Defining Authorization Policy
In Altinn Studio, the application developer can define the authorization policy for the application they have created.
The application developer defines the authorization rules for an application in an XACML policy file placed in the app repository. The XACML policy contains one or more rules that determine who can perform which actions on which resources. You can edit the XACML file in a text editor of your choice.
Rules from the application template
When you create an app in Altinn Studio, it is based on the current ASP.NET template and includes an autogenerated XACML policy file.
The application developer can change the authorization rules in policy.xml, which is located in App/config/authorization in the application repository.
Details about configuring the policy file are given below, and the rule library (linked at the end of this page) contains a good number of example rules.
Resource Attributes
The resource attributes of a rule describe which application, or which part of an application, the rule applies to.
| Attribute | Description |
|---|---|
| urn:altinn:org | The org part of the resource identifies the organisation (service owner) that owns the app. |
| urn:altinn:app | The app part identifies the app itself. |
| urn:altinn:task | The task part of the resource makes it possible to have separate rules for the different process tasks. |
| urn:altinn:event | The event part of the resource makes it possible to have separate rules for reading events. |
Example
The example below shows the part of an XACML 3.0 policy where a resource is defined. All three matches sit in one AllOf, so the org, the app and the event must all match for the resource to match.
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">skd</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">taxreport</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:altinn:app" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instantiate</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:altinn:event" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
</xacml:AllOf>
Subject Attributes
The subject part of the rule's target defines who the rule applies to.
| Attribute | Description |
|---|---|
| urn:altinn:rolecode | The role code is used for rules that target end users and systems. |
| urn:altinn:org | The org code is used for rules that target organisations (service owners). |
A complete list of role types is documented separately.
It is important to read the guidelines for authorization rules before selecting a role.
Examples
Example with role code:
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">regna</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:altinn:rolecode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
</xacml:AllOf>
Example with org:
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">skd</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
</xacml:AllOf>
Action Attributes
| Attribute | Description |
|---|---|
| urn:oasis:names:tc:xacml:1.0:action:action-id | The action the rule applies to. In an app this can be read, write, instantiate, complete or delete. The list will be expanded as new functionality is added. |
Example with read action:
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
</xacml:AllOf>
Obligation
The obligation part defines information that the PEP (Policy Enforcement Point) must act on when the decision is returned. The required authentication level is set to 2 by default; this is expressed as an obligation in the XACML policy file.
If the required authentication level is raised to 4, you must also add a rule allowing the service owner to interact with the app at authentication level 3, because Maskinporten tokens are defined as level 3. See the rule library for examples.
Example with authentication level 2:
<xacml:ObligationExpressions>
<xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
<xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
</xacml:AttributeAssignmentExpression>
</xacml:ObligationExpression>
</xacml:ObligationExpressions>
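To make the target semantics of the fragments above concrete (a rule's Target holds when every AnyOf holds, an AnyOf holds when at least one of its AllOf blocks holds, an AllOf holds when all of its Match elements hold, and an obligation applies only when the decision equals its FulfillOn effect), here is an added example that is not part of the Altinn documentation or the app template: a small Python evaluator over a constructed policy that combines the resource, subject, action and obligation fragments from this page into one complete rule. The policy id, rule id, the task name Task_1 and the request model are assumptions made for the example; the attribute ids, categories and obligation ids are the ones used on this page. Indeterminate results are not modelled, so the deny-overrides combining is simplified.

```python
"""Simplified XACML 3.0 evaluator for Altinn-style app policies (added example, not Altinn's code).

The embedded policy is constructed for this example and combines the resource, subject,
action and obligation fragments from the page into one complete rule. Request attributes
are modelled as bags (sets) keyed by (category, attribute id), like a XACML request context.
"""
import xml.etree.ElementTree as ET

NS = {"xacml": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
MIN_AUTH_LEVEL = "urn:altinn:minimum-authenticationlevel"


def match_xml(attribute_id, category, value):
    """Render one string-equal <xacml:Match>, the shape used in every fragment on the page."""
    return (
        '<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
        f'<xacml:AttributeValue DataType="{STRING}">{value}</xacml:AttributeValue>'
        f'<xacml:AttributeDesignator AttributeId="{attribute_id}" Category="{category}" '
        f'DataType="{STRING}" MustBePresent="false"/></xacml:Match>'
    )


# Constructed policy (ids and Task_1 are assumptions): role REGNA may read or write
# Task_1 of the app skd/taxreport, and the PEP must require authentication level 2 on Permit.
POLICY_XML = f"""<xacml:Policy xmlns:xacml="{NS['xacml']}" PolicyId="urn:altinn:example:policyid:1" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <xacml:Target/>
  <xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
    <xacml:Description>REGNA may read and write Task_1 of skd/taxreport</xacml:Description>
    <xacml:Target>
      <xacml:AnyOf><xacml:AllOf>{match_xml('urn:altinn:rolecode', SUBJECT, 'regna')}</xacml:AllOf></xacml:AnyOf>
      <xacml:AnyOf><xacml:AllOf>{match_xml('urn:altinn:org', RESOURCE, 'skd')}
          {match_xml('urn:altinn:app', RESOURCE, 'taxreport')}
          {match_xml('urn:altinn:task', RESOURCE, 'Task_1')}</xacml:AllOf></xacml:AnyOf>
      <xacml:AnyOf><xacml:AllOf>{match_xml(ACTION_ID, ACTION, 'read')}</xacml:AllOf>
          <xacml:AllOf>{match_xml(ACTION_ID, ACTION, 'write')}</xacml:AllOf></xacml:AnyOf>
    </xacml:Target>
  </xacml:Rule>
  <xacml:ObligationExpressions>
    <xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
      <xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="{MIN_AUTH_LEVEL}">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
      </xacml:AttributeAssignmentExpression>
    </xacml:ObligationExpression>
  </xacml:ObligationExpressions>
</xacml:Policy>"""


def _match_holds(match, request):
    """string-equal: the literal must appear in the request's bag for that designator."""
    literal = match.find("xacml:AttributeValue", NS).text
    designator = match.find("xacml:AttributeDesignator", NS)
    bag = request.get((designator.get("Category"), designator.get("AttributeId")), set())
    return literal in bag  # an absent attribute is an empty bag and simply does not match


def _target_holds(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match. Empty target matches all."""
    if target is None:
        return True
    return all(
        any(all(_match_holds(m, request) for m in allof.findall("xacml:Match", NS))
            for allof in anyof.findall("xacml:AllOf", NS))
        for anyof in target.findall("xacml:AnyOf", NS)
    )


def evaluate(policy_xml, request):
    """Return (decision, obligations) using simplified deny-overrides over the rules whose target holds."""
    policy = ET.fromstring(policy_xml)
    if not _target_holds(policy.find("xacml:Target", NS), request):
        return "NotApplicable", {}
    effects = [r.get("Effect") for r in policy.findall("xacml:Rule", NS)
               if _target_holds(r.find("xacml:Target", NS), request)]
    decision = "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    obligations = {}
    for ob in policy.findall("xacml:ObligationExpressions/xacml:ObligationExpression", NS):
        if ob.get("FulfillOn") == decision:  # obligations attach only to the matching effect
            for a in ob.findall("xacml:AttributeAssignmentExpression", NS):
                obligations[a.get("Category")] = a.find("xacml:AttributeValue", NS).text
    return decision, obligations


def build_request(rolecodes, org, app, task, action):
    """Model the request context an app's PEP would send: bags keyed by (category, attribute id)."""
    return {
        (SUBJECT, "urn:altinn:rolecode"): set(rolecodes),
        (RESOURCE, "urn:altinn:org"): {org},
        (RESOURCE, "urn:altinn:app"): {app},
        (RESOURCE, "urn:altinn:task"): {task},
        (ACTION, ACTION_ID): {action},
    }


def pep_allows(policy_xml, request, authentication_level):
    """PEP view: a Permit from the PDP and the minimum-authentication-level obligation satisfied."""
    decision, obligations = evaluate(policy_xml, request)
    required = int(obligations.get(MIN_AUTH_LEVEL, 0))
    return decision == "Permit" and authentication_level >= required


if __name__ == "__main__":
    req = build_request(["regna"], "skd", "taxreport", "Task_1", "read")
    print(evaluate(POLICY_XML, req))       # ('Permit', {'urn:altinn:minimum-authenticationlevel': '2'})
    print(pep_allows(POLICY_XML, req, 1))  # False: a level 1 session does not satisfy the level 2 obligation
```

Two points the run makes visible: the read and write AllOf blocks sit in one AnyOf, so either action matches, while the org, app and task matches sit in one AllOf, so a request for Task_2 or for a different app gets NotApplicable rather than Permit; and a Permit alone is not enough for the PEP, because the obligation raises the required authentication level above what the rule's target checks.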
- Guidelines for authorization rules
Authorization rules must be defined very carefully. These guidelines explain what the application owner must consider before authorization rules are set for an application.
- Rule library
Library of authorization rules that can be used in an app. Remember to replace the [RULE_ID] tags with your own IDs. [ORG] and [APP] will be replaced later, so they can remain in the file if you use Local test from January 2023 or newer.