Last modified: Apr 25, 2024

Architecture

Access Management component

This is work in progress.

The access management component will provide functionality to manage different aspects of authorization in Altinn:

- Delegate and revoke Altinn 2 roles
- Add and remove membership for Access Groups
- Delegate app and instance rights
- Manage delegatable Maskinporten API resources
- List access group members
- List resources that are linked to access groups

Delegation & administration of delegated API access: this functionality allows users to delegate access through an API, by delegating access in Maskinporten. »

Authorization

The typical scenario is that some event is triggered, or data is read, updated, or created by a digital or analog service. A service owner owns this service and has defined business rules for who is allowed to use it. The service therefore needs to control who can access and modify its data; Altinn Authorization provides the capability to verify and enforce this.

User scenario: users and organizations get rights to access a service from defined rules and policies. »

Components & Modules

In 2022-2026, Altinn will modernize its authorization architecture and components, so the description below is a mix of as-is and to-be. Altinn uses attribute-based access control (ABAC): Altinn Authorization controls access through rules defined in XACML policies. Each rule defines which resource it covers, what operation (action) it applies to, and who can perform it.

Altinn Authorization - Components: the diagram below shows the future components of the new Altinn architecture. »

Context Handler

As an example, a decision request could contain only the user id and the instance id together with the requested action:

    <?xml version="1.0" encoding="utf-8"?>
    <Request xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
             ReturnPolicyIdList="false" CombinedDecision="false"
             xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute IncludeInResult="false" AttributeId="urn:altinn:user-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">15468</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute IncludeInResult="false" AttributeId="urn:altinn:instance-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cbdc7b44-9442-4fe0-854b-da278bf0b0e</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
        </Attribute>
      </Attributes>
      <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
    </Request>

The enriched decision request contains all the attributes the PDP needs for subject and resource, so that the PDP can identify the correct policy and evaluate the request against it. »
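To show what "enrichment" and the subsequent rule match look like end to end, here is an added example (not code from the Altinn project): a toy context handler that takes a minimal request of the shape above, resolves the instance and the subject's roles from constructed lookup tables, appends them as XACML attributes, and a minimal PDP that permits only when a rule matches on resource (org/app), action and role, denying by default. The urn:altinn:partyid, urn:altinn:org, urn:altinn:app, urn:altinn:task and urn:altinn:rolecode attribute ids, the lookup contents and the policy rules are assumptions made for illustration; in the real platform the context handler queries the platform registers and the PDP evaluates the app's actual XACML policy.

```python
"""Toy XACML 3.0 context handler + PDP. Constructed example: the INSTANCES and
ROLES lookups stand in for the registers a real context handler would query; the
urn:altinn:* attribute ids added here and the POLICY rules are assumptions."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
ET.register_namespace("", XACML)  # serialize with the default namespace
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed minimal request: user id, instance id and action only.
MINIMAL_REQUEST = f"""<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="{SUBJECT}">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:user-id">
      <AttributeValue DataType="{XS_STRING}">15468</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{RESOURCE}">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:instance-id">
      <AttributeValue DataType="{XS_STRING}">50001337/11111111-2222-3333-4444-555555555555</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{ACTION}">
    <Attribute IncludeInResult="false" AttributeId="{ACTION_ID}">
      <AttributeValue DataType="{XS_STRING}">Read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
</Request>"""

# Constructed stand-ins for the registers a real context handler queries.
INSTANCES = {  # instance id -> owning party and the app/task it belongs to
    "50001337/11111111-2222-3333-4444-555555555555":
        {"partyid": "50001337", "org": "ttd", "app": "demo-app", "task": "Task_1"},
}
ROLES = {("15468", "50001337"): ["DAGL"]}  # (user id, party id) -> role codes


def _category(root, category, create=False):
    """Return the <Attributes> element for a category, optionally creating it."""
    for attrs in root.findall("x:Attributes", NS):
        if attrs.get("Category") == category:
            return attrs
    if not create:
        return None
    return ET.SubElement(root, f"{{{XACML}}}Attributes", Category=category)


def get_values(root, category, attribute_id):
    """All string values carried by one attribute id within one category."""
    attrs = _category(root, category)
    if attrs is None:
        return []
    return [v.text or "" for a in attrs.findall("x:Attribute", NS)
            if a.get("AttributeId") == attribute_id
            for v in a.findall("x:AttributeValue", NS)]


def add_attribute(root, category, attribute_id, value):
    """Append one string-typed attribute to the given category."""
    attr = ET.SubElement(_category(root, category, create=True),
                         f"{{{XACML}}}Attribute", IncludeInResult="false",
                         AttributeId=attribute_id)
    ET.SubElement(attr, f"{{{XACML}}}AttributeValue", DataType=XS_STRING).text = value


def enrich(request_xml):
    """Context handler: resolve the instance and the subject's roles, add them."""
    root = ET.fromstring(request_xml)
    users = get_values(root, SUBJECT, "urn:altinn:user-id")
    instances = get_values(root, RESOURCE, "urn:altinn:instance-id")
    if len(users) != 1 or len(instances) != 1:
        raise ValueError("expected exactly one user id and one instance id")
    inst = INSTANCES.get(instances[0])
    if inst is not None:  # unknown instance: nothing to add, PDP will not match
        for key in ("partyid", "org", "app", "task"):
            add_attribute(root, RESOURCE, f"urn:altinn:{key}", inst[key])
        for role in ROLES.get((users[0], inst["partyid"]), []):
            add_attribute(root, SUBJECT, "urn:altinn:rolecode", role)
    return ET.tostring(root, encoding="unicode")


# Constructed policy: each rule names the resource, the action and who may do it.
POLICY = [
    {"org": "ttd", "app": "demo-app", "action": "Read", "rolecode": "DAGL"},
    {"org": "ttd", "app": "demo-app", "action": "Write", "rolecode": "DAGL"},
]


def evaluate(enriched_xml, policy=POLICY):
    """Minimal PDP: Permit if any rule matches, NotApplicable (deny) otherwise."""
    root = ET.fromstring(enriched_xml)
    orgs = get_values(root, RESOURCE, "urn:altinn:org")
    apps = get_values(root, RESOURCE, "urn:altinn:app")
    actions = get_values(root, ACTION, ACTION_ID)
    roles = set(get_values(root, SUBJECT, "urn:altinn:rolecode"))
    for rule in policy:
        if (rule["org"] in orgs and rule["app"] in apps
                and rule["action"] in actions and rule["rolecode"] in roles):
            return "Permit"
    return "NotApplicable"


def decide(request_xml):
    """Full path: PEP request -> context handler -> PDP decision."""
    return evaluate(enrich(request_xml))
```

Run `decide(MINIMAL_REQUEST)` to get "Permit"; change the action to one no rule names, or the user id to one with no role for the owning party, and the result is NotApplicable. The point worth keeping in mind when building a real context handler is that the PDP only sees what the handler adds: an enrichment lookup that silently falls back to a default role, or that resolves the instance without checking the owning party, becomes an authorization bypass even though the policy itself is correct.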

Altinn 3 Correspondence

- Altinn 3 Correspondence Introduction
- Altinn 3 Correspondence Requirements
- Altinn 3 Correspondence Architecture Principles
- Altinn 3 Correspondence Technical Standards
- Altinn 3 Correspondence Solution Architecture
- Altinn 3 Correspondence Advanced use cases
- Altinn 3 Correspondence Possible Future Extensions
- Altinn 3 Correspondence Security »

Events

API

Public API. The following API controllers are defined:

- AppController: publishes (store and forward) and retrieves app events
- EventsController: publishes (store and forward) and retrieves generic events
- SubscriptionController: creates, retrieves, validates and deletes event subscriptions

Private API. The API controllers listed below are exclusively for use within the Events solution:

- StorageController: saves incoming events to persistent storage (database)
- InboundController: pushes events to the events-inbound queue
- OutboundController: identifies and authorizes event subscribers and pushes event and subscriber details to the events-outbound queue
- WebhookReceiverController: provides an endpoint to support automated testing of subscriptions

Database. Events data is persisted in a PostgreSQL database. »

Roadmaps for the modernization of Altinn Authorization

By June 2025, today's Altinn solution is to be modernized and migrated to the cloud. This means that much of the current solution must be redeveloped.

Overall goals for the modernization:

- Authorization shall be an independent component and its own product.
- Ensure robust and secure operations while supporting strong growth in the use of authorization.
- Increase the pace of change in Authorization so that the path from need to solution becomes shorter.
- Improve and simplify the user flow so that it becomes easier to administer access.
- Offer new, modern APIs that make it easier to integrate with and adopt Altinn Authorization as the access-management solution for other public services.

What will be done? »

Migration of link services from Altinn 2

A resource can be created from scratch or imported from an Altinn 2 link service.

Import from Altinn 2 link services: if you have existing link services in Altinn 2 that you use for external authorization, they must be moved to the resource registry in the Altinn 3 platform. In Altinn Studio you can choose to create a new resource based on an existing link service. Select "Import resource" and give the id to be used in the Altinn resource registry. When you click import, a new resource is created in Altinn Studio in the organization's repository. »

Notifications

API

Public API. The following API controllers are defined:

- OrdersController: API for retrieving one or more orders, with or without processing details and notification summaries
- EmailNotificationsOrdersController: API for placing new email notification order requests
- EmailNotificationsController: API for retrieving email notifications related to a single order
- SmsNotificationsOrdersController: API for placing new SMS notification order requests
- SmsNotificationsController: API for retrieving SMS notifications related to a single order

Internal API. The API controllers listed below are exclusively for use within the Altinn organization: »