iSHARE Developer Portal
Other resources
Version 2.2 (current version)
Version 2.2 (current version)
  • Welcome to the iSHARE Developer Portal
  • Introduction
    • Getting started
      • Test certificates
      • Test participants
      • OpenAPI Descriptions
      • Postman collections
    • Release info
    • Help & support
    • Specific technical standards
      • JSON Web Token (JWT)
      • OAuth 2.0
      • OpenID Connect 1.0
      • PKI
      • TLS
      • XACML 3.0
      • Caching
      • DID
      • UTC
      • X.509
      • HTTP response codes
    • UI Guidelines
    • Conformance test tool
  • Roles
    • Roles
  • All roles (common endpoints)
    • Access token (M2M)
    • Capabilities
  • Authorisation Registry Role
    • Getting started
    • Access token (M2M)
    • Capabilities
    • Delegation
    • Delegation Policy
  • Entitled Party
    • Getting started
  • Identity Provider
    • Getting started
    • Authorize
    • Login
    • Access token
    • User info
    • Capabilities
  • Participant Registry role
    • Getting started
    • Access token (M2M)
    • Capabilities
    • Parties [GET]
    • Parties [OPTIONS]
    • Parties [POST]
    • Parties (single party) [GET]
    • Parties (single party) [OPTIONS]
    • Parties (single party) [PUT]
    • Trusted list
    • Versions
    • Data Spaces
    • Create Entitled Party / Service Consumer
  • Service Consumer Role
    • Getting started
  • Service Provider Role
    • Getting started
      • Service
    • Access token (M2M)
    • Capabilities
    • Return
  • Reference
    • iSHARE JWT
      • Client Assertion
    • Authentication
    • Authorization
    • Authorisation rules
  • Licenses model
Powered by GitBook
LogoLogo

  • Cookie Policy

  • Privacy Policy

  • Imprint

  • Contact Us

Copyright © 2024 iSHARE Foundation

On this page
  1. Authorisation Registry Role

Delegation Policy

PreviousDelegationNextGetting started

Last updated 5 hours ago

Request

Headers

  • Authorization String. (Required) OAuth 2.0 authorization based on bearer token. MUST contain “Bearer “ + access token value. How to retrieve the access token can be found at Access Token Endpoint section.

  • Content-Type String. Defines request body content type. MUST be equal to application/json.

Parameters

The body of the request contains iSHARE Compliant JWT delegationPolicyRequestToken. Besides the default attributes (iss, sub, aud, etc.), it contains the following attributes. The model of the delegationPolicyRequestToken is available on the iSHARE OpenAPI documentation. For convenience the model is also described below.

  • delegationPolicyRequest Object. Root level. (Required) Contains information about the delegation policy that is requested to create.

    • notBefore Integer. Contained in delegationPolicyRequest. (Required) Unix timestamp in UTC indicating the start of validity period of the requested delegation policy.

    • notOnOrAfter Integer. Contained in delegationPolicyRequest. Unix timestamp in UTC indicating the end of validity period of the requested delegation policy.

    • policyRequestor String. Contained in delegationPolicyRequest. (Required) Identifier of the the party to which the right is delegated.

    • policyIssuer String. Contained in delegationPolicyRequest. (Required) Identifier of the delegator, also know as the delegating entity.

    • target Object. Contained in delegationPolicyRequest. (Required) MUST for the root level contain an accessSubject. No other elements are allowed. It makes the entire requested delegation policy applicable only to this accessSubject.

      • accessSubject Object. Contained in target. (Required) Identifier of the delegate, also known as the entity that receives the delegated rights. It should be a party identifier for M2M cases or human pseudonym for H2M cases. This would usually hold the same value as policyRequestor.

    • policySets Array of Objects. Contained in delegationPolicyRequest. (Required) Container for one or more objects containing policy elements with an indication for further delegation. Note that policySet elements within one delegationPolicyRequest MUST not restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated by the Authorization Registry in a permit-override manner, allowing a Permit if only one of the policySet elements evaluates to Permit.

      • maxDelegationDepth Integer. Contained in policySets. Optional. Optional element that, if present, indicates that further delegation of the rights, conveyed in the policy elements that are part of this PolicySet, is allowed. The value indicates the delegation steps that are allowed after this step in order to evaluate the entire delegation path to Permit.

      • target

        Object. Contained in policySets.

        Contains environment.

        • environment

          Object. Contained in target.

          Contains licenses.

          • licenses

            Array of Strings and Objects. Contained in environment.

            Array which describes which iSHARE licenses apply to this policySet. Please refer to the Licenses model for more information about structuring this array.

      • policies

        Array of Objects. Contained in policySets. (Required)

        Used to express the actual rights for which evidence is being provided. Note that policies within one policySets object MUST not restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated in a permit-override manner, allowing a Permit if only one of the policy elements evaluates to Permit.

        • target Object. Contained in policies. (Required) Describes the target, in terms of resource and action, this request applies to. It is also the scope that is permitted through the default rule.

          • resource Object. Contained in target. (Required) Contains type, identifiers and attributes.

            • type String. Contained in resource. (Required) String which describes the type of resource to which the rules apply.

            • identifiers Array of Strings. Contained in resource. Optional. Optional array of strings containing one or more resource identifiers.

            • attributes Array of Strings. Contained in resource. Optional. Optional array of attributes of the resources the delegated rights apply to.

          • actions Array of Strings. Contained in target. (Required) Array of actions that apply to this policy.

          • environment Object. Contained in target. Optional field that contains serviceProviders.

            • serviceProviders Array of Strings. Contained in environment. Optional. Array which lists the iSHARE client ID’s of serviceProviders which are allowed to provide services to the accessSubject as described within this policy.

        • rules Array of Objects. Contained in policies. (Required)

          • effect String. Contained in rules. Value must be equal to Permit or Deny. (Required)

Response

HTTP status codes

  • 200 OK

    When the creation of the delegation policy was succesfull, OK result should be returned.

  • POSTRequest creation of a delegation policy
  • Request
  • Response

Request creation of a delegation policy

post

The Delegation policy request endpoint is an API endpoint that receives policy creation requests. The POST body accepts a JWT token: the Policy Creation Request Token.

Authorizations
Body
delegationPolicyRequestTokenstring · application/jwtRequired
Responses
200
OK: The requested policy is created.
401
Unauthorized: When Authorization header is either missing, invalid or token has already expired.
403
Forbidden: This error message is return when a policy creation request could not be processed after rules evaluation. The requested policy does not comply with the rules as set by the Entitled Party.
500
Server Error: When the Authorization Registry was unable to process the request
post
POST /delegationPolicy HTTP/1.1
Host: isharetest.net
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "delegationPolicyRequestToken": "text"
}
No content