Delegation paths
In essence, Service Providers need to decide whether a Service Consumer is allowed access to a certain resource. To make the right access decision, a Service Provider needs to interpret all relevant evidence, in other words, take a 'logical sum' of the evidence. This page elaborates on situations where more than one delegation is issued and the delegations have overlapping properties.
Example 1: Single delegation
In the situation of a single delegation, a Service Provider could encounter the following situation:
Example 2: Simple path of delegation
In practice, it can occur that various organisations delegate rights to various other organisations. Combining these delegations, a 'path of delegation' can be established, as is illustrated in the following example:
Example 3: Complex path of delegation
The following example illustrates a more complex delegation situation, where specific rights are delegated in terms of actions, resources and the right to further delegate these rights:
Party Q presides over party A's resources. When evaluating the available delegation evidence, organisation Q can conclude that organisation D has 'read' rights to resources X and Y but is not allowed to delegate these reading rights any further.
What is important to note for this path of delegation is that the delegations do not have to be issued in chronological order. However, every delegation in the path must exist at the moment access is requested: if party D requested access before party C delegated rights to D, the delegation path would not exist.
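The evaluation that party Q performs in Example 3 can be expressed in code. This is an added example, not code from the framework itself: the party names follow the page, while the contents of each delegation, the timestamps, the function names and the rule that rights are intersected along the path are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:
    issuer: str
    subject: str
    actions: frozenset
    resources: frozenset
    may_delegate: bool  # may the subject delegate these rights further?
    issued_at: int      # constructed logical timestamp

def path_rights(owner, requester, evidence, request_time):
    """Rights the requester holds per delegation path starting at the owner.

    Returns a list of (actions, resources, may_delegate) tuples, one per path.
    """
    # Only delegations that existed when access was requested count;
    # their order of issuance relative to each other does not matter.
    valid = [d for d in evidence if d.issued_at <= request_time]

    def walk(party, actions, resources, seen):
        for d in valid:
            if d.issuer != party or d.subject in seen:
                continue
            # Assumption: rights narrow along the path (set intersection).
            a = d.actions if actions is None else actions & d.actions
            r = d.resources if resources is None else resources & d.resources
            if not a or not r:
                continue
            if d.subject == requester:
                yield (a, r, d.may_delegate)
            elif d.may_delegate:  # intermediate links must allow further delegation
                yield from walk(d.subject, a, r, seen | {d.subject})

    return list(walk(owner, None, None, frozenset({owner})))

def is_allowed(owner, requester, action, resource, evidence, request_time):
    """True if any path grants `action` on `resource` (the 'logical sum')."""
    return any(action in a and resource in r
               for a, r, _ in path_rights(owner, requester, evidence, request_time))

# Constructed evidence: C -> D was issued first, A -> B last.
EVIDENCE = [
    Delegation("A", "B", frozenset({"read", "write"}), frozenset({"X", "Y", "Z"}), True, 30),
    Delegation("B", "C", frozenset({"read"}), frozenset({"X", "Y", "Z"}), True, 20),
    Delegation("C", "D", frozenset({"read", "write"}), frozenset({"X", "Y"}), False, 10),
]
```

With this evidence, a request by D at time 40 yields 'read' on X and Y without the right to delegate further, while the same request at time 25 finds no path because the A to B delegation did not yet exist.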