Last modified: Jun 13, 2024

Architecture

About Authorization

The typical scenario is that some event will be triggered, or data will be read, updated, or created by a digital or analog service. A service owner owns this service and has defined some business rules for who is allowed to use the service. This service needs to control who can access and modify data. Altinn Authorization provides the capability to verify and enforce this.

User scenario

Users and organizations get rights to access a service from defined rules and policies. »

Access Management component

This is work in progress.

The access management component will provide functionality to manage different aspects of authorization in Altinn:

- Delegate and revoke Altinn 2 roles
- Add and remove membership for Access Groups
- Delegate App and instance rights
- Manage delegatable Maskinporten API resources
- List access group members
- List resources that are linked to access groups

Delegation & Administration of Delegated API Access

This functionality allows users to delegate access through an API, with the help of delegating access in Maskinporten. »

Authorization

Find out more: Read more about Altinn Authorization.

About Altinn Authorization: What do you get?

Get started: Create your first resource. »

Context Handler

As an example, a decision request could contain only userId and instanceId together with the action requested.

<?xml version="1.0" encoding="utf-8"?>
<Request xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
         ReturnPolicyIdList="false"
         CombinedDecision="false"
         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:user-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">15468</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:instance-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cbdc7b44-9442-4fe0-854b-da278bf0b0e</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

The enriched decision request contains all the needed attributes for subject and resource, so the PDP can identify the correct policy and evaluate the request based on it. »

Altinn 3 Correspondence

About Altinn Correspondence: What is Altinn 3 Correspondence?

What do you get? Main features of Altinn Correspondence.

Getting Started with Altinn Correspondence: Tutorials for how to get started with Altinn 3 Correspondence, for service owners, senders and recipients.

How-to-guides: How-to-guides for Altinn 3 Correspondence.

Concepts: Explanation of concepts related to Altinn 3 Correspondence.

Reference documentation: Reference documentation for Altinn 3 Correspondence.

News and plans: News and plans for development of Altinn 3 Correspondence. »

Events

API

Public API

The following API controllers are defined:

- AppController: publishes (store and forward) and retrieves app events
- EventsController: publishes (store and forward) and retrieves generic events
- SubscriptionController: creates, retrieves, validates and deletes event subscriptions

Private API

The API controllers listed below are exclusively for use within the Notification solution:

- StorageController: saves incoming events to persistent storage (database)
- InboundController: pushes events to the events-inbound queue
- OutboundController: identifies and authorizes event subscribers and pushes event and subscriber details to the events-outbound queue
- WebhookReceiverController: provides an endpoint to support automated testing of subscriptions

Database

Events data is persisted in a PostgreSQL database. »

Migration of link services from Altinn 2

A resource can be created from scratch or imported from an Altinn 2 link service.

Import from Altinn 2 link services

If you have existing link services in Altinn 2 that are used for external authorization, these must be moved to the resource registry in the Altinn 3 platform. In Altinn Studio you can choose to create new resources based on an existing link service.

Select "Import resource". [Figure: Migration]

Enter the id to be used in the Altinn resource registry. [Figure: Migration]

When you press import, a new resource is created in Altinn Studio in the organization's repository. »

Notifications

API

Public API

The following API controllers are defined:

- OrdersController: API for retrieving one or more orders, with or without processing details and notification summaries
- EmailNotificationsOrdersController: API for placing new email notification order requests
- EmailNotificationsController: API for retrieving email notifications related to a single order
- SmsNotificationsOrdersController: API for placing new SMS notification order requests
- SmsNotificationsController: API for retrieving SMS notifications related to a single order

Internal API

The API controllers listed below are exclusively for use within the Altinn organization: »

Policy Administration Point

In Altinn Platform there is currently no Policy Administration Point functionality, but Altinn Platform provides functionality used by the other Policy Administration Points in Altinn 3. The PRP provides an API for storing policies and retrieving them.

Policy Administration Point for applications

The authorization policy for apps is defined in Altinn Studio when developing the app. See Policy Administration Point in Altinn Studio for details.

Delegated Policies

The Access Management component will allow end users to delegate rights to persons, enterprise users and organizations. »

Policy Information Point

Without this information it would be impossible for the PDP to evaluate the context request in many scenarios. For the Altinn Platform there are several Policy Information Points:

- Altinn II Authorization: get information about the roles a user or system has for a given party
- Storage PIP: get attributes about the resource in the decision request (what kind of app, who is the reportee of the data, what the current process state is)

The number of PIPs is expected to grow in the future. »