Resource Rights Registry
The Resource Rights Registry gives the administrator of a Resource in Resource Registry the capability to administrate which organizations and persons can access their resources.
Concept
Generally, digital services are available for all persons or all organizations of a given type. When a resource has enabled resource rights registry requirement, a reportee must be given a resource right.
The resource rights register allows defining who can use a digital service.
Used in UI
A resource that has enabled RRR will require that reportee have at least one right in the registry for the given service.
If not the resource would be hidden
Used in PDP
To use this in decision point the XACML Policy can add attributes to rules that is set by resource rights registry
<xacml:AllOf>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">innehaver</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:altinn:accessgroup" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
<xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
<xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
<xacml:AttributeDesignator AttributeId="urn:resourceright:action" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</xacml:Match>
</xacml:AllOf>
Model
The following
- ResourceID - the resource itself
- PartyID - the internal Altinn ID the reference a given organization or person
- PartyNumber - orgnumber or ssn for the given party
- PerformedBy - A specific user/person in an organization that can perform opertion (ssn? Lookup)
- RightsType - A value indicating the specic type of right. Example urn:resourceright:action
- RightsValue - A value indicating the specific value example Example urn:read
- ValidTo - Date for how long it last
- ValidFrom - When rights is valid from
API
As part of the component there will be exposed API
API for admin
This APi allows resource owners to add, update and delete resource rights
List API
The list API will be used to find resource rights for a given resource/party