Example cases

The main variations in the JSON code for delegationEvidence are the (1-n) policySets, policies and rules arrays. These variations are based on the most efficient way of expressing the rights that an accessSubject has.

Various examples are described in the table below.

Description

Code

Organisation A delegates rights to organisation B. A allows B READ and CREATE access to all ETA and WEIGHT of A's containers, of which the data is located at service provider C and can only be accessed with service provider C. However, A does not allow B to CREATE to ETA information and completely denies access to data regarding container ID.00000000000001. Furthermore, all rights of B are allowed under the iSHARE license https://licenses.ishare.eu/general/resharing-with-adhering-parties/1.0, and B has the right to delegate its rights two more times.

The code shows default access to a set of resources, with a few exceptions in terms of actions or specific resources. This results in additional "Deny" rules within the policy.

Code - for visual/reading purposes Bron uitklappen

{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["https://licenses.ishare.eu/general/resharing-with-adhering-parties/1.0"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.READ", "ISHARE.CREATE"],
                            "environment": {
                                "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                            }
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            },
                            {
                                "effect": "Deny",
                                "target": {
                                    "resource": {
                                        "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"]
                                    },
                                    "actions": ["ISHARE.CREATE"]
                                }
                            },
                            {
                                "effect": "Deny"
                            }
                        ]
                    }
                ]
            }
        ]
    }
}

Organisation A delegates rights to organisation B. A allows B READ access to all ETA of A's containers, of which the data is located at service provider C and can only be accessed with service provider C. A also allows B CREATE access to all WEIGHT of A's containers, at any service provider possible. Furthermore, all rights of B are allowed under the iSHARE license https://licenses.ishare.eu/general/resharing-with-adhering-parties/1.0, and B has the right to delegate its rights two more times.

The code shows that the same delegation rights and licenses apply to a resource set, but different actions are allowed to different subsets of these resources. This results in variations in policies within the policy sets.

Code - for visual/reading purposes Bron uitklappen

{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["https://licenses.ishare.eu/general/resharing-with-adhering-parties/1.0"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA"]
                            },
                            "actions": ["ISHARE.READ"],
                            "environment": {
                                "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                            }
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            }
                        ]
                    },
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.CREATE"]
                        },
                        "rules": [
                            {
                                "effect": "Permit"
                            }
                        ]
                    }
                ]
            }
        ]
    }
}

Organisation A delegates rights to organisation B. A allows B READ and CREATE access to all ETA and WEIGHT of A's containers, of which the data is located at service provider C, and rights can only be used with service provider C. Furthermore, all rights of B are allowed under the iSHARE license https://licenses.ishare.eu/general/resharing-with-adhering-parties/1.0, and B has the right to delegate its rights two more times. A also provides B READ access to the Container origins, but does not allow delegation for this information, and it is only accessible under the iSHARE license https://licenses.ishare.eu/general-non-commercial-use.

The code shows two groups of resources with specific policies, executed under different licenses and delegation rights. This results in variations on the policySets level within the delegationEvidence.

Code - for visual/reading purposes Bron uitklappen

{
    "delegationEvidence": {
        "notBefore": 1509633681,
        "notOnOrAfter": 1509633741,
        "policyIssuer": "did:ishare:EU.NL.NTRNL-10000005",
        "target": {
            "accessSubject": "did:ishare:EU.NL.NTRNL-10000001"
        },
        "policySets": [
            {
                "maxDelegationDepth": 2,
                "target": {
                    "environment": {
                        "licenses": ["https://licenses.ishare.eu/general/resharing-with-adhering-parties/1.0"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ETA", "GS1.CONTAINER.ATTRIBUTE.WEIGHT"]
                            },
                            "actions": ["ISHARE.READ", "ISHARE.CREATE"],
                            "environment": {
                                "serviceProviders": ["did:ishare:EU.NL.NTRNL-10000003"]
                            }
                        },
                        "rule": {
                            "effect": "Permit"
                        }
                    }
                ]
            },
            {
                "target": {
                    "environment": {
                        "licenses": ["https://licenses.ishare.eu/general-non-commercial-use/1.0"]
                    }
                },
                "policies": [
                    {
                        "target": {
                            "resource": {
                                "type": "GS1.CONTAINER",
                                "identifiers": ["*"],
                                "attributes": ["GS1.CONTAINER.ATTRIBUTE.ORIGIN"]
                            },
                            "actions": ["ISHARE.READ"]
                            },
                        "rule": {
                            "effect": "Permit"
                        }
                    }
                ]
            }
        ]
    }
}

PreviousStructure of delegation evidence NextData Rights Credential (VC)

Last updated 2 months ago