This part of the iSHARE scheme is considered normative and is therefore compliant with RFC 2119.


This page describes (and prescribes) how, in iSHARE, delegation is communicated between different parties.


In iSHARE, delegation evidence expresses the delegation of rights from a delegator (the policyIssuer) to a delegate (the accessSubject). Rights are expressed as rules, in terms of the actions that are allowed to be performed on resources, under the license(s) defined in the policySets.

...

| Parameter   | Contained in | Type   | Required | Description |
|-------------|--------------|--------|----------|-------------|
| effect      | rules        | string | Yes      | MUST contain 'Deny'. |
| target      | rules        | { }    | Yes      | Describes the target, in terms of resource and action, that this additional rule applies to. Additional rule elements are limitations of the default rule and resource scope. |
| resource    | target       | { }    | Yes      | |
| type        | resource     | string | No*      | Optional string which describes the type of resource to which the rule applies. Defaults to none if not specified. |
| identifiers | resource     | [ ]    | No*      | Optional array of strings containing one or more resource identifiers. Depending on the type, an identifier SHOULD be a urn. |
| attributes  | resource     | [ ]    | No*      | Optional array of attributes of the resources the delegated rights apply to. If omitted, defaults to all attributes. Depending on the type, an attribute SHOULD be a urn. |
| actions     | target       | [ ]    | No       | Optional array of actions; the additional rule applies to the actions listed. If no actions are listed, the default is all iSHARE actions defined within the policy. |

* Note: Although not individually required, at least one of the parameters within the resource object needs to be specified so that it is clear to which resources the additional rule applies.

...

Code Block: example code - for copying purposes

{
  "delegationEvidence": {
    "notBefore": 1509633681,
    "notOnOrAfter": 1509633741,
    "policyIssuer": "EU.EORI.NL123456789",
    "target": {
      "accessSubject": "EU.EORI.NL012345678"
    },
    "policySets": [
      {
        "maxDelegationDepth": 2,
        "target": {
          "environment": {
            "licenses": ["ISHARE.0001", "ISHARE.0003"]
          }
        },
        "policies": [
          {
            "target": {
              "resource": {
                "type": "GS1.CONTAINER",
                "identifiers": ["*"],
                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
              },
              "actions": ["ISHARE.READ", "ISHARE.CREATE"],
              "environment": {
                "serviceProviders": ["EU.EORI.NL123412345"]
              }
            },
            "rules": [
              {"effect": "Permit"},
              {
                "effect": "Deny",
                "target": {
                  "resource": {"attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"]},
                  "actions": ["ISHARE.CREATE"]
                }
              },
              {
                "effect": "Deny",
                "target": {
                  "resource": {"identifiers": ["GS1.CONTAINER.ID.00000000001"]}
                }
              }
            ]
          }
        ]
      }
    ]
  }
}


Note: Although the attributes PolicySetId, Version and PolicyCombiningAlgId are mandatory in XACML, they are not ported to the iSHARE JSON structure. iSHARE follows the "deny-override" policy combining algorithm: if at least one policy is evaluated as "deny", the combined output must also be "deny".
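The following is an added example (not iSHARE's own code or reference implementation) of a minimal evaluator that applies the structure described in the table above and the deny-override note: a policy's default Permit rule grants its whole target, each additional Deny rule narrows that scope, and the decisions of all policies are combined so that any Deny wins. The example embeds the delegationEvidence from the code block above as its input. The request format (type, identifier, attribute, action, serviceProvider, accessSubject), the interpretation of an omitted target element as "no restriction" and of "*" as a wildcard, and the "NotApplicable" outcome for requests outside any policy target or the validity window are assumptions made for this example, not rules taken from the page.

```python
import json
import time

# Constructed sample input: the delegationEvidence example from the page, verbatim.
EVIDENCE = json.loads("""
{"delegationEvidence":{"notBefore":1509633681,"notOnOrAfter":1509633741,
"policyIssuer":"EU.EORI.NL123456789","target":{"accessSubject":"EU.EORI.NL012345678"},
"policySets":[{"maxDelegationDepth":2,"target":{"environment":{"licenses":["ISHARE.0001","ISHARE.0003"]}},
"policies":[{"target":{"resource":{"type":"GS1.CONTAINER","identifiers":["*"],
"attributes":["GS1.CONTAINER.ATTRIBUTE.ETA","GS1.CONTAINER.ATTRIBUTE.WEIGHT"]},
"actions":["ISHARE.READ","ISHARE.CREATE"],"environment":{"serviceProviders":["EU.EORI.NL123412345"]}},
"rules":[{"effect":"Permit"},
{"effect":"Deny","target":{"resource":{"attributes":["GS1.CONTAINER.ATTRIBUTE.ETA"]},"actions":["ISHARE.CREATE"]}},
{"effect":"Deny","target":{"resource":{"identifiers":["GS1.CONTAINER.ID.00000000001"]}}}]}]}]}}
""")


def _in_list(allowed, value):
    # Assumption: an omitted list means "no restriction"; "*" is a wildcard.
    if allowed is None:
        return True
    return "*" in allowed or value in allowed


def _target_matches(target, req):
    """Does a policy or rule target cover the request? Omitted elements do not restrict."""
    res = target.get("resource", {})
    if "type" in res and res["type"] != req["type"]:
        return False
    if not _in_list(res.get("identifiers"), req["identifier"]):
        return False
    if not _in_list(res.get("attributes"), req["attribute"]):
        return False
    if not _in_list(target.get("actions"), req["action"]):
        return False
    env = target.get("environment", {})
    return _in_list(env.get("serviceProviders"), req["serviceProvider"])


def evaluate_policy(policy, req):
    """One policy: NotApplicable outside its target; otherwise the default Permit rule
    grants, and any additional Deny rule whose narrower target covers the request overrides it."""
    if not _target_matches(policy["target"], req):
        return "NotApplicable"
    decision = "NotApplicable"
    for rule in policy["rules"]:
        if not _target_matches(rule.get("target", {}), req):
            continue  # this rule does not speak about the request
        if rule["effect"] == "Deny":
            return "Deny"  # deny-override inside the policy
        decision = "Permit"
    return decision


def evaluate(evidence, req, now=None):
    """Deny-override across every policy of every policySet in the evidence."""
    de = evidence["delegationEvidence"]
    now = time.time() if now is None else now
    # Validity window: assumption that notOnOrAfter is exclusive, as its name suggests.
    if not (de["notBefore"] <= now < de["notOnOrAfter"]):
        return "NotApplicable"
    # The evidence only speaks for the delegate named as accessSubject.
    if req["accessSubject"] != de["target"]["accessSubject"]:
        return "NotApplicable"
    decisions = [evaluate_policy(p, req)
                 for ps in de["policySets"] for p in ps["policies"]]
    if "Deny" in decisions:
        return "Deny"  # a single Deny wins over any number of Permits
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


def request(action, attribute, identifier="GS1.CONTAINER.ID.00000000005",
            service_provider="EU.EORI.NL123412345", subject="EU.EORI.NL012345678"):
    """Build a constructed access request; the container id 00000000005 is made up for the demo."""
    return {"type": "GS1.CONTAINER", "action": action, "attribute": attribute,
            "identifier": identifier, "serviceProvider": service_provider,
            "accessSubject": subject}


NOW = 1509633700  # constructed timestamp inside the example's validity window

if __name__ == "__main__":
    for label, req in [
        ("read ETA", request("ISHARE.READ", "GS1.CONTAINER.ATTRIBUTE.ETA")),
        ("create ETA", request("ISHARE.CREATE", "GS1.CONTAINER.ATTRIBUTE.ETA")),
        ("create WEIGHT", request("ISHARE.CREATE", "GS1.CONTAINER.ATTRIBUTE.WEIGHT")),
        ("read container ...001", request("ISHARE.READ", "GS1.CONTAINER.ATTRIBUTE.WEIGHT",
                                          identifier="GS1.CONTAINER.ID.00000000001")),
    ]:
        print(f"{label}: {evaluate(EVIDENCE, req, NOW)}")
```

Walking the example evidence through this evaluator: reading the ETA of an arbitrary container is permitted by the default rule; creating the ETA is denied by the first additional rule; creating the WEIGHT is still permitted because that rule only names the ETA attribute; any action on container 00000000001 is denied by the second additional rule; and an action, attribute or service provider outside the policy target, or a request outside the notBefore/notOnOrAfter window, yields no applicable policy at all.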