This part of the iSHARE scheme is considered normative and is therefore compliant with RFC 2119.
This page describes (and prescribes) how, in iSHARE, delegation is communicated between different parties.
In iSHARE, delegation evidence expresses the delegation of rights from a delegator (the policyIssuer) to the delegate (the accessSubject). Rights are expressed in rules, in terms of allowed actions to be performed on resources, under the license(s) as defined in policySets.
...
Parameter | Contained in | Type | Required | Description |
---|---|---|---|---|
effect | rules | string | Yes | MUST contain 'Deny' |
target | rules | { } | Yes | Describes the target, in terms of resource and action, that this additional rule applies to. Additional rule elements are limitations of the default rule and resource scope. |
resource | target | { } | Yes | |
type | resource | string | No* | Optional string which describes the type of resource to which the rule applies. Defaults to none if not specified. |
identifiers | resource | [ ] | No* | Optional array of strings containing one or more resource identifiers. Depending on the type an identifier SHOULD be a urn. |
attributes | resource | [ ] | No* | Optional array of attributes of the resources the delegated rights apply to. If omitted defaults to all attributes. Depending on the type an attribute SHOULD be a urn. |
actions | target | [ ] | No | Optional array of actions; the additional rule applies to the actions listed. If no actions are listed, the default is all iSHARE actions defined within the policy. |
*Note: Although not individually required, at least one of the parameters within the resource object needs to be specified to which the additional rules apply.
...
Code block:

```json
{
  "delegationEvidence": {
    "notBefore": 1509633681,
    "notOnOrAfter": 1509633741,
    "policyIssuer": "EU.EORI.NL123456789",
    "target": { "accessSubject": "EU.EORI.NL012345678" },
    "policySets": [
      {
        "maxDelegationDepth": 2,
        "target": { "environment": { "licenses": ["ISHARE.0001", "ISHARE.0003"] } },
        "policies": [
          {
            "target": {
              "resource": {
                "type": "GS1.CONTAINER",
                "identifiers": ["*"],
                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
              },
              "actions": ["ISHARE.READ", "ISHARE.CREATE"],
              "environment": { "serviceProviders": ["EU.EORI.NL123412345"] }
            },
            "rules": [
              { "effect": "Permit" },
              {
                "effect": "Deny",
                "target": {
                  "resource": { "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"] },
                  "actions": ["ISHARE.CREATE"]
                }
              },
              {
                "effect": "Deny",
                "target": { "resource": { "identifiers": ["GS1.CONTAINER.ID.00000000001"] } }
              }
            ]
          }
        ]
      }
    ]
  }
}
```
Note: Although the attributes PolicySetId, Version and PolicyCombiningAlgId are mandatory in XACML, they are not ported to the iSHARE JSON structure. iSHARE follows the "deny-override" policy combining algorithm: if at least one policy is evaluated as "deny", the integrated output must also be "deny".
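To make the rule semantics and the deny-override combination concrete, the following is an added example (not iSHARE reference code) that evaluates access requests against the delegation evidence shown above. The request shape, the wildcard and omitted-element matching (an omitted list means "all", "*" matches anything), and treating "no applicable rule" as Deny are assumptions drawn from the parameter table; licenses and maxDelegationDepth are not evaluated here.

```python
import json

# Constructed sample: the delegation evidence JSON from this page, verbatim.
EVIDENCE = json.loads(
    '{"delegationEvidence":{"notBefore":1509633681,"notOnOrAfter":1509633741,'
    '"policyIssuer":"EU.EORI.NL123456789","target":{"accessSubject":"EU.EORI.NL012345678"},'
    '"policySets":[{"maxDelegationDepth":2,"target":{"environment":{"licenses":["ISHARE.0001",'
    '"ISHARE.0003"]}},"policies":[{"target":{"resource":{"type":"GS1.CONTAINER","identifiers":["*"],'
    '"attributes":["GS1.CONTAINER.ATTRIBUTE.ETA","GS1.CONTAINER.ATTRIBUTE.WEIGHT"]},"actions":'
    '["ISHARE.READ","ISHARE.CREATE"],"environment":{"serviceProviders":["EU.EORI.NL123412345"]}},'
    '"rules":[{"effect":"Permit"},{"effect":"Deny","target":{"resource":{"attributes":'
    '["GS1.CONTAINER.ATTRIBUTE.ETA"]},"actions":["ISHARE.CREATE"]}},{"effect":"Deny","target":'
    '{"resource":{"identifiers":["GS1.CONTAINER.ID.00000000001"]}}}]}]}]}}')

def _matches(listed, value):
    # Assumption taken from the parameter table: an omitted list means "all", "*" is a wildcard.
    return listed is None or "*" in listed or value in listed

def _target_hit(target, req):
    """True if a policy or rule target covers the requested resource and action."""
    res = target.get("resource", {})
    return (_matches([res["type"]] if "type" in res else None, req["type"])
            and _matches(res.get("identifiers"), req["identifier"])
            and _matches(res.get("attributes"), req["attribute"])
            and _matches(target.get("actions"), req["action"]))

def request(action, attribute, identifier="GS1.CONTAINER.ID.00000000002",
            sp="EU.EORI.NL123412345", subject="EU.EORI.NL012345678"):
    # Hypothetical request shape used only by this example, not an iSHARE message format.
    return {"accessSubject": subject, "type": "GS1.CONTAINER", "identifier": identifier,
            "attribute": attribute, "action": action, "serviceProvider": sp}

def evaluate(evidence, req, now):
    """Return 'Permit' or 'Deny' for one request, combining rules with deny-override."""
    ev = evidence["delegationEvidence"]
    if not (ev["notBefore"] <= now < ev["notOnOrAfter"]) or req["accessSubject"] != ev["target"]["accessSubject"]:
        return "Deny"  # evidence not valid at this moment, or issued to a different delegate
    effects = []
    for policy_set in ev["policySets"]:
        for policy in policy_set["policies"]:
            target = policy["target"]
            providers = target.get("environment", {}).get("serviceProviders")
            if not (_target_hit(target, req) and _matches(providers, req["serviceProvider"])):
                continue  # this policy is not applicable to the request at all
            for rule in policy["rules"]:
                # The default rule carries no target; additional (Deny) rules narrow its scope.
                if "target" not in rule or _target_hit(rule["target"], req):
                    effects.append(rule["effect"])
    # Deny-override: one applicable Deny beats any number of Permits; no applicable rule is Deny (assumption).
    return "Deny" if "Deny" in effects or "Permit" not in effects else "Permit"
```

For instance, reading the ETA attribute of a container other than GS1.CONTAINER.ID.00000000001 yields Permit, while creating ETA, touching that specific container, or asking after notOnOrAfter yields Deny.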