Last modified: Jul 15, 2026

System architecture

System context, responsibilities and overall construction of Altinn Authorization.

Altinn Authorization is not a single application. It is a set of services that establish identity and representation, describe protected resources, administer rights, evaluate policy and record security-relevant events.

Altinn Authorization system overview
Altinn Authorization system overview

The trust chain

  1. Identity: Who, or which system, is acting?
  2. Party and representation: On behalf of which person or organisation?
  3. Resource: What is the actor trying to use?
  4. Right: Which rules, roles, delegations or consents apply?
  5. Decision: Is this action permitted in the current context?
  6. Traceability: Can the event and decision basis be examined later?

System context

AreaMain responsibilityCore components
IdentityEstablish authenticated identity contextAuthentication
Party and representationDescribe persons, organisations, roles and representationRegister
ResourceIdentify and describe services and protected objectsResource Registry
Rights administrationCreate, read and change delegations and access relationshipsAccess Management
Machine representationAllow a system to act on behalf of an organisationSystem User
Purpose-specific authorityCreate and validate consentsConsent
Access controlEvaluate policy, rights and contextAuthorization/PDP
TraceabilityProcess and store authentication and authorization eventsAudit Log

Important system boundaries

The team owns the authentication service and the authorization components described here. It does not own ID-porten or Maskinporten. Altinn Access Token is owned by Team Platform and is a dependency. Maskinporten client administration is an integration, not part of the team’s system responsibility.

A PEP enforces a decision close to the protected service and may therefore be outside the team’s components. The decision basis and PDP capability belong to the authorization system.

Architecture principles

  • Resources are explicitly identified; rights are not granted to undefined objects.
  • Identity and representation are separate concepts.
  • Administration of rights is separated from evaluation of rights.
  • PDP returns a decision; the calling PEP enforces it.
  • External tokens are evidence that is validated and translated into internal identity context.
  • Events should be correlatable across component boundaries.

The existing architecture reference remains for now. It focuses on the XACML roles PDP, PAP, PRP, PIP, Context Handler and PEP. This page is the new system-oriented entry point.