
Parties MUST support a POST call to a /delegation endpoint to retrieve delegation evidence (in a delegationEvidence object).

Request

Authorization

An access token must be used in POST calls to the /delegation endpoint. For more information, see Access Token.

...

For information about the parameters that are common to the trust framework’s APIs, see Generic API Requirements.

...

| Parameter | Type | Description |
| --- | --- | --- |
| delegationRequest (Required) | Object | Object MUST contain policyIssuer, target and policySets objects, and may contain the delegation_path and previous_steps arrays as described below. |
| policyIssuer (Required) | String in delegationRequest | MUST contain a valid Organisation ID of the delegator (data entitled party), containing an EORI or KvK number. |
| target (Required) | Object in delegationRequest | Object MUST contain an accessSubject. No other elements are allowed. It makes the entire delegation evidence applicable only to this accessSubject. |
| accessSubject (Required) | String in target | MUST contain a valid Organisation ID of the delegate (the data service consumer that receives the delegated rights), containing an EORI or KvK number. |
| policySets (Required) | Array in delegationRequest | MUST contain one or more policySet objects with an indication for further delegation (see /delegation for more information). Note that multiple policySet objects within one delegationEvidence MUST not restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a permit-override manner, allowing a Permit if only one of the policySet objects evaluates to Permit. |
| delegation_path (Optional) | Array in delegationRequest | Optional array used in a situation where multiple delegation policies need to be linked together. MUST contain one or more valid Organisation IDs, each containing an EORI or KvK number. |
| previous_steps (Optional) | Array in delegationRequest | Optional array used for one or more pieces of evidence such that the client has legitimate reason to request delegation evidence. MUST contain a previous delegationEvidence object or client_assertion for a single step. May contain an array for multiple steps. The minimum is a client_assertion value of the accessSubject, for example if the data service provider requests delegationEvidence for an authorization in which he is neither the policyIssuer nor the accessSubject. |
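A server-side structural check of the request body against the parameter rules above, as an added example that is not part of the original specification or any reference implementation. The function names, the Organisation ID pattern and the sample values are assumptions made for illustration.

```python
import re

# Assumption: IDs look like "EU.EORI.<id>" or "NL.KVK.<id>"; the page only
# says an Organisation ID contains an EORI or KvK number.
ORG_ID = re.compile(r"(EU\.EORI|NL\.KVK)\.[A-Z0-9]{1,32}")

def is_org_id(value):
    return isinstance(value, str) and ORG_ID.fullmatch(value) is not None

def validate_delegation_request(body):
    """Return a list of violations; an empty list means the body is acceptable."""
    req = body.get("delegationRequest") if isinstance(body, dict) else None
    if not isinstance(req, dict):
        return ["delegationRequest: required object is missing"]
    errors = []
    if not is_org_id(req.get("policyIssuer")):
        errors.append("policyIssuer: must be a valid Organisation ID")
    target = req.get("target")
    if not isinstance(target, dict):
        errors.append("target: required object is missing")
    else:
        # Only accessSubject is allowed; reject anything else instead of ignoring it.
        extra = sorted(set(target) - {"accessSubject"})
        if extra:
            errors.append(f"target: unexpected elements {extra}")
        if not is_org_id(target.get("accessSubject")):
            errors.append("target.accessSubject: must be a valid Organisation ID")
    policy_sets = req.get("policySets")
    if not isinstance(policy_sets, list) or not policy_sets:
        errors.append("policySets: must be a non-empty array")
    elif not all(isinstance(p, dict) for p in policy_sets):
        errors.append("policySets: every entry must be an object")
    if "delegation_path" in req:
        path = req["delegation_path"]
        if not isinstance(path, list) or not path or not all(map(is_org_id, path)):
            errors.append("delegation_path: must hold one or more Organisation IDs")
    if "previous_steps" in req:
        # Shape check only; the evidence or client_assertion inside still has
        # to be verified separately.
        steps = req["previous_steps"]
        if not isinstance(steps, list) or not steps:
            errors.append("previous_steps: must hold at least one entry")
    return errors

# Constructed sample request (IDs and policySet content are made up).
SAMPLE = {"delegationRequest": {
    "policyIssuer": "EU.EORI.NL000000001",
    "target": {"accessSubject": "EU.EORI.NL000000002"},
    "policySets": [{"policies": []}],
}}
```

Rejecting unknown elements in target, rather than silently dropping them, keeps a request from being interpreted with a narrower or wider scope than the caller intended.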

...