Policy sets

The second level objects in policySets each contain the following parameters. Other parameters are not allowed. Note that XACML spec is heavily restricted, a.o. for the reason to prevent redundancy (and resulting possible conflicts) with the root policySet element.

  • maxDelegationDepth Integer. Contained in policySets. Optional. Optional element that, if present, indicates that further delegation of the rights, conveyed in the policy elements that are part of this PolicySet, is allowed. The value indicates the delegation steps that are allowed after this step in order to evaluate the entire delegation path to Permit.

  • target

    Object. Contained in policySets.

    Contains environment.

    • environment

      Object. Contained in target.

      Contains licenses.

      • licenses

        Array of Strings. Contained in environment.

        Array which describes which iSHARE licenses apply to this policySet.

  • policies

    Array of Objects. Contained in policySets.

    Used to express the actual rights for which evidence is being requested. Note that policies within one policySets object MUST not restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated in a permit-override manner, allowing a Permit if only one of the policy elements evaluates to Permit.Data model description and examples can be found at Policies section.\

Warning

For Delegation Mask (Delegation Request) only policies are required. All other parameters should be ignored.

Example:

{
  "policySets": [
    {
      "maxDelegationDepth": 5,
      "target": {
        "environment": {
          "licenses": [ "string" ]
        }
      },
      "policies": [ "object" ]
    }
  ]
}

Policies

  • target Object. Contained in policies. Describes the target, in terms of resource and action, this request applies to. It is also the scope that is permitted through the default rule.

    • resource Object. Contained in target. Contains type, identifiers and attributes.

      • type String. Contained in resource. String which describes the type of resource to which the rules apply.

      • identifiers Array of Strings. Contained in resource. Optional. Optional array of strings containing one or more resource identifiers.

      • attributes Array of Strings. Contained in resource. Optional. Optional array of attributes of the resources the delegated rights apply to.

    • actions Array of Strings. Contained in target. Array of actions that apply to this policy.

    • environment Object. Contained in target. _Optional_Optional field that contains serviceProviders.

      • serviceProviders Array of Strings. Contained in environment. Optional. Array which lists the iSHARE client ID’s of serviceProviders which are allowed to provide services to the accessSubject as described within this policy.

  • rules Array of Objects. Contained in policies. The first rule element is the default rule that applies to the target at policies level. Note that additional rule elements within one policies object are intended to restrict each the default rule. All rule elements in a Policy will be evaluated in a deny-override manner, allowing a Permit only if all of the rule elements evaluate to Permit.Data model description and examples can be found at Rules section.

Example:

{
  "policies": [
    {
      "target": {
        "resource": {
          "type": "CONTAINER.DATA",
          "identifiers": [
            "ID.12345"
          ],
          "attributes": [
            "CONTAINER.ETA"
          ]
        },
        "actions": [
          "iSHARE.READ"
        ],
        "environment": {
          "serviceProviders": [
            "EU.EORI.NL567891234"
          ]
        }
      },
      "rules": [ "object" ]
    }
  ]
}

Rules

The default rule element contains the following parameter:

  • effect String. Contained in rules. Value must be equal to Permit.

Additional rule elements contains the following parameters. Although individually not required, at least one type, identifier or attribute MUST be specified to which additional rules apply:

  • effect String. Contained in rules. Value must be equal to Deny.

  • target Object. Contained in policies. Describes the target, in terms of resource and action, this additional rule applies to. Additional rule elements are limitations of the default rule and resource scope.

    • resource Object. Contained in target. Contains type, identifiers and attributes.

      • type String. Contained in resource. Optional. String which describes the type of resource to which the rules apply. Defaults to none if not specified.

      • identifiers Array of Strings. Contained in resource. Optional. Optional array of strings containing one or more resource identifiers. Depending on the type an identifier SHOULD be a URN.

      • attributes Array of Strings. Contained in resource. Optional. Optional array of attributes of the resources the delegated rights apply to. If omitted defaults to all attributes. Depending on the type an attribute SHOULD be a URN.

    • actions Array of Strings. Contained in target. Optional. Array of actions that apply to this policy. If no actions are listed then the default is to all iSHARE actions defined within the policy.

Example:

{
  "rules": [
    {
      "effect": "Permit"
    },
    {
      "effect": "Deny",
      "target": {
        "resource": {
          "type": "CONTAINER.DATA",
          "identifiers": [
            "ID.12378",
            "ID.12379"
          ],
          "attributes": [
            "CONTAINER.WEIGHT"
          ]
        }
      }
    }
  ]
}

Note

This page must be considered part of the iSHARE Trust Framework

PreviousDelegation maskNextDelegation evidence

Last updated