Open Command and Control (OpenC2) was designed to facilitate the orchestration of heterogeneous cyber-defense technologies through a vendor-agnostic language. However, while the standard integrates secure transfer protocols, it lacks a common prescriptive mechanism for Identity and Access Management (IAM). This leaves a significant architectural gap that jeopardizes the applicability of Managed Security Services (MSS), where cross-domain delegation is a critical issue. This paper addresses this gap by proposing a robust IAM framework based on OAuth2. Our work addresses the ‘impedance mismatch’ between the browser-centric approach of OAuth2 and automated, non-interactive OpenC2 controllers. To this end, we introduce a novel Headless User Agent component that manages user credentials without requiring human interaction via a browser or other tools. Additionally, we integrate fine-grained access control for the execution of OpenC2 commands, which implements the basic security principle of least privilege. The overall solution is implemented as a modular extension of the otupy OpenC2 library and supports both the HTTP and MQTT transfer bindings. Experimental validation demonstrates the functional correctness of the identity management and access control layers, while performance analysis quantifies the overhead introduced by per-request token introspection at approximately 14.5 ms, confirming the approach's viability for real-time operational environments.
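The abstract describes a consumer that, on every incoming OpenC2 command, introspects the controller's OAuth2 access token and then checks that the token's scopes permit that specific action on that specific target type. The following is an added illustration of that enforcement path, written for this page; it is not the paper's implementation and does not use the otupy API. The introspection response format follows RFC 7662, and the OpenC2 response status codes (200, 400, 401, 403) are those defined by the OpenC2 Language Specification. Everything else is an assumption: the `openc2:<action>:<target type>` scope naming scheme, the token strings, the `msp-controller-1` client id, and the in-memory introspection table that stands in for the authorization server's endpoint.

```python
import json
import time

# Constructed RFC 7662-style introspection responses, keyed by bearer
# token. In a deployment these come from the authorization server's
# introspection endpoint (one HTTPS round trip per OpenC2 request,
# which is the per-request cost the abstract measures).
_INTROSPECTION_DB = {
    "tok-soc-analyst": {
        "active": True,
        "client_id": "msp-controller-1",                    # assumed name
        "scope": "openc2:query:features openc2:deny:ipv4_net",
        "exp": 4102444800,                                  # 2100-01-01 UTC
    },
    "tok-expired": {"active": True, "scope": "openc2:deny:ipv4_net", "exp": 1},
    "tok-revoked": {"active": False},
}


def introspect(token: str) -> dict:
    """Stand-in for POST /introspect. Unknown tokens are reported as
    inactive and nothing else, mirroring RFC 7662's rule that an
    inactive response carries no further detail."""
    return _INTROSPECTION_DB.get(token, {"active": False})


def required_scope(command: dict) -> str:
    """Map an OpenC2 command to the scope that grants it.
    Assumed scheme: openc2:<action>:<target type>."""
    target = command["target"]
    if not isinstance(target, dict) or len(target) != 1:
        raise ValueError("an OpenC2 target is a map with exactly one key")
    (target_type,) = target.keys()
    return f"openc2:{command['action']}:{target_type}"


def authorize(token: str, command: dict, now=None):
    """Return (allowed, reason). Fails closed on any missing claim."""
    now = time.time() if now is None else now
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive or unknown"
    exp = info.get("exp")
    if exp is not None and exp <= now:
        return False, "token expired"
    need = required_scope(command)
    if need not in set(info.get("scope", "").split()):
        return False, f"missing scope {need}"
    return True, f"granted by scope {need}"


def handle_request(token: str, body: str) -> dict:
    """Consumer-side entry point: parse the OpenC2 command, enforce the
    token, and return an OpenC2-style response map."""
    command = json.loads(body)
    try:
        allowed, reason = authorize(token, command)
    except ValueError as err:
        return {"status": 400, "status_text": str(err)}
    if not allowed:
        # Identity problems are 401; a valid identity without the
        # right scope is 403, so the controller can tell them apart.
        status = 401 if reason.startswith("token") else 403
        return {"status": status, "status_text": reason}
    # The actuator would execute the command here; this example only
    # reports what was authorized.
    return {"status": 200, "status_text": f"executed {command['action']}: {reason}"}


if __name__ == "__main__":
    cmd = '{"action": "deny", "target": {"ipv4_net": "198.51.100.0/24"}}'
    for tok in ("tok-soc-analyst", "tok-expired", "tok-revoked", "tok-unknown"):
        print(tok, handle_request(tok, cmd))
```

Two design points carry over from the abstract. First, binding the scope to both the action and the target type is what makes the least-privilege claim concrete: the same token can `query features` and `deny ipv4_net` but cannot `allow ipv4_net`, so a compromised controller in one customer domain cannot widen its own reach. Second, the introspection round trip is paid on every command; a deployment that cannot afford the measured overhead can cache the introspection result for a short TTL, but that trades revocation latency for speed and should be a deliberate choice rather than a default.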
Homogeneous Control of Security Functions via Cross-Domain Delegation / Poidomani, Nicola; Canavese, Daniele; Bringhenti, Daniele; Valenza, Fulvio; Repetto, Matteo. - ELECTRONIC. - (In press). (41st IFIP TC11 Information Security & Privacy Conference, Perth (AU), 09-11 June 2026).
Homogeneous Control of Security Functions via Cross-Domain Delegation
Daniele Bringhenti; Fulvio Valenza
In press
Abstract
| File | Size | Format | |
|---|---|---|---|
| IFIPSEC2026_Accepted_Manuscript.pdf (restricted access; Type: 2. Post-print / Author's Accepted Manuscript; License: Not public - private/restricted access) | 531.27 kB | Adobe PDF | View/Open, Request a copy |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/3008033
