diff --git a/LibOneM2M/OneM2M_Functions.ttcn b/LibOneM2M/OneM2M_Functions.ttcn
index 911de385850c66a072e4ae3e110b2d80f0a52c67..f142472958a71e0da9d90aaf9e7674bec23bf18f 100644
--- a/LibOneM2M/OneM2M_Functions.ttcn
+++ b/LibOneM2M/OneM2M_Functions.ttcn
@@ -1754,17 +1754,19 @@ module OneM2M_Functions {
 			}// end f_cse_retrieveResource	
 			
 			/**
-			 * @desc Message exchange for the retrieval of a resource protected by role based access control
+			 * @desc Message exchange for the retrieval of a resource protected by role/token based access control
 			 * @param p_resourceIndex Resource index of the resource to be retrieved
-			 * @param p_roleId Applicable Role ID for the originator
+			 * @param p_roleResourceID Applicable Role ID for the originator
+			 * @param p_tokenResourceID Applicable Token ID for the originator
 			 * @return PrimitiveContent parameter of the RETRIEVE response
 			 * @verdict 
 			 */
-			function f_cse_retrieveResourceWithRole(integer p_resourceIndex, XSD.ID p_roleResourceID) runs on AeSimu return PrimitiveContent{
+			function f_cse_retrieveResourceWithRoleToken(integer p_resourceIndex, XSD.ID p_roleResourceID, XSD.ID p_tokenResourceID) runs on AeSimu return PrimitiveContent{
 
 				var RequestPrimitive v_retrieveRequest;
 				v_retrieveRequest := m_retrieve(f_getResourceAddress(p_resourceIndex), f_getOriginator(p_resourceIndex));
-				v_retrieveRequest.roleIDs := {p_roleResourceID};
+				if (p_roleResourceID!= null) {v_retrieveRequest.roleIDs := {p_roleResourceID};}
+				if (p_tokenResourceID!= null) {v_retrieveRequest.tokenIDs := {p_tokenResourceID};}
 				f_send(e_mca_port, m_request(v_retrieveRequest));
 				
 				tc_ac.start;
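Review bot: The new guards `if (p_roleResourceID!= null)` and `if (p_tokenResourceID!= null)` compare an `XSD.ID` with `null`, which in TTCN-3 is a value for component and default references rather than for string types, so they will likely be rejected by the compiler or not work as an "absent" check. If the two IDs are meant to be optional, one option is to declare them as `in template (omit) XSD.ID p_roleResourceID` and guard with `if (ispresent(p_roleResourceID))`, passing `omit` instead of `null` at the call sites in OneM2M_Testcases_CSE_Release_3.ttcn. When both arguments are absent the RETRIEVE is sent with neither `roleIDs` nor `tokenIDs`, so an access-control test could run without any credential and give a misleading verdict; a `log` or `setverdict(inconc, ...)` for that case would make it visible. The function body continues past the end of this hunk.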
diff --git a/OneM2M_Testcases_CSE_Release_3.ttcn b/OneM2M_Testcases_CSE_Release_3.ttcn
index 2982752491092ba55144ecfda8e004af679e3f1a..5f6a24866023defc02764ca0c42231b6e3bb323d 100644
--- a/OneM2M_Testcases_CSE_Release_3.ttcn
+++ b/OneM2M_Testcases_CSE_Release_3.ttcn
@@ -7715,7 +7715,7 @@ module OneM2M_Testcases_CSE_Release_3 {
 						v_roleResourceID := fx_assign_originatorRole(); // external function, may require additional paremeters
 
 						//Test Body
-						vc_ae1.start(f_cse_retrieveResourceWithRole(v_resourceIndex, v_roleResourceID)); 
+						vc_ae1.start(f_cse_retrieveResourceWithRoleToken(v_resourceIndex, v_roleResourceID, null)); 
 											
 						tc_ac.start;
 						alt{
@@ -7741,7 +7741,74 @@ module OneM2M_Testcases_CSE_Release_3 {
 						// Tear down
 						f_cf02DownCseSimuMaster();
 						
-					} // end f_CSE_SEC_ROL_RET_003							
+					} // end f_CSE_SEC_ROL_RET_003	
+					
+					
+					/**
+					 * @desc Check that the IUT sends a <token> Retrieve request to the Token Repository (CSE) after receiving a request on a resource protected by role based access control
+					 * 
+					 */						
+					testcase TC_CSE_SEC_ROL_RET_004() runs on Tester system CseSystem {
+						//Local variables
+						var CseSimu v_cse1 := CseSimu.create("CSE1") alive;
+							
+						v_cse1.start(f_CSE_SEC_ROL_RET_004());
+						v_cse1.done;																		
+					}
+					
+					function f_CSE_SEC_ROL_RET_004() runs on CseSimu system CseSystem {
+						 // Local variables
+						 var MsgIn v_response;
+						 var integer v_aeIndex := -1;
+						 var XSD.ID v_tokenResourceID;
+						 var integer v_resourceIndex := -1;
+						 var MsgIn v_request;
+	
+						 // Test control
+						 if(not(PICS_ROL_SUPPORT)) {
+							 setverdict(inconc, __SCOPE__ & ": Role Based Access Control Procedure support is required to run this test case");
+							 stop;
+						 }
+						
+						 // Test component configuration
+						 f_cf02UpCseSimuMaster();
+	
+						 // Test adapter configuration
+						
+						 // Preamble
+						 vc_remoteCseIndex := f_cse_registerRemoteCse(m_createRemoteCSEBase); // Role Repository
+						 vc_ae1.start(f_cse_createResource(int3, m_createContainerBase));
+						 v_resourceIndex := f_getLatestResourceIndex(vc_ae1);
+						 v_tokenResourceID := fx_assign_originatorToken(); // external function, may require additional paremeters
+
+						 //Test Body
+						 vc_ae1.start(f_cse_retrieveResourceWithRoleToken(v_resourceIndex, null, v_tokenResourceID)); 
+											
+						 tc_ac.start;
+						 alt{
+							 [] mccPortIn.receive(mw_request(mw_retrieve(f_getResourceAddress(v_resourceIndex)))) -> value v_request {
+							 tc_ac.stop;
+							 setverdict(pass, __SCOPE__ & ": Originator Token retrieve request received.");
+							 }
+							 [] mccPortIn.receive(mw_request(?)) -> value v_request {
+								 tc_ac.stop;
+								 setverdict(fail, __SCOPE__ & ": Other operation received");
+								 f_cse_sendResponse_cseSimu(v_request);
+							 }
+							 [] tc_ac.timeout {
+								 setverdict(fail, __SCOPE__ & ": No request received");
+							 }
+						 }
+					
+						 f_cseSimu_checkComponentDoneAndGetVerdict(vc_ae1);
+							
+						 // Postamble
+						 f_cse_postamble_deleteResourcesCSE();
+						
+						 // Tear down
+						 f_cf02DownCseSimuMaster();
+						
+					 } // end f_CSE_SEC_ROL_RET_003													
 	
 				}// end of group Retrieve
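Review bot: The pass branch of `f_CSE_SEC_ROL_RET_004` expects `mw_retrieve(f_getResourceAddress(v_resourceIndex))`, a RETRIEVE addressed to the protected container, whereas the stated purpose is a `<token>` RETRIEVE sent to the Token Repository; `v_tokenResourceID` is not used in the expectation at all. As written, a conforming IUT would apparently land in the "Other operation received" fail branch, so the template should probably target the token, e.g. `mccPortIn.receive(mw_request(mw_retrieve(v_tokenResourceID)))`, after confirming the address form `mw_retrieve` expects. The pass branch also never answers the request, unlike the fail branch with `f_cse_sendResponse_cseSimu(v_request);`, which may leave the IUT waiting for a response. Smaller points: the closing comment should read `// end f_CSE_SEC_ROL_RET_004`, and the `@desc`, the `PICS_ROL_SUPPORT` inconc message and the `// Role Repository` comment still describe roles rather than tokens.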