iSHARE aims to enable parties to grant other parties or persons access to (parts of) their data or services. Parties within the iSHARE Scheme have greatly varying backgrounds, however: private and public, large and small, different value chains, different geographies, different modalities, etc. For that reason, iSHARE needs to have a flexible way of expressing authorizations.

Two examples can illustrate different levels of required flexibility:

  1. Some parties or contexts require management of authorizations on a very detailed level, e.g. Party A's ERP system (machine) is ONLY allowed to request status updates concerning line X of bill of lading Y;
  2. Some contexts require less detailed authorizations, e.g. Party A's ERP system (machine) is allowed to request ANY information about ANY (part of a) bill of lading.

Both examples are explained under use cases: fine-grained; coarse-grained.


The iSHARE Scheme envisions a world in which (access) authorizations are flexible in three ways:

  • Flexible authorization scope;
    iSHARE aims to provide a way to add a layer of authorization to any resource or any selection or combination of resources. The authorization scope refers to the objects or resources of a specific party, to which authorizations need to be assigned. The scope can include many or all resources (e.g. all data), or only some resources (e.g. specific data fields or services). Either way, the scope is always governed by a formal agreement and implemented by technical means.
  • Granular authorizations, and;
    iSHARE aims to provide a granular way to use authorizations for resources. The authorization granularity refers to the characteristics of both the requested resources and the rules (policies, conditions) that apply. Authorizations to resources can be coarse-grained (e.g. someone has access to all data in a certain data scope) or fine-grained (e.g. someone has access to only data with a low sensitivity level). The rules (policies, conditions) that control the authorizations can be fine-grained as well, meaning that many different types of rules can apply, such as time of day, location, organisation, role, and competence level.
  • Flexible authorization source.
    iSHARE aims to provide flexibility in where authorization rules are stored and can be retrieved. The authorization source refers to the location of the rules (policies, conditions) and the attributes (e.g. subject attributes, object attributes) that govern the authorizations. These can be located near the data, at a dedicated source, or a combination thereof. In the current version of the iSHARE Scheme, the flexibility in authorization source is described as 'Policy Information Point' or PIP in the detailed functional descriptions.
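
The two bill-of-lading examples and the attribute-based conditions described above can be sketched as a small default-deny policy check. This is an added illustration, not part of the iSHARE Scheme or its specifications; the `Rule` model, the `*` wildcard, the identifiers and the sample attribute store are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

ANY = "*"  # wildcard for coarse-grained rules (assumed convention, not an iSHARE one)

@dataclass(frozen=True)
class Rule:
    subject: str            # who is authorized, e.g. Party A's ERP system
    action: str             # a specific request type, or ANY
    resource_type: str      # authorization scope, e.g. "bill-of-lading"
    resource_id: str = ANY  # a specific document, or ANY
    part: str = ANY         # a specific part such as one line, or ANY
    conditions: Tuple[Callable[[Dict], bool], ...] = ()  # checks on PIP attributes

def _match(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value

def is_authorized(rules, pip, subject, action, resource_type, resource_id, part):
    """Default deny: permit only if a rule matches and all its conditions hold."""
    attrs = pip(subject, resource_id)  # attributes fetched from the authorization source
    for r in rules:
        if (r.subject == subject and r.resource_type == resource_type
                and _match(r.action, action)
                and _match(r.resource_id, resource_id)
                and _match(r.part, part)
                and all(cond(attrs) for cond in r.conditions)):
            return True
    return False

def sample_pip(subject, resource_id):
    # Constructed attribute store standing in for a Policy Information Point.
    store = {"Y": {"sensitivity": "low"}, "Z": {"sensitivity": "high"}}
    return store.get(resource_id, {})  # unknown resources yield no attributes

def low_sensitivity(attrs: Dict) -> bool:
    # A missing attribute fails the condition, so the decision fails closed.
    return attrs.get("sensitivity") == "low"

# Example 1 (fine-grained): ONLY status updates for line X of bill of lading Y.
FINE = [Rule("erp-party-a", "read-status", "bill-of-lading", "Y", "line-X")]
# Example 2 (coarse-grained): ANY information about ANY (part of a) bill of lading.
COARSE = [Rule("erp-party-a", ANY, "bill-of-lading")]
# Coarse scope narrowed by an attribute condition (low sensitivity only).
COARSE_LOW = [Rule("erp-party-a", ANY, "bill-of-lading", conditions=(low_sensitivity,))]
```

Because the attributes come from a separate lookup function, the same rules work whether they are stored near the data or at a dedicated source.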