iSHARE aims to enable parties to grant other parties or persons access to (parts of) their data or services. Parties within the iSHARE Scheme have greatly varying backgrounds, however. Private and public, large and small, different value chains, different geographies, different modalities, etc. For that reason, iSHARE needs to have a flexible way of expressing authorizations.
Two examples can illustrate different levels of required flexibility:
- Some parties or contexts require management of authorizations on a very detailed level, e.g. Party A's ERP system (machine) is ONLY allowed to request status updates concerning line X of bill of lading Y;
- Some contexts require less detailed authorizations, e.g. Party A's ERP system (machine) is allowed to request ANY information about ANY (part of a) bill of lading.
Both examples are explained under use cases: fine-grained; coarse-grained.
The iSHARE Scheme envisions a world in which (access) authorizations are flexible in three ways:
- Flexible authorization scope;
iSHARE aims to provide a way to add a layer of authorization to any resource or any selection or combination of resources. The authorization scope refers to the objects or resources of a specific party, to which authorizations need to be assigned. The scope can include many or all resources (e.g. all data), or only some resources (e.g. specific data fields or services). Either way, the scope is always governed by a formal agreement and implemented by technical means.
- Granular authorizations, and;
iSHARE aims to provide a granular way to use authorizations for resources. The authorization granularity refers to the characteristics of both the requested resources and the rules (policies, conditions) that apply. Authorizations to resources can be coarse-grained (e.g. someone has access to all data in a certain data scope) or fine-grained (e.g. someone has access to only data with a low sensitivity level). The rules (policies, conditions) that control the authorizations can be fine-grained as well, meaning that many different types of rules can apply, such as time of day, location, organisation, role, and competence level.
- Flexible authorization source.
iSHARE aims to provide flexibility to where authorization rules are stored and can be retrieved. The authorization source refers to the location of the rules (policies, conditions) and the attributes (e.g. subject attributes, object attributes) that govern the authorizations. These can be located near the data, at a dedicated source, or a combination thereof. In the current version of the iSHARE Scheme, the flexibility in authorization source is described as 'Policy Information Point' or PIP in the detailed functional descriptions.