Structure of delegation evidence

This part of the iSHARE Trust Framework is considered normative and is therefore compliant with RFC 2119.

This page describes (and prescribes) how participants can communicate about authorisations irrespective of the policy languages they use. This gives participants an interoperable way to exchange authorisations.

In iSHARE-based data spaces, delegation evidence expresses the delegation of rights from a delegator (the party that delegates rights, i.e. the policyIssuer) to the delegate (the party that receives the delegated rights, i.e. the accessSubject). Rights are expressed in rules in terms of allowed actions to be performed on resources, under the license(s) as defined in policySets.

Delegation evidence is modelled as a JSON object inspired by the XACML 3.0 specifications and structured as follows:

The JSON object consists of a root delegationEvidence element (modelled after an XACML PolicySet element) containing one or more policySet objects in the policySets array. The root element is only meant as a container element and extends the XACML specifications to cater for some iSHARE required metadata, such as timestamps. Each of the second-level policySet elements acts only as a container for the actual policy elements, with an indication of whether the rights in this policySet can be further delegated (with maxDelegationDepth) and which license(s) apply. No other delegation logic is conveyed at the second-level policySet. Each policy element is used to express the actual rights being delegated.

The root delegationEvidence element contains the following parameters.

| Parameter | Contained in | Type | Required | Description |
| --- | --- | --- | --- | --- |
| delegationEvidence | | { } | Yes | The root of any delegation evidence |
| notBefore | delegationEvidence | int | Yes | Unix timestamp in UTC indicating the start of the validity period of this delegation evidence. SHOULD equal the time of issuing of the evidence unless historic evidence is requested. |
| notOnOrAfter | delegationEvidence | int | Yes | Unix timestamp in UTC indicating the end of the validity period of this delegation evidence. It is up to the issuer of the evidence to set this time. Note that a reasonable amount of time SHOULD be allowed for processing of longer delegation paths. Also note that evidence cannot be revoked, so setting very long validity periods SHOULD be avoided. |
| policyIssuer | delegationEvidence | string | Yes | Party Identifier of the delegator (the delegating entity) |
| target | delegationEvidence | { } | Yes | Root level MUST contain an accessSubject attribute. No other elements are allowed. It makes the entire delegation evidence applicable only to this accessSubject. |
| accessSubject | target | string | Yes | Party Identifier of the delegate (the entity that receives the delegated rights) |
| policySets | delegationEvidence | [ ] | Yes (1..n) | Container for one or more objects containing policy elements with an indication for further delegation. Note that policySet elements within one delegationEvidence MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a "permit-override" manner, allowing a "Permit" if only one of the policySet elements evaluates to "Permit". |

The second-level objects in policySets each contain the following parameters. Other parameters are not allowed. Note that the XACML spec is heavily restricted, among other reasons to prevent redundancy (and resulting possible conflicts) with the root policySet element.

| Parameter | Contained in | Type | Required | Description |
| --- | --- | --- | --- | --- |
| maxDelegationDepth | policySets | int | No | Optional element that, if present, indicates that further delegation of the rights, conveyed in the policy elements that are part of this PolicySet, is allowed. The value indicates the delegation steps that are allowed after this step in order to evaluate the entire delegation path to "Permit". |
| target | policySet | { } | Yes | |
| environment | target | { } | Yes | |
| licenses | environment | [ ] | Yes | Defines which iSHARE licenses apply to this policySet. Defined as an array, licenses is now a structured object that supports logical composition of URIs (e.g., allOf, anyOf) to express multiple applicable licenses and their relationships. This allows for complex licensing scenarios such as conditional usage, combinations of geographical constraints, or certification requirements. For more information on licences . |
| policies | policySets | [ ] | Yes (1..n) | Used to express the actual rights being delegated. Note that policies within one policySets object MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a "permit-override" manner, allowing a "Permit" if only one of the policy elements evaluates to "Permit". |

A Policy element contains the following parameters.

| Parameter | Contained in | Type | Required | Description |
| --- | --- | --- | --- | --- |
| target | policies | string | Yes | Describes the target, in terms of resource and action, this policy applies to. It is also the scope that is permitted through the default Rule. Additional conditions that may be passed on along with the default rule. |
| resource | target | { } | Yes | Defines the data or asset to which the delegated rights apply, including its type, unique identifiers, and optional attributes describing specific elements of that resource. |
| type | resource | string | Yes | String which describes the type of resource to which the rules apply. The use of the type "iSHARE.DELEGATION" is reserved for authorisation rules. |
| identifiers | resource | [ ] | Yes | Array of strings containing one or more resource identifiers. Depending on the Type an identifier SHOULD be a URN. |
| attributes | resource | [ ] | No | Optional array of attributes of the resources the delegated rights apply to. If omitted, defaults to all attributes. Depending on the Type an attribute SHOULD be a URN. |
| actions | target | [ ] | Yes | Array specifying the operations (e.g., ISHARE.READ) that the delegate is permitted to perform on the defined resources. |
| rules | policies | [ ] | Yes (1..1) | Contains one Rule element. |

The Rule element contains the following parameters.

| Parameter | Contained in | Type | Required | Description |
| --- | --- | --- | --- | --- |
| effect | rules | string | Yes | Contains 'Permit' or 'Deny', as the outcome of Authorization Registry logic. |
| conditions | rules | {} | No | Optional conditions which must be evaluated. For guidance on how to interoperably define conditions, refer to the page about delegation evidence conditions. (When the SC requests the delegation token, the AR can include this condition so that the delegation token is only applicable at that specific SP. Alternatively, when the SP is requesting the token, that condition is not sent in rules but is part of the environment conditions under resource, which the AR must process and apply.) The following keywords in conditions are reserved: serviceProviders: reserved keyword for a condition that contains a list of party identifiers of serviceProviders which are allowed to provide services to the accessSubject. |

Example delegation JSON:

// Organisation A delegates rights to organisation B. A allows B 
// READ and CREATE access to all ETA and WEIGHT of A's containers 
// of which the data is located at service provider C and can only 
// be accessed with service provider C. Furthermore, all 
// rights of B are allowed under the iSHARE license 
// https://licenses.ishare.eu/general-non-commercial-use/1.0, 
// in France and Belgium only, and B has the right to delegate its 
// right two more times.

{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRLNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRLNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": [
                            {
                                "allOf": [
                                    "https://licenses.ishare.eu/general-non-commercial-use/1.0",
                                    {
                                        "anyOf": [
                                            "https://licenses.ishare.eu/country/be/1.0",
                                            "https://licenses.ishare.eu/country/fr/1.0"
                                        ]
                                    }
                                ]
                            }
                        ]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.READ", "ISHARE.CREATE"]
                        },
                        "rules": [
                            {
                                "effect": "Permit",
                                "conditions": {
                                    "anyof": [
                                        {
                                            "leftOperand": "serviceProvider",
                                            "operator": "equal",
                                            "rightOperand": "did:ishare:EU.NL.NTRNL-10000003"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                ]
            }
        ]
    }
}
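One way a relying party could evaluate a delegationEvidence object under the rules on this page (validity period, matching policyIssuer and accessSubject, permit-override across policySets and policies), as an added example that is not iSHARE's own code. It assumes "*" in identifiers means all resources, as in the example above, fails closed on any rule that carries conditions because their semantics are defined on another page, and does not evaluate licenses or maxDelegationDepth; the function names and the SAMPLE data are constructed here.

```python
import time

def policy_permits(policy, rtype, rid, attr, action):
    """True if the policy's target covers the request and its one rule is an unconditional Permit."""
    rules = policy["rules"]
    if len(rules) != 1 or rules[0].get("effect") != "Permit":
        return False
    if rules[0].get("conditions"):
        return False  # assumption: fail closed, condition semantics are defined on another page
    res = policy["target"]["resource"]
    attrs = res.get("attributes")  # omitted means all attributes
    return (res["type"] == rtype
            and ("*" in res["identifiers"] or rid in res["identifiers"])  # assumption: "*" = all
            and (attrs is None or attr in attrs)
            and action in policy["target"]["actions"])

def evaluate(doc, issuer, subject, rtype, rid, attr, action, now=None):
    """Return "Permit" or "Deny" for one request against one delegationEvidence object."""
    now = int(time.time()) if now is None else now
    try:
        ev = doc["delegationEvidence"]
        if not ev["notBefore"] <= now < ev["notOnOrAfter"]:
            return "Deny"  # outside the validity period
        if ev["policyIssuer"] != issuer or ev["target"]["accessSubject"] != subject:
            return "Deny"  # evidence was issued by or for a different party
        for pset in ev["policySets"]:  # permit-override: one permitting policy is enough
            if any(policy_permits(p, rtype, rid, attr, action) for p in pset["policies"]):
                return "Permit"
    except (KeyError, TypeError, AttributeError):
        pass  # malformed evidence never yields Permit
    return "Deny"

def sample_policy(attribute, conditions=None):
    """Constructed sample policy: READ on one attribute of all GS1.CONTAINER resources."""
    rule = {"effect": "Permit", **({"conditions": conditions} if conditions else {})}
    resource = {"type": "GS1.CONTAINER", "identifiers": ["*"], "attributes": [attribute]}
    return {"target": {"resource": resource, "actions": ["ISHARE.READ"]}, "rules": [rule]}

ENV = {"environment": {"licenses": [
    {"allOf": ["https://licenses.ishare.eu/general-non-commercial-use/1.0"]}]}}
COND = {"anyof": [{"leftOperand": "serviceProvider", "operator": "equal",
                   "rightOperand": "did:example:constructed-sp"}]}
SAMPLE = {"delegationEvidence": {  # constructed, modelled on the example above
    "notBefore": 1509633681, "notOnOrAfter": 1509633741,
    "policyIssuer": "did:ishare:EU.NL.NTRLNL-10000005",
    "target": {"accessSubject": "did:ishare:EU.NL.NTRLNL-10000001"},
    "policySets": [
        {"target": ENV, "policies": [sample_policy("GS1.CONTAINER.ATTRIBUTE.WEIGHT", COND)]},
        {"target": ENV, "policies": [sample_policy("GS1.CONTAINER.ATTRIBUTE.ETA")]}]}}
```

The first policySet in SAMPLE never permits here because its rule is conditional, yet a request for the ETA attribute is still permitted by the second policySet, which is the permit-override behaviour the tables require.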
