Subscriber Authorization

MATRIXX Engine supports service authorization and cut-offs to ensure subscriber usage is valid and revenue loss does not occur.

Authorization is the process of verifying that the subscriber's balance has the amount required to allow usage.

The Charging Server authorizes mobile devices using IMSI (International Mobile Subscriber Identity) and MSISDN, and login devices using NAI, SIP_URI, and PrivateId. For login devices, you must configure selective updates to map NAI, SIP_URI, and PrivateId values to the LoginId or AccessId in MtxDiamSubscriberMsg. During MATRIXX Engine configuration, you can specify whether a device is located by its Imsi or AccessNumber (MSISDN) for mobile devices and by its LoginId or AccessId for login devices. For more information, see the discussion about selective updates for login devices in Subscriber Management.

When a subscriber accesses a service and the network application providing the service sends an authorization request, the device IMSI, MSISDN, login ID, or access ID is compared to those stored with the subscriber in the MATRIXX database. If the values match, a session is created and the Session ID is returned to the network, informing the requesting application that the subscriber is authorized. If the field values do not match, a session is not created and instead MATRIXX Engine returns a denial in the response to the network application.

For example, services that use the Diameter protocol have a Diameter Client that sends a CCR (Credit-Control-Request) packet to the Diameter Gateway so service usage requests can be processed. When a device is used to access a data service, the packet is converted in MATRIXX Engine into an MDC (MATRIXX data container), and one of the Imsi, AccessNumber, LoginId, or AccessId field values is used to look up the subscriber. If the value matches the value stored in the Subscriber database, a new session object is created, and the approval and Session-Id value are added to the response message and sent to the Diameter Client. At this point, the authorization request is sent by the Diameter Client to the Diameter Gateway, which uses the Session-Id value to look up the subscriber and to identify the service type requested for usage. It then verifies that the balances valid for usage contain the minimum amount required to authorize the usage. The amount to authorize is received from the network. If authorization is allowed, the approval and authorized amount are included in the response message to the Diameter Client.

Important: MATRIXX Engine does not perform subscriber authentication. Authentication of subscriber credentials must be processed independently of MATRIXX Engine.

During authorization, the following operations are performed:
  • The service type being requested is determined.
  • The subscriber requesting the service usage is determined. If the device or subscriber is suspended or inactive, no usage quantity is authorized.
  • If any beats are defined, the authorized amount is rounded up to the integral number of beats.
  • With session-based credit control, the network client sends a series of messages that reserve a balance quantity before delivering service and then reports the amount of service to be charged against that reservation. In such cases, MATRIXX Charging Application checks the subscriber's balance amount to make sure it is large enough to handle the authorized usage amount. If so, the amount is reserved and an approval message is returned to the requesting network application. If not, the transaction is rejected and a message is sent back to the network to disallow usage. This form of credit authorization requires the session state to be maintained. For more information about balance reservations, see the discussion about balance reservations and session management in Pricing and Rating.
    Note: The auth_full_request rating option, which is applied on a per-MSCC basis, indicates whether rating can partially succeed or whether the total requested balance quantity must be available to authorize usage. When set to true and the full requested quantity is not available, MATRIXX Charging Application rejects the authorization and returns a CREDIT_LIMIT_REACHED in the CCA message so the network application can disallow usage. For example, if the authorization request is for 1MB and a data balance is only 800KB, 0 bytes is authorized. If the auth_full_request option is set to false, the partial amount (800KB) is authorized. This rating option is part of the service type configuration. If it is disabled (the default), MATRIXX Charging Application reserves a balance amount and reports that credit is available.
  • With one-time event rating, a single transaction is created where MATRIXX Charging Application deducts a specific amount from the subscriber's balance immediately after completing the credit authorization. After receiving the authorization, the network client delivers services. This form of credit authorization is a one-time event in which no session state is maintained. The usage is only authorized when the entire amount can be charged.

Pricing administrators can also configure a minimum authorization amount (min_auth) for a service type as part of pricing configuration. This amount dictates the minimum usage amount for the session to be authorized. For an authorization request, if the amount authorized is less than the minimum authorization amount configured for the service type, no amount is authorized. In such cases, a session is not created and an amount is not reserved from the balance. An authorized quantity of 0 (zero) is sent back in the network response. For a re-authorization request, if the incremental new amount authorized is less than the minimum defined for the service type, no additional amount is authorized. In such cases, neither the session nor the reserved balance amount is updated and an authorized quantity of 0 (zero) is sent back in the network response. The balance updates in the EDR do not include any amount for authorizations that are less than the minimum. If there is no balance amount available, a denial message is returned to the network.
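
The auth_full_request and min_auth rules described above can be checked against a small model, added here as an example and not MATRIXX code. The names authorize, ServiceType and AuthResult, the outcome labels other than CREDIT_LIMIT_REACHED, and the order in which the checks run are assumptions; beats are left out of the model.

```python
from dataclasses import dataclass

KB, MB = 1_000, 1_000_000  # constructed units for the sample values


@dataclass
class ServiceType:
    auth_full_request: bool = False  # disabled is the default per the page
    min_auth: int = 0                # minimum authorization amount


@dataclass
class AuthResult:
    granted: int         # quantity sent back in the network response
    reserved_total: int  # reservation held by the session afterwards
    outcome: str         # label; only CREDIT_LIMIT_REACHED is from the page


def authorize(requested, available, svc, active=True, already_reserved=0):
    """Model one authorization (already_reserved=0) or re-authorization.

    requested is the incremental quantity asked for and available is the
    unreserved balance. Beats are ignored in this model.
    """
    # Suspended or inactive device/subscriber: no quantity is authorized.
    if not active:
        return AuthResult(0, already_reserved, "NOT_AUTHORIZED")
    # No balance amount available: denial.
    if available <= 0:
        return AuthResult(0, already_reserved, "DENIED")
    grant = min(requested, available)
    # auth_full_request=true: the full requested quantity or nothing.
    if grant < requested and svc.auth_full_request:
        return AuthResult(0, already_reserved, "CREDIT_LIMIT_REACHED")
    # min_auth: a grant below the minimum authorizes nothing and leaves
    # the session and the existing reservation untouched.
    if grant < svc.min_auth:
        return AuthResult(0, already_reserved, "BELOW_MIN_AUTH")
    return AuthResult(grant, already_reserved + grant, "APPROVED")


if __name__ == "__main__":
    # The page's case: a 1MB request against an 800KB balance.
    for svc in (ServiceType(auth_full_request=True), ServiceType(),
                ServiceType(min_auth=900 * KB)):
        print(svc, authorize(1 * MB, 800 * KB, svc))
    # Re-authorization whose incremental grant falls below min_auth.
    print(authorize(300 * KB, 100 * KB, ServiceType(min_auth=200 * KB),
                    already_reserved=500 * KB))
```

Running the same request against each service type setting shows where an authorized quantity of 0 comes from: the all-or-nothing option, the minimum authorization amount, or an empty balance.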

Sessions that are pre-rated, and those that update balances that do not have associated credit limits, are not required by the MATRIXX Charging Application to have authorizations; however, the network application should require them to prevent subscribers from usage they cannot pay for. For meters that do not have credit limits, usage is calculated throughout the duration of the session without reserving an amount from the balance.

When authorizing or re-authorizing against an on-demand periodic balance, any future periods that must be created to handle the authorized quantity are created in a pending state. When there is actual reported usage, the period is changed to a created state and its time period is set according to the time of the usage that actually charges it. If the actual used amount did not require the period to be created during authorization, it is reset to an "un-created" state so usage cannot occur against it.

For information about configuring the auth_full_request option, which is part of a service type definition, see Pricing and Rating.