Is User Consent needed

[FabrizioMoggio]

the IoT-NO API gets as input a list of devices. A general CAMARA rule is that if a Device is used as input of the API, user consent is required. The scenario for this API is anyway related to IoT devices not owned by customers. User consent doesn't apply for this API so I suggest to use 2Legs authentication.

Unless we think that the API can also be used with IoT device owned by specific person.

[FabrizioMoggio]

the IoT Device Management API also consider IoT devices owned by customers but, in their scenario, the API manages just one device while the IoT-NO API is intended for a fleet of IoT devices optimizing the network for all of them.

[FabrizioMoggio]

Discussion in ICM: camaraproject/IdentityAndConsentManagement#299

[FabrizioMoggio]

According to the discussion in ICM, I suggest to focus the IoT NO API to M2M SIM so we can use 2Legs

• the list of MSISDNs, input of the API, must be with a specific profile, such as M2M.
• This must be checked by the Transformation Function, managed by the API with a specific error return code
• this must be well described in the API documentation.

[FabrizioMoggio]

proposal: add this feature in the Sync26 release