Scholar 

  36. 36.

    Sandhu R (1992) The typed access matrix model. In: Proc. 1992 IEEE Comput. Soc. Symp. Res. Secur. Priv., IEEE Comput. Soc. Press, pp 122–136

    Google Scholar 

  37. 37.

    Lampson B (1974) Protection, ACM SIGOPS. Oper Syst Rev 8:18–24

    Article  Google Scholar 

  38. 38.

    Oh SW, Kim HS (2014) Decentralized access permission control using resource-oriented architecture for the Web of Things, 16th International Conference on Advanced Communication Technology, Pyeongchang, pp 749–753

    Google Scholar 

  39. 39.

    Dennis JB, Van Horn EC (1966) Programming semantics for multiprogrammed computations. Commun ACM 9(3):143–155

    Article  MATH  Google Scholar 

  40. 40.

    Anggorojati B, Prasad NR, Prasad R (2012) Capability-based access control delegation model on the federated IoT network, 2012 15th Int’l. Symp. Wireless Personal Multimedia Commun, pp 604–608

    Google Scholar 

  41. 41.

    Mahalle P (2013) Identity authentication and capability-based access control (IACAC) for the Internet of Things. J Cyber Secur Mobility 1:309–348

    Google Scholar 

  42. 42.

    Hernández-Ramos JL et al (2013) Distributed capability-based access control for the Internet of Things. J Internet Serv Info Secur 3(3/4):1–16

    Google Scholar 

  43. 43.

    Hernández-Ramos JL, Jara AJ, Marín L, Gómez AFS (2016) DCapBac: embedding authorization logic into smart things through ECC optimizations. Int J Comput Math 93(2):345–366.

  44. 44.

    Gusmeroli S, Piccione S, Rotondi D (2012) IoT access control issues: a capability-based approach, 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, Palermo, pp. 787–792

  45. 45.

    Lynch L (2011) Inside the identity management game. IEEE Internet Comput 15(5):78–82

    Article  Google Scholar 

  46. 46.

    Beltran V, Bertin E, Crespi N (2014) User identity for WebRTC services: a matter of trust. IEEE Internet Comput 18(6):18–25

    Article  Google Scholar 

  47. 47.

    Hussein D, Han SN, Lee GM, Crespi N, Bertin E (2017) Towards a dynamic discovery of smart services in the social Internet of Things. Comput Electr Eng 58, C(February 2017):429–443

    Article  Google Scholar 

  48. 48.

    Armando A, Carbone R, Compagna L, Cuellar J, Tobarra L (2008) Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google apps. In: Proceedings of the 6th ACM workshop on Formal methods in security engineering. ACM, New York City, pp 1–10

    Google Scholar 

  49. 49.

    Hardt D (2012) The OAuth 2.0 authorization framework, IETF RFC 6749, Oct. 2012, IETF. [online] Accessed 28 Feb 2019

  50. 50.

    Home - WG – User-Managed Access - Kantara Initiative, [online] Available at Accessed 28 Feb 2019

  51. 51.

    Zhang G, Liu J (2011) A model of workflow-oriented attributed based access control. Int J Comput Netw Inf Secur 1(February):47–53

    Google Scholar 

  52. 52.

    Hughes J, Maler E (2005) Security Assertion Markup Language (SAML) v2.0 technical overview. OASIS SSTC Working Group, Clovis

    Google Scholar 

  53. 53.

    Hughes J, Cantor S, Hodges J, Hirsch F, Mishra P, Philpott R, Maler E (2005) Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, Burlington

    Google Scholar 

  54. 54.

    Moses T (2005) eXtensible Access Control Markup Language (XACML), version 2.0. OASIS Standard, Burlington

    Google Scholar 

  55. 55.

    Zhang G, Liu J (2012) The study of access control for service-oriented computing in Internet of Things. Int J Wireless Microwave Technol (IJWMT) 2(3):62–68

    Article  Google Scholar 

  56. 56.

    Seitz L, Selander G, Gehrmann C (2013) Authorization framework for the Internet of Things, 2013 IEEE 14th International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), Madrid, pp. 1–6

  57. 57.

    Hussein D, Bertin E, Frey V (March 2017) A community-driven access control approach in distributed IoT environments. IEEE Commun Mag 55(3):146–153

    Article  Google Scholar 

  58. 58.

    Jones M, Hildebrand J (2015) JSON Web Encryption (JWE). RFC 7516, IETF, available at Accessed 28 Feb 2019

  59. 59.

    Hammer-Lahav E (2010) The OAuth 1.0 protocol. RFC 5849, IETF, available at Accessed 28 Feb 2019

  60. 60.

    Leiba B (2012) OAuth web authorization protocol. IEEE Internet Comput 16(1):74–77

    Article  Google Scholar 

  61. 61.

    Fremantle P, Aziz B, Kopecký J, Scott P (2014) Federated identity and access management for the Internet of Things, 2014 International Workshop on Secure Internet of Things, Wroclaw, pp 10–17

  62. 62.

    Denniss W, Bradley J, Jones M, Tschofenig H OAuth 2.0 device flow for browserless and input constrained devices, Internet-draft, IETF, draft-ietf-oauth-device-flow-09

  63. 63.

    Seitz L, Gerdes S, Selander G, Mani M, Kumar S (2016) Use cases for authentication and authorization in constrained environments, RFC 7744, January 2016, IETF

  64. 64.

    Jones M, Wahlstroem E, Erdtman S, Tschofenig H (2018) CBOR Web Token (CWT), RFC 8392, May 2018. IETF, Fremont

    Google Scholar 

  65. 65.

    Beltran V, Skarmeta AF (2016) An overview on delegated authorization for CoAP: authentication and authorization for constrained environments (ACE). In: 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), pp 706–710

    Google Scholar 

  66. 66.

    Su X et al (2016) Privacy as a service: protecting the individual in healthcare data processing. In: Computer, vol. 49, no. 11, pp 49–59

    Google Scholar 

  67. 67.

    OMA (2017) Lightweight machine to machine requirements, Candidate Version 1.1 – 08 Dec 2017, Open Mobile Alliance

  68. 68.

    Costa D, Mingozzi E, Tanganelli G, Vallati C (2016) An AllJoyn to CoAP bridge, 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), Reston, VA, pp. 395–400

  69. 69.

    Fernandes E, Rahmati A, Jung J, Prakash A (2017) Security implications of permission models in smart-home application frameworks. IEEE Secur Priv 15(2):24–30

    Article  Google Scholar 

  70. 70.

    Zorzi M, Gluhak A, Lange S, Bassi A (2010) From today’s INTRAnet of things to a future INTERnet of things: a wireless- and mobility-related view. IEEE Wirel Commun 17(6):44–51

    Article  Google Scholar 

  71. 71.

    Dillet R (2017) Netatmo is trying really hard to make the smart home happen. January 3, 2017, Techcrunch. Available at: Accessed 28 Feb 2019

  72. 72.

    Bertin E, Crespi N (2009) Service business processes for the next generation of services: a required step to achieve service convergence. Ann Telecommun 64(3–4):187–196

    Article  Google Scholar 

  73. 73.

    Sloan RH, Warner R (2014) Beyond notice and choice: privacy, norms, and consent. Suffolk Univ J High Technol 14(2):370–412

    Google Scholar 

  74. 74.

    Rastogi V, Welbourne E, Khoussainova N, Kriplean T, Balazinska M, Borriello G, Kohno T, Suciu D (2007) “Expressing privacy policies using authorisation views,” in Proc. of the 5th International Workshop on Privacy in UbiComp (UbiPriv’07)

  75. 75.

    Kolias C, Kambourakis G, Stavrou A, Voas J (2017) DDoS in the IoT: Mirai and other botnets. IEEE Comput 50(7):80–84

    Article  Google Scholar 

  76. 76.

    Kovacs E (2016) Hosting provider OVH hit by 1 Tbps DDoS attack. Retrieved from Accessed 28 Feb 2019

  77. 77.

    Tian Y, Zhang N, Lin Y-H, Wang XF, Ur B, Guo XZ, Tague P (2017) SmartAuth: user-centered authorization for the Internet of Things. In: USENIX security conference

    Google Scholar 

Download references

Author information



Corresponding author

Correspondence to Emmanuel Bertin.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Bertin, E., Hussein, D., Sengul, C. et al. Access control in the Internet of Things: a survey of existing approaches and open research questions. Ann. Telecommun. 74, 375–388 (2019).

Download citation


  • Access control (AC)
  • Internet of Things (IoT)
  • Identity management
  • Security