Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support RRR through Policies #442

Open
TheTechArch opened this issue Jun 25, 2024 · 0 comments
Open

Support RRR through Policies #442

TheTechArch opened this issue Jun 25, 2024 · 0 comments
Labels
kind/analysis status/draft Status: When you create an issue before you have enough info to properly describe the issue.

Comments

@TheTechArch
Copy link
Member

TheTechArch commented Jun 25, 2024
edited
Loading

Description

The current plan has been to solve access for resources in RRR through concept connections.

This analysis introduces a new concept

Terms

  • Resource Party - Avgiver, part ++++

Concept

The main concept of this approach is connecting the AccessList to the Resource through an XACML Policy. We introduce a new XACML policy we use for this authorization for the resource party.

AccessList

The accesslist will have a ID and have a set of organization members. Added a reference to a list will effectly give access to members of this list

Policy Example

The below policy shows the resource party policy for the

<xacml:Policy xmlns:xsl="http://www.w3.org/2001/XMLSchema-instance" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:altinn:example:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <xacml:Target/>
  <xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
    <xacml:Description>A rule giving resource party that is part of the accelisst kv/approved brokers the right to perform read/write on the service kv_eiendomssalg</xacml:Description>
    <xacml:Target>
      <xacml:AnyOf>
        <xacml:AllOf>
                   <xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">kv/approved_brokers</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:accesslistmember:part" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">kv_eiendomssalg</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:serviceresource" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
         <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
     </xacml:AnyOf>
    </xacml:Target>
  </xacml:Rule>
  <xacml:ObligationExpressions>
    <xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
      <xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</xacml:AttributeValue>
      </xacml:AttributeAssignmentExpression>
    </xacml:ObligationExpression>
  </xacml:ObligationExpressions>
</xacml:Policy>

Enabling Party authorization

The resource will have a boolean value telling PDP if party authorization is enabled.

If enabled, the PDP will load party policy from policy store

Task

  • Update Policy editor to support party authorization
  • Update policy editor to list access lists
  • Add policy store for party authorization policies
  • Update policy migration
  • Update PDP handling
  • Remove connections

To be decided

  • How to allow for party only authorization

In scope

No response

Out of scope

No response

Additional Information

No response

Analysis

No response

Conclusion

No response
@TheTechArch TheTechArch added status/draft Status: When you create an issue before you have enough info to properly describe the issue. kind/analysis labels Jun 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/analysis status/draft Status: When you create an issue before you have enough info to properly describe the issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TheTechArch