...

| Parameters | Type | Description |
|---|---|---|
| notBefore (Required) | Integer | Timestamp indicating the start of the validity period of this delegation evidence. MUST be according to ISO 8601, following the timestamp conventions. SHOULD equal the time of issuing of the evidence unless historic evidence is requested. |
| notOnOrAfter (Required) | Integer | Timestamp indicating the end of the validity period of this delegation evidence. MUST be according to ISO 8601, following the timestamp conventions. The issuer of the evidence (data entitled party or authorisation register) determines the time. Note that a reasonable amount of time SHOULD be allowed for processing of longer delegation paths. Also note that evidence cannot be revoked, so setting very long validity periods SHOULD be avoided. |
| policyIssuer (Required) | String | MUST contain a valid Organisation ID (an EORI or KvK number) of the delegator (data entitled party). |
| target (Required) | Object | Object MUST contain an accessSubject. No other elements are allowed. It makes the entire delegation evidence applicable only to this accessSubject. |
| accessSubject (Required) | String in target | MUST contain a valid Organisation ID (an EORI or KvK number) of the delegate (the data service consumer that receives the delegated rights). |
| policySets (Required) | Array | MUST contain one or more policySet objects with an indication for further delegation. Note that multiple policySet objects within one delegationEvidence MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a permit-override manner, allowing a Permit even if only one of the policySet objects evaluates to Permit. |

...

| Parameters | Type | Description |
|---|---|---|
| target (Required) | String | Object MUST contain a resource object, actions and environment, which describe the target (in terms of resource and action) that this policy applies to. It is also the scope that is permitted through the default rule. Additional rule elements can be described to exclude resources and actions from the default policy rights. |
| resource (Required) | Object in target | Object MUST contain the type, identifiers and attributes. |
| type (Required) | String in resource | MUST contain a string which describes the type of resource to which the rules apply. |
| identifiers (Required) | Array in resource | MUST contain an array of strings with one or more resource identifiers. Depending on the delegated rights, the identifier could be a data service id. Depending on the type, an identifier SHOULD be a URN according to RFC 8141. |
| attributes (Optional) | Array in resource | Optional array describing the attributes of the resources the delegated rights apply to. If omitted, defaults to all attributes. MUST contain an array of attributes of the resources the delegated rights apply to. Depending on the type, an attribute SHOULD be a URN according to RFC 8141. |
| actions (Required) | Array in target | MUST contain an array describing the action for which the delegated rights apply. |
| environment (Optional) | Object in target | Object MUST contain a serviceProviders element. No other elements are allowed. |
| serviceProviders (Required) | Array in environment | MUST contain an array of (one or more) valid Organisation IDs (an EORI or KvK number) of the data service providers that are allowed to provide services to the accessSubject as described within this policy. |
| rules (Required) | Array | MUST contain one or more rule objects describing the obtained rights within the resource. The first rule is the default rule that applies to the target at policy level. Note that additional rule elements within one policy object are intended to restrict the default rule. All rule elements in a policy MUST be evaluated in a deny-override manner, allowing a Permit only if all of the rule elements evaluate to Permit. |
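The checks described in the two tables above (validity period, delegator and delegate match, permit-override across policySets, deny-override across rules), as an added example that is not part of the DSGO specification. The field names `policies` and `effect`, the rule-level `target`, and integer Unix-epoch timestamps are assumptions; the organisation IDs and URNs are constructed.

```python
# Added example, not DSGO code. Assumed names: "policies", "effect", rule "target".
# Assumed: timestamps are integer Unix epoch seconds. All IDs below are constructed.
def matches(target, req):
    """True when the request falls inside a policy or rule target."""
    res, env = target.get("resource", {}), target.get("environment")
    return (res.get("type", req["type"]) == req["type"]
            and req["identifier"] in res.get("identifiers", [req["identifier"]])
            and req["attribute"] in res.get("attributes", [req["attribute"]])  # omitted = all
            and req["action"] in target.get("actions", [req["action"]])
            and (env is None or req["provider"] in env.get("serviceProviders", [])))

def rule_permits(rule, req):
    if rule.get("effect") == "Deny":  # a Deny rule excludes whatever its target matches
        return not matches(rule.get("target", {}), req)
    return rule.get("effect") == "Permit"  # unknown effect: fail closed

def policy_permits(policy, req):
    target, rules = policy.get("target", {}), policy.get("rules", [])
    complete = "actions" in target and {"type", "identifiers"} <= target.get("resource", {}).keys()
    # deny-override: every rule must evaluate to Permit
    return bool(rules) and complete and matches(target, req) and all(rule_permits(r, req) for r in rules)

def evaluate(evidence, req, now):
    """Return "Permit" or "Deny"; malformed or out-of-window evidence is Deny."""
    try:
        ok = (evidence["notBefore"] <= now < evidence["notOnOrAfter"]
              and evidence["policyIssuer"] == req["delegator"]
              and evidence["target"] == {"accessSubject": req["delegate"]})  # no extra elements
        policies = [p for ps in evidence["policySets"] for p in ps.get("policies", [])]
        # permit-override: one permitting policySet suffices (assumed: likewise per policy)
        return "Permit" if ok and any(policy_permits(p, req) for p in policies) else "Deny"
    except (KeyError, TypeError, AttributeError):
        return "Deny"  # fail closed on anything unexpected

# Constructed sample: read access to two resources, with the second excluded by a Deny rule.
EVIDENCE = {
    "notBefore": 1700000000, "notOnOrAfter": 1700000300,
    "policyIssuer": "EU.EORI.NL000000001",
    "target": {"accessSubject": "EU.EORI.NL000000002"},
    "policySets": [{"policies": [{
        "target": {"resource": {"type": "document", "identifiers": ["urn:example:1", "urn:example:2"]},
                   "actions": ["read"], "environment": {"serviceProviders": ["EU.EORI.NL000000003"]}},
        "rules": [{"effect": "Permit"},
                  {"effect": "Deny", "target": {"resource": {"identifiers": ["urn:example:2"]}}}]}]}],
}
REQUEST = {"delegator": "EU.EORI.NL000000001", "delegate": "EU.EORI.NL000000002",
           "provider": "EU.EORI.NL000000003", "type": "document",
           "identifier": "urn:example:1", "attribute": "title", "action": "read"}
```

Because evidence cannot be revoked, the `notOnOrAfter` comparison is the only thing that ends a grant, so it is evaluated on every request rather than once when the evidence is received.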

...

The /parties endpoint follows the generic technical requirements, as well as the requirements specified for specific methods. The figure below gives an overview of the HTTP methods that are supported by the /parties endpoint. These methods are further detailed and specified in the pages below:
