Delegation conditions
In some cases, a delegation may depend on conditions that are not yet known at the moment the delegation policy is defined (also called dynamic policy evaluation). Examples of such conditions include:
A truck arriving to pick up goods must have license plate X.
The driver arriving to pick up goods must hold certificate Y.
A service requesting data must be located within Europe.
The status of a transport order must be “booked”.
All conditions that require trust and legal assurances in line with the iSHARE principles must be implemented using this specification. Service Providers and Authorisation Registries may also apply additional business rules, which are outside the scope of this specification.
The iSHARE Framework does not specify how an Authorisation Registry must store these conditions (for example in policies). It only specifies how the conditions must be provided to Service Providers / Service Consumers by Authorisation Registries and how context information must be provided to Authorisation Registries by Service Providers / Service Consumers.
Supported condition types
Two types of conditions / dynamic policy evaluation are covered in these specifications:
Type 1: conditions evaluated by an Authorisation Registry
The Entitled Party provides these conditions to the Authorisation Registry
The Service Provider or the Service Consumer (depending on which party requests delegation evidence) provides the required context information while requesting delegation evidence
The Authorisation Registry evaluates the provided context information with the provided conditions, as part of the decision process to (not) provide delegation evidence
The Service Provider decides (not) to deliver the requested service based on the delegation evidence provided by the Authorisation Registry
The context information SHALL be provided in the following attribute (see Request model):
delegationRequest -> policySets -> policies -> target -> context
The information SHALL be provided in the form of key-value pairs. There is a reserved keyword for specifying the Service Provider at which the service will be consumed: serviceProvider.
Example:
{
...
"context": {
"serviceProvider": "did:ishare:EU.NL.NTRNL-10000003",
"licensePlate": "XYZ",
"orderStatus": "to_be_picked_up"
}
}Type 2: evaluate conditions by the Service Provider
The Entitled Party provides conditions to the Authorisation Registry
The Authorisation Registry does not evaluate the conditions itself, but returns the conditions as rules (part of the returned delegation evidence after a delegation evidence request)
The Service Provider evaluates the conditions that are presented in the rules and decides based on the evaluation to (not)provide the requested service
The conditions SHALL be provided in the following attribute (see Response model):
delegationEvidence -> policySets -> policies -> rules -> conditions
The conditions object SHALL represent a logical tree structure. It SHALL use nested anyOf and allOf constructs to express Boolean logic. Each leaf node in the tree SHALL contain a leftOperand, an operator, and a rightOperand.
There is a reserved keyword for specifying the Service Provider at which the service may be consumed: serviceProvider.
Example:
{
...
"conditions": {
"anyOf": [
{
"leftOperand": "serviceProvider",
"operator": "equal",
"rightOperand": "did:ishare:EU.NL.NTRNL-10000003"
},
{
"leftOperand": "serviceProvider",
"operator": "equal",
"rightOperand": "did:ishare:EU.NL.NTRNL-10000002"
}
]
}
}Last updated