:
Last modified: Sep 18, 2023

Defining Authorization Policy

In Altinn Studio designer, the application developer can define the policy for the application created

The application developer defines the authorization rules for an application in an XACML policy file placed in the app repository. The XACML Policy contains one or more rules which determine who can perform different actions on different resources. You can edit the XACML file in a text editor of your choice.

Rules from the application template

When you create an app in Altinn studio, it is based on the current asp.net template and will include an autogenerated XACML policy file.

The application developer can change the authorization rules in policy.xml, which lies in App/config/authorization in the application repository. You can find details about configuring the policy file below. You can also find a good amount of example rules here.

Please note that changes to the policy file are at your own risk and that it is always recommended to delegate read permissions to entities with writing permissions.

Resource Attributes

The resource attributes of rules describe which application or part of the rules apply.

AttributeDescription
urn:altinn:orgThe org part of the resource attribute defines which org that owns the app.
urn:altinn:appThe app part that identifies the app itself.
urn:altinn:taskThe task part of the resource makes it possible to have separate rules for the different tasks.
urn:altinn:eventThe event part of the resource makes it possible to have separate rules for reading events.

Example

The below example shows a part of the XACML 3.0 Policy where a resource is defined.

<xacml:AllOf>
  <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">skd</xacml:AttributeValue>
    <xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </xacml:Match>
  <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">taxreport</xacml:AttributeValue>
    <xacml:AttributeDesignator AttributeId="urn:altinn:app" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </xacml:Match>
  <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instansiate</xacml:AttributeValue>
    <xacml:AttributeDesignator AttributeId="urn:altinn:event" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </xacml:Match>
</xacml:AllOf>

Subject Attributes

The subject part of the target for the rule defines who the rule target.

AttributeDescription
urn:altinn:rolecodeThe role code is used for rule that target end users and systems.
urn:altinn:orgThe org code is used for rule that target orgs.

A complete list of role types can be found here.

It is important to read the guidelines before selecting role.

Examples

Example with role code:

<xacml:AllOf>
  <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">regna</xacml:AttributeValue>
    <xacml:AttributeDesignator AttributeId="urn:altinn:rolecode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </xacml:Match>
</xacml:AllOf>

Example with org:

<xacml:AllOf>
  <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">skd</xacml:AttributeValue>
    <xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
  </xacml:Match>
</xacml:AllOf>

Action Attributes

AttributeDescription
urn:oasis:names:tc:xacml:1.0:action:action-idThe action that rule apply to. In app this can be read, write, instantiate, complete and delete. This will be expanded when new functionality is added

Example with read action:

<xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
      <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </xacml:Match>
</xacml:AllOf>

Obligation

The obligation part is used to define information that should be used by PEP. The required authentication level is set to 2 by default. This is done as an obligation in the XACML Policy file.

If the required authentication level is set to 4, you must define that the service owner can interact with it through level 3 authentication for Maskinporten. This is because Maskinporten is defined as level 3. See the rule library for examples.

Example with authentication level 2

<xacml:ObligationExpressions>
    <xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
      <xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
      </xacml:AttributeAssignmentExpression>
    </xacml:ObligationExpression>
  </xacml:ObligationExpressions>
  • Guidelines for authorization rules

    Authorization rules must be defined very carefully. These guidelines explain what the application owner must consider before authorization rules are set for an application

  • Rule library

    Library of authorization rules that can be used in an app. Remember to replace tags ([RULE_ID]) with your own ID. [ORG] and [APP] can will be replaced later, so they can remain in the file if you use Local test from january 2023 or newer.