Structure of delegation evidence

This part of the iSHARE Trust Framework is considered normative and is therefore compliant with RFC 2119.

This page describes (and prescribes) how, in data spaces/iSHARE network, delegation is communicated between different parties.

In data spaces/iSHARE network, delegation evidence expresses the delegation of rights from a delegator (the party that delegates rights; the policyIssuer) to the delegate (the party that receives the delegated rights; i.e. the accessSubject). Rights are expressed in rules in terms of allowed actions to be performed on resources, under the license(s) as defined in policySets.

Delegation evidence is modelled as a JSON object inspired by the XACML 3.0 specifications and structured as follows:

The JSON object consists of a root delegationEvidence element (modelled after an XACML PolicySet element) containing one or more policySet objects in the policySets array. The root element is only meant as a container element and extends the XACML specification to cater for some iSHARE required metadata such as timestamps. Each second level policySet element only acts as a container for actual policy elements, with an indication of whether the rights in this policySet can be further delegated (maxDelegationDepth) and which license(s) apply. No other delegation logic is conveyed in a second level policySet. Each policy element is used to express the actual rights being delegated.

The root delegationEvidence element contains the following parameters.

The second level objects in policySets each contain the following parameters. Other parameters are not allowed. Note that the XACML specification is heavily restricted here, among other things to prevent redundancy (and resulting possible conflicts) with the root policySet element.

A Policy element contains the following parameters.

The default Rule element contains the following parameters.

Additional Rule elements contain the following parameters.

* Note: Although not individually required, at least one of the parameters within the resource object needs to be specified to which the additional rules apply.

Example delegation JSON:

//Organisation A delegates rights to organisation B. A allows B READ and CREATE access to all ETA and WEIGHT of A's containers of which the data is located at service provider C and can only be accessed through service provider C. However, A does not allow B to CREATE ETA information and completely denies access to data regarding container ID.00000000000001. Furthermore, all rights of B are allowed under iSHARE licenses 1 and 3, and B has the right to delegate its rights two more times.

{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "EU.EORI.NL123456789",
        "target": {
            "accessSubject": "EU.EORI.NL012345678"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["ISHARE.0001", "ISHARE.0003"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.READ", "ISHARE.CREATE"],
                            "environment": {
                                "serviceProviders": ["EU.EORI.NL123412345"]
                            }
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            },
                            {
                                "effect": "Deny",
                                "target": {
                                    "resource": {
                                        "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"]
                                    },
                                    "actions": ["ISHARE.CREATE"]
                                }
                            },
                            {
                                "effect": "Deny",
                                "target": {
                                    "resource": {
                                        "identifiers": ["GS1.CONTAINER.ID.00000000001"]
                                    }
                                }
                            }
                        ]
                    }
                ]
            }
        ]
    }
}


Please note that although the attributes PolicySetId, Version and PolicyCombiningAlgId are mandatory in XACML, they are not ported to the iSHARE JSON structure. The iSHARE Trust Framework follows the "deny-override" Policy Combining Algorithm. This implies that if at least one policy is evaluated as "deny", the integrated output must also be "deny".
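As an added illustration (not part of the iSHARE specification or its reference code), the following Python evaluates the example delegation evidence above against a single request, applying the validity window, the accessSubject check and the deny-override combination of rules. The request field names and the example_request helper are assumptions of this example, not something the framework defines.

```python
import json
# Delegation evidence copied verbatim from the page's example (minified copy).
EVIDENCE = json.loads(
    '{"delegationEvidence":{"notBefore":1509633681,"notOnOrAfter":1509633741,"policyIssuer":"EU.EORI.NL123456789",'
    '"target":{"accessSubject":"EU.EORI.NL012345678"},"policySets":[{"maxDelegationDepth":2,'
    '"target":{"environment":{"licenses":["ISHARE.0001","ISHARE.0003"]}},"policies":[{"target":{"resource":{"type":"GS1.CONTAINER",'
    '"identifiers":["*"],"attributes":["GS1.CONTAINER.ATTRIBUTE.ETA","GS1.CONTAINER.ATTRIBUTE.WEIGHT"]},'
    '"actions":["ISHARE.READ","ISHARE.CREATE"],"environment":{"serviceProviders":["EU.EORI.NL123412345"]}},'
    '"rules":[{"effect":"Permit"},{"effect":"Deny","target":{"resource":{"attributes":["GS1.CONTAINER.ATTRIBUTE.ETA"]},'
    '"actions":["ISHARE.CREATE"]}},{"effect":"Deny","target":{"resource":{"identifiers":["GS1.CONTAINER.ID.00000000001"]}}}]}]}]}}'
)

def example_request(**overrides):
    # Constructed request from organisation B (the delegate); the key names are an assumption of this example.
    base = {"accessSubject": "EU.EORI.NL012345678", "action": "ISHARE.READ", "type": "GS1.CONTAINER",
            "identifier": "GS1.CONTAINER.ID.00000000002", "attribute": "GS1.CONTAINER.ATTRIBUTE.WEIGHT",
            "serviceProvider": "EU.EORI.NL123412345", "license": "ISHARE.0001"}
    return {**base, **overrides}

def _matches(target, request):
    # Every constraint present in a (possibly partial) target must hold; absent constraints match anything.
    res, env = target.get("resource", {}), target.get("environment", {})
    return all([
        "type" not in res or res["type"] == request["type"],
        "identifiers" not in res or "*" in res["identifiers"] or request["identifier"] in res["identifiers"],
        "attributes" not in res or request["attribute"] in res["attributes"],
        "actions" not in target or request["action"] in target["actions"],
        "serviceProviders" not in env or request["serviceProvider"] in env["serviceProviders"],
        "licenses" not in env or request["license"] in env["licenses"],
    ])

def evaluate(evidence, request, now):
    """Return "Permit" or "Deny": validity window and accessSubject first, then rules combined deny-override."""
    de = evidence["delegationEvidence"]
    if not (de["notBefore"] <= now < de["notOnOrAfter"]) or de["target"]["accessSubject"] != request["accessSubject"]:
        return "Deny"
    permitted = False
    for policy_set in de["policySets"]:
        if not _matches(policy_set.get("target", {}), request):
            continue  # e.g. the request is not made under one of the listed licenses
        for policy in policy_set["policies"]:
            if not _matches(policy.get("target", {}), request):
                continue  # resource, action or service provider outside this policy
            for rule in policy["rules"]:
                if not _matches(rule.get("target", {}), request):
                    continue
                if rule["effect"] == "Deny":
                    return "Deny"  # deny-override: a single matching Deny settles the decision
                permitted = True
    return "Permit" if permitted else "Deny"
```

With the page's example, READ or CREATE of WEIGHT and READ of ETA are permitted, while CREATE of ETA, any access to GS1.CONTAINER.ID.00000000001, a different service provider, an unlisted license or a request outside the validity window all evaluate to Deny.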


Copyright © 2024 iSHARE Foundation