1c. M2M service provision with the AR storing delegation info

In use case 1c, a service is provided by the Service Provider to the Service Consumer. The Service Consumer has been delegated by the Entitled Party, and the evidence is registered at an Authorisation Registry.

Roles

Delegation info PIP

No delegation

Service Provider

Entitled Party

Authorisation Reg

Verifiable Credentials Variant

Use case variation

1

1a

1b

1c

1d

Note that interaction sequences are not described in the table above. In derived use case 1c, two interaction sequences are possible depending on who requests delegation info from the PIP:

  1. The Service Provider can request delegation info after a service request from the Service Consumer.

  2. The Machine Service Consumer can request delegation info and include it in its service request to the Service Provider.

Interaction sequence 1 is detailed below.

Depiction

Legal relations

Note that no prior legal relation exists between the Service Consumer and the Service Provider. Which services can be consumed by the Service Consumer, as delegated by the Entitled Party, is set out in the mandatory relation between this Entitled Party and the Service Provider.

Prerequisite registration

Use case interaction

Description

It is a prerequisite of this use case that:

  • The Service Provider has and manages its own entitlement information indicating what Entitled Parties are entitled to what (parts of) services*;

  • The Service Consumer can authenticate the Service Provider.

  • The Service Provider can authenticate the Service Consumer.

  • The delegation/authorisation responsible at the Entitled Party delegates (part of) the Entitled Party's rights (as registered at the Service Provider) to the Service Consumer. He registers this delegation in an Authorisation Registry.

  • The Service Provider knows/discovers which Authorisation Registry to request the delegation evidence from.

  • The Service Provider can authenticate the Authorisation Registry.

  • The Authorisation Registry can authenticate the Service Provider.

  • It is clear, through scheme agreements, under what conditions an Authorisation Registry can provide delegation information to a Service Provider.

*The Service Provider can outsource this function to a third party

Discovering Authorisation Rules:

The Service Provider discovers the Authorisation Registry for the specific capability in this order; the first condition that applies determines the Authorisation Registry:

  • Entitled Party has registered an Authorisation Registry for the specific capability in its /capabilities endpoint;

  • Else the Entitled Party has registered the Authorisation Registry for the specific capability in the Participation Registry;

  • Else the Entitled Party has registered an Authorisation Registry for a specific data space in the Participant Registry;

  • Else the Entitled Party's has set a default Authorisation Registry in the Participant Registry.

  • Else the Entitled Party and Service Provider have shared an Authorisation Registry bilaterally by other means (e.g., Service Provider has a profile/configuration for each Entitled Party to gather such information).

The use case consists of the following steps:

  1. The Machine Service Consumer requests a service from the Service Provider.

  2. The Service Provider authenticates the Machine Service Consumer and validates the iSHARE adherence of the Service Consumer;

  3. The Service Provider discovers (if not known) the applicable Authorisation Registry as described in Discovering Authorisation Rules.

  4. The Service Provider requests delegation evidence from the Authorisation Registry;

  5. The Authorisation Registry authenticates the Service Provider and validates its iSHARE adherence;

  6. The Authorisation Registry authorises the Service Provider based on the scheme agreements for providing delegation information;

  7. The Authorisation Registry provides the delegation evidence;

  8. The Service Provider validates the received delegation evidence through the following steps:

    1. The Service Provider authenticates the Authorisation Registry and validates its iSHARE certification;

    2. The Service Provider authorises the Entitled Party based on the entitlement information registered with the Service Provider, and validates its iSHARE adherence.

  9. The Service Provider authorises the Machine Service Consumer of the Service Consumer based on the validity of the delegation evidence;

  10. The Service Provider executes the requested service;

  11. The Service Provider provides the service result to the Machine Service Consumer.

Sequence diagram

Previous1b. M2M service provision with the EP storing delegation infoNext1d. M2M service provision with Verifiable Credentials

Last updated