Used to obtain delegation evidence from a data entitled party or authorisation register. Delegation evidence can be used in future data service requests to data service providers if delegation is enabled in their data service. In the DSGO, delegation evidence expresses the delegation of rights from a data entitled party to a delegated data service consumer. For more information about delegation in the DSGO, see Delegaties.
Information about delegation is provided in the `delegationEvidence` object. The `delegationEvidence` object is based on iSHARE v2.0, which in turn is inspired by the XACML 3.0 specifications, see Structure of delegation evidence.
delegationEvidence object
| Parameter | Required | Type | Description |
|---|---|---|---|
| `notBefore` | Required | Integer | Timestamp indicating the start of the validity period of this delegation evidence. MUST be a UNIX timestamp, following the timestamp conventions. SHOULD equal the time of issuing of the evidence unless historic evidence is requested. |
| `notOnOrAfter` | Required | Integer | Timestamp indicating the end of the validity period of this delegation evidence. MUST be a UNIX timestamp, following the timestamp conventions. The issuer of the evidence (data entitled party or authorisation register) determines the time. Note that a reasonable amount of time SHOULD be allowed for processing of longer delegation paths. Also note that evidence cannot be revoked, so very long validity periods SHOULD be avoided. |
| `policyIssuer` | Required | String | MUST contain a valid Organisation ID (an EORI or KvK number) of the delegator (data entitled party). |
| `target` | Required | Object | MUST contain an `accessSubject`. No other elements are allowed. It makes the entire delegation evidence applicable only to this `accessSubject`. |
| `accessSubject` | Required | String in `target` | MUST contain a valid Organisation ID (an EORI or KvK number) of the delegate (the data service consumer that receives the delegated rights). |
| `policySets` | Required | Array | MUST contain one or more `policySet` objects with an indication for further delegation. Note that multiple `policySet` objects within one `delegationEvidence` MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a permit-override manner, allowing a `Permit` if at least one of the `policySet` objects evaluates to `Permit`. |
policySet Object
The second-level objects in `policySets` each contain the parameters in the table below. Other parameters are not allowed. Note that the XACML specification is heavily restricted here, among other things to prevent redundancy (and resulting possible conflicts) with the root `policySet` element.
| Parameter | Required | Type | Description |
|---|---|---|---|
| `maxDelegationDepth` | Optional | Integer | Optional element which indicates whether further delegation of rights is allowed as part of this `policySet`, as conveyed in `policies`. MUST contain an integer value indicating the number of delegation steps that are allowed after this step in order to evaluate the entire delegation path to `Permit`. |
| `target` | Required | Object | MUST contain an `environment` object. No other elements are allowed. |
| `environment` | Required | Object in `target` | MUST contain a `licences` array. No other elements are allowed. |
| `licences` | Required | Array in `environment` | MUST be equal to one or more of the licence codes, prepended with a "DSGO." prefix, which describe which DSGO licences apply to the object this `policySet` applies to. |
| `policies` | Required | Array | MUST contain one or more `policy` objects, used to express the actual rights being delegated. Note that `policies` within one `policySet` object MUST NOT restrict each other, but rather offer a mechanism to express additional rights. They MUST be evaluated in a permit-override manner, allowing a `Permit` if at least one of the `policy` elements evaluates to `Permit`. |
policy Object
A `policy` element contains the parameters in the table below.
| Parameter | Required | Type | Description |
|---|---|---|---|
| `target` | Required | Object | MUST contain a `resource` object, `actions` and `environment`, which describe the target, in terms of resource and action, that this policy applies to. It is also the scope that is permitted through the default `rule`. Additional `rule` elements can be described to exclude resources and actions from the default `policy` rights. |
| `resource` | Required | Object in `target` | MUST contain the `type`, `identifiers` and `attributes`. |
| `type` | Required | String in `resource` | MUST contain a string which describes the type of resource to which the rules apply. |
| `identifiers` | Required | Array in `resource` | MUST contain an array of strings with one or more resource identifiers. Depending on the delegated rights, the identifier could be a data service `id`. Depending on the `type`, an `identifier` SHOULD be a URN according to RFC 8141. |
| `attributes` | Optional | Array in `resource` | Optional array describing the attributes of the resources the delegated rights apply to. If omitted, defaults to all attributes. If present, MUST contain an array of attributes of the resources the delegated rights apply to. Depending on the `type`, an `attribute` SHOULD be a URN according to RFC 8141. |
| `actions` | Required | Array in `target` | MUST contain an array describing the actions for which the delegated rights apply. |
| `environment` | Optional | Object in `target` | MUST contain a `serviceProviders` array. No other elements are allowed. |
| `serviceProviders` | Required | Array in `environment` | MUST contain an array of one or more valid Organisation IDs (EORI or KvK numbers) of the data service providers which are allowed to provide services to the `accessSubject` as described within this `policy`. |
| `rules` | Required | Array | MUST contain one or more `rule` objects describing the obtained rights within the `resource`. The first `rule` is the default `rule` that applies to the `target` at `policy` level. Note that additional `rule` elements within one `policy` object are intended to restrict the default `rule`. All `rule` elements in a `policy` MUST be evaluated in a deny-override manner, allowing a `Permit` only if all of the `rule` elements evaluate to `Permit`. |
Default Rule
The default `rule` element contains the parameters in the table below.

| Parameter | Required | Type | Description |
|---|---|---|---|
| `effect` | Required | String | MUST contain `Permit`. |
Additional rules
Additional `rule` elements contain the parameters in the table below.

| Parameter | Required | Type | Description |
|---|---|---|---|
| `effect` | Required | String | MUST contain `Deny`. |
| `target` | Required | Object | MUST contain a `resource` object, which describes the resource and action which this `rule` applies to. Additional `rule` elements are limitations of the default `rule` and `resource` scope. |
| `resource` | Required | Object in `target` | MUST contain the `type`, `identifiers` and `attributes`. |
| `type` | Optional* | String in `resource` | MUST contain a string which describes the type of resource to which the rules apply. |
| `identifiers` | Optional* | Array in `resource` | MUST contain an array of strings with one or more resource identifiers. Depending on the `type`, an `identifier` SHOULD be a URN according to RFC 8141. |
| `attributes` | Optional* | Array in `resource` | Optional array describing the attributes of the resources the delegated rights apply to. If omitted, defaults to all attributes. If present, MUST contain an array of attributes of the resources the delegated rights apply to. Depending on the `type`, an `attribute` SHOULD be a URN according to RFC 8141. |
| `actions` | Required | Array | Optional array of `actions`; the additional `rule` applies to the `actions` listed. MUST contain an array describing the specific actions for which this `rule` applies. If no `actions` are listed, the default is all actions defined within the `policy`. |

\* Note: Although not individually required, at least one of the parameters within the `resource` object MUST be specified to which the additional `rules` apply.
See below for an example delegationEvidence object (based on iSHARE v2.0, see link)
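As an added illustration (not code from the DSGO documentation or from iSHARE), the following Python evaluates a `delegationEvidence` object with the combining semantics described in the tables above: validity window and `accessSubject` binding first, then permit-override across `policySets` and `policies`, and deny-override across the `rules` of a policy. The evidence object, Organisation IDs and URNs are constructed placeholders, and the request dictionary shape and the function names are assumptions of this example.

```python
# Constructed sample shaped per the tables above; Organisation IDs and URNs are placeholders.
EVIDENCE = {
    "notBefore": 1700000000, "notOnOrAfter": 1700003600, "policyIssuer": "EU.EORI.NL000000001",
    "target": {"accessSubject": "EU.EORI.NL000000002"},
    "policySets": [{
        "maxDelegationDepth": 0,
        "target": {"environment": {"licences": ["DSGO.0001"]}},
        "policies": [{
            "target": {"resource": {"type": "urn:example:dataservice",
                                    "identifiers": ["urn:example:ds:1"]},
                       "actions": ["read", "write"],
                       "environment": {"serviceProviders": ["EU.EORI.NL000000003"]}},
            # default rule first; the additional Deny rule carves "write" out of it
            "rules": [{"effect": "Permit"},
                      {"effect": "Deny", "target": {"resource": {"identifiers": ["urn:example:ds:1"]},
                                                    "actions": ["write"]}}]}]}]}

def _resource_matches(res, req):
    # An element absent from a rule's resource matches everything (see the "*" note above).
    return (res.get("type", req["type"]) == req["type"]
            and req["identifier"] in res.get("identifiers", [req["identifier"]])
            and ("attributes" not in res or req.get("attribute") in res["attributes"]))

def policy_decision(policy, req):
    tgt, env = policy["target"], policy["target"].get("environment", {})
    if (not _resource_matches(tgt["resource"], req) or req["action"] not in tgt["actions"]
            or req["serviceProvider"] not in env.get("serviceProviders", [req["serviceProvider"]])):
        return "NotApplicable"
    rules = policy["rules"]
    if rules[0].get("effect") != "Permit":  # the first rule is the default rule and MUST be Permit
        return "Deny"
    for rule in rules[1:]:  # deny-override: one matching Deny rule overrides the default Permit
        rt = rule["target"]
        if _resource_matches(rt["resource"], req) and req["action"] in rt.get("actions", tgt["actions"]):
            return "Deny"
    return "Permit"

def evaluate(evidence, req, now):
    if not evidence["notBefore"] <= now < evidence["notOnOrAfter"]:
        return "Deny"  # outside the validity window; evidence cannot be revoked, it can only expire
    if evidence["target"]["accessSubject"] != req["accessSubject"]:
        return "Deny"  # the evidence is bound to exactly one delegate
    for ps in evidence["policySets"]:
        if req["licence"] not in ps["target"]["environment"]["licences"]:
            continue
        # permit-override across policies and across policySets: a single Permit is enough
        if any(policy_decision(p, req) == "Permit" for p in ps["policies"]):
            return "Permit"
    return "Deny"
```

A request for `read` on the listed data service is permitted, while `write` is denied by the additional rule even though the policy target lists it, which is the deny-override behaviour the `rules` row describes.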
Endpoint
The `/delegation` endpoint follows the generic technical requirements, as well as the requirements specified for specific methods. The figure below gives an overview of the HTTP methods that are supported by the `/delegation` endpoint. These methods are further detailed and specified in the pages below: