Delegation paths

A key functionality of iSHARE is delegating rights to another party, authorising them to act on your behalf. A single delegation was described in the delegation use case.

In essence, Service Providers need to decide whether a Service Consumer is allowed access to a certain resource. To take the right access decisions, Service Providers need to interpret all relevant evidence to come to a decision: in other words: a 'logical sum' of evidence. This page further elaborates on situations where more than one delegation are issued that have overlapping properties. 

Example 1: Single delegation

In the situation of a single delegation, a Service Provider could encounter the following situation:

Example 2: Simple path of delegation

In practice, it can occur that various organisation delegate rights to various other organisation. Combining these delegations, a 'path of delegation' can be established, as is illustrated in the following example:

Example 3: Complex path of delegation

The following example illustrates a more complex delegation situation, where specific rights are delegated in terms of actions, resources and the right to further delegate these rights:

Party Q resides over party A's resources. When evaluating the available delegation evidence, organisation Q can conclude that organisation D has 'read' rights to resources X and Y but is not allowed to delegate these reading rights any further.

What is important to note for this path of delegation, is that the delegation rights do not have to be given in a chronological order. If party C just now delegated rights to D while party D would have requested access earlier than party C would have delegated rights, the delegation path would not exist.

Within iSHARE, it is possible to define more detailed rights to resources - as described in the key functionality section in the introduction. For a detailed technical explanation of delegations, please refer to the 'structure of delegation evidence' chapter.