iSHARE Trust Framework
Other resources
Version 2.1 (current version)
Version 2.1 (current version)
  • iSHARE Trust Framework
  • Introduction
    • Goals and scope of the iSHARE Trust Framework
    • Guiding principles
    • Governance
  • Releases
    • Release notes
    • Release planning
    • Version history
  • Main aspects of the iSHARE Trust Framework
    • Key functionality
      • Support Machine to Machine (M2M) interaction
      • Support Human to Machine (H2M) interaction
      • Facilitate portable identity(s) for parties and humans
      • Facilitate flexible authorizations, applicable in any context
      • Enable data exchange based on delegations - even between unknown parties
      • Enable control over own data through management of consent
      • Provide a Trust Framework
    • Technical overview
    • Framework and roles
    • Legal provisions
    • Operational provisions
  • Use cases
    • Use case: M2M interaction (with fine-grained authorization)
    • Use case: H2M interaction (with coarse-grained authorization)
    • Use case: portable identity
    • Use case: delegation (and management of consent)
  • Detailed descriptions
    • Functional
      • Primary use cases
        • 1. M2M service provision
          • 1b. M2M service provision with the EP as the delegation info PIP
          • 1c. M2M service provision with the AR as the delegation info PIP
          • M2M service provision including an app
        • 2. H2M service provision with identity info at the IP
          • Without Identity Broker
          • With Identity Broker
      • Secondary use cases
      • Licenses
      • Delegation paths
      • Functional requirements per role
        • Party identification
        • User interface requirements
    • Technical
      • Technical standards
      • Structure of delegation evidence
        • Example cases
    • Operational
      • Operational processes
        • Admission
        • Withdrawal or Downgrade
        • Warnings, Suspension and Exclusion
        • Incident Management
        • Change Management
        • Management reporting
      • Service levels
        • Service levels for Adhering Parties
        • Service levels for Certified Parties
      • Communication
    • Legal
      • Legal context
        • Dutch Civil Code
        • Regulation on Electronic Identification and Trust Services (eIDAS)
        • Applicable competition law
        • General Data Protection Regulation (GDPR)
  • Glossary and legal notices
    • Glossary
    • Legal notices
    • Assumptions
Powered by GitBook
LogoLogo

  • Cookie Policy

  • Privacy Policy

  • Imprint

  • Contact Us

Copyright © 2024 iSHARE Foundation

On this page
  1. Detailed descriptions
  2. Technical
  3. Structure of delegation evidence

Example cases

PreviousStructure of delegation evidenceNextOperational

Last updated 2 months ago

The main variations in the JSON code for delegationEvidence are the (1-n) policySets, policies and rules arrays. These variations are based on the most efficient way of expressing the rights that an accessSubject has.

Various examples are described in the table below.

Description
Code

Organisation A delegates rights to organisation B. A allows B READ and CREATE access to all ETA and WEIGHT of A's containers of which the data is located at service provider C and can only be accessed with service provider C. However, A does not allow B to CREATE to ETA information and completely denies access to data regarding container ID.00000000000001. Furthermore, all rights of B are allowed under iSHARE licenses 1 and 3, and B has the right to delegate it's right two more times.

The code shows default access to a set of resources, with a few exceptions in terms of actions or specific resources. This results in additional "Deny" rules within the policy.

Code - for visual/reading purposes Bron uitklappen

Organisation A delegates rights to organisation B. A allows B READ access to all ETA of A's containers of which the data is located at service provider C and can only be accessed with service provider C. A also allows B CREATE access to all WEIGHT of A's containers, at any service provider possible. Furthermore, all rights of B are allowed under iSHARE licenses 1 and 3, and B has the right to delegate it's right two more times.

The code shows that the same delegation rights and licenses apply to a resource set, but different actions are allowed to different subsets of these resources. This results in variations in policies within the policySets.

Code - for visual/reading purposes Bron uitklappen

Organisation A delegates rights to organisation B. A allows B READ and CREATE access to all ETA and WEIGHT of A's containers of which the data is located at service provider C, and rights can only be used with service provider C. Furthermore, all rights of B are allowed under iSHARE licenses 1 and 3, and B has the right to delegate it's right two more times. A also provides B READ access to the Container origins, but does not allow delegation for this information and it is only accessible under iSHARE license 2.

The code shows two groups of resources with specific policies, executed under different licenses and delegation rights. This results in variations on the policySets level within the delegationEvidence.

Code - for visual/reading purposes Bron uitklappen

{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["ISHARE.0001", "ISHARE.0003"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.READ", "ISHARE.CREATE"],
                            "environment": {
                                "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                            }
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            },
                            {
                                "effect": "Deny",
                                "target": {
                                    "resource": {
                                        "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"]
                                    },
                                    "actions": ["ISHARE.CREATE"]
                                }
                            },
                            {
                                "effect": "Deny"
                            }
                        ]
                    }
                ]
            }
        ]
    }
}
{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["ISHARE.0001", "ISHARE.0003"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"]
                            },
                            "actions": ["ISHARE.READ"],
                            "environment": {
                                "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                            }
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            }
                        ]
                    },
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.CREATE"]
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            }
                        ]
                    }
                ]
            }
        ]
    }
}
{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["ISHARE.0001", "ISHARE.0003"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.READ", "ISHARE.CREATE"],
                            "environment": {
                                "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                            }
                        },
                        "rule": {
                            "effect": "Permit"
                        }
                    }
                ]
            },
            {
                "target": {
                    "environment": {
                        "licenses": ["ISHARE.0002"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ORIGIN"]
                            },
                            "actions": ["ISHARE.READ"]
                            },
                        "rule": {
                            "effect": "Permit"
                        }
                    }
                ]
            }
        ]
    }
}