Authorisation rules
iSHARE-certified Authorization Registries should support the creation of authorisation rules if they choose to implement the policy request endpoint. Authorisation rules are created by an Entitled Party and contain the rules against which incoming delegation requests (using the ) are evaluated; based on that evaluation, the requested delegations are automatically created or refused.
There are no technical specifications on how the Entitled Party should be provided with the possibility of managing authorisation rules. However, the following principles should be followed:
The authorisation rules must use a data license (9998 + additional licenses as applicable) to limit liability on automatically created policies.
The authorisation rules may use ISHARE.DELEGATION as a resource type.
The authorisation rules may implement the iSHARE concept of actions that can be performed on the delegations. Action names here are not prescribed, but as a best practice we suggest using HTTP methods such as "POST", "GET", "PUT" and "DELETE" to improve interoperability between Authorization Registries.
The authorisation rules must be limited with rules that work the same as described in . An extra requirement for these authorisation rules is that at least one rule limiting the scope of kind of delegation to be created via this mechanism should be present, preventing “*” authorisation rules.
The Authorization Registry should provide clear information on how the authorisation rules are processed if they overlap. Refer to the guidance section below for further information.
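The following Python is an added example, not part of the iSHARE specification (which prescribes no format for these rules). It checks an authorisation rule against the principles above before it is accepted. The rule layout (`licenses`, `resource_type`, `actions`, `limits`), the findings format and all sample values are assumptions made for this example.

```python
# Hypothetical rule layout: iSHARE prescribes no format for authorisation rules.
REQUIRED_LICENSE = "9998"   # licence number as written on the page; encoding assumed
HTTP_METHODS = {"POST", "GET", "PUT", "DELETE"}
WILDCARD = "*"


def is_limiting(values):
    """A constraint limits scope if it names concrete values and no wildcard."""
    return bool(values) and WILDCARD not in values


def check_rule(rule):
    """Return (level, message) findings for one authorisation rule."""
    findings = []
    # Principle: the data licence must be present to limit liability.
    if REQUIRED_LICENSE not in rule.get("licenses", []):
        findings.append(("error", "data license 9998 missing"))
    # Principle: at least one rule must narrow what can be auto-created.
    limits = rule.get("limits", {})
    if not any(is_limiting(v) for v in limits.values()):
        findings.append(("error", "no limiting rule: any delegation would be auto-created"))
    # Best practice only: action names are not prescribed.
    odd = sorted(set(rule.get("actions", [])) - HTTP_METHODS)
    if odd:
        findings.append(("note", "non-HTTP action names: " + ", ".join(odd)))
    return findings


# Constructed sample rules (identifiers are placeholders, not real parties).
NARROW = {
    "licenses": ["9998"],
    "resource_type": "ISHARE.DELEGATION",
    "actions": ["POST"],
    "limits": {"access_subjects": ["EU.EORI.NL000000001"], "resource_types": ["*"]},
}
OPEN = {
    "licenses": ["0001"],
    "resource_type": "ISHARE.DELEGATION",
    "actions": ["create"],
    "limits": {"access_subjects": ["*"], "resource_types": ["*"]},
}

if __name__ == "__main__":
    for name, rule in (("NARROW", NARROW), ("OPEN", OPEN)):
        print(name, check_rule(rule) or "accepted")
```

Rejecting a rule at creation time, rather than at request time, keeps an all-wildcard rule from ever being stored by the registry.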