Architecture

In Altinn Platform there is currently no Policy Administration Point functionality, but Altinn Platform provides functionality used by the other Policy Administration Points in Altinn 3. The PRP provides API for storing policies and retrieving them. Policy Administration Point for applications The authorization policy for apps is defined in Altinn Studio when developing the app. See Policy Administration Point in Altinn Studio for details. Delegated Policies Access Management component will allow end users to delegate rights to persons, enterprise users and organizations »

Without this information it would be impossible for the PDP to evaluate the context request in many scenarios. For the Altinn Platform there are serveral Policy Information Points: Altinn II Authorization - Get information about roles a user or system has for a given party Storage PIP - Get attributes about the resource in the decision request. (what kind of app, who is the reportee of the data, what is the current process state) The number of PIP are expected to grow in the future. »

During deployment of an app the rules for the app is added to the Altinn Storage. The rules are defined as a XACML 3.0 Policy document. For delegated rights Altinn II will provide the delegated policy. See Policy Adminstration Point for details about how the policies are created. See construction components how PRP is built. »

Concept Generally, digital services are available for all persons or all organizations of a given type. When a resource has enabled resource rights registry requirement, a reportee must be given a resource right. The resource rights register allows defining who can use a digital service. Access Lists The main concept of Resource Rights Registry is that possibility to define AccessList containg a list of organizations Access List Connections When you have a list you can connect it to a resource with a set of rights given to organizations in that lists. »

Innhold på siden er under arbeid. Innholdet vil ikke være gjeldende før nye tilgangspakker trer i kraft. Dette må derfor ikke ansees som en fasit pr nå I mange tilfeller er det mulig å registrere andre organisasjoner i en eller flere roller på virksomeheten. Altinn vil i mange tilfeller da sørge for en knytning mellom disse virksomhetene slik at person som har bestemte roller i tilknyttet organisasjon da få fullmakter på vegne av den aktuelle virksomheten. »

The standard defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. The Altinn Studio and Altinn Studio Apps solution uses the XACML standard for the following XACML Reference Architecture: Used as input for defining the Altinn Studio Apps authorization architecture XACML Policy: Used to define the authorization rules for apps XACML Request: Format used for PEP to call PDP XACML Response: Format used for response from PDP to PEP. »

The Policy Decision Point is implemented in the access control component that is deployed to Altinn Platform. The Policy Decision Point follow eXtensible Access Control Markup Language (XACML) Version 3.0. This mean that the rules are defined in XACML Policies files and PDP evalutes request based on the rules. The PDP evaluates the Context Request based on standard XACML 3.0 behaviour. There is no specific Altinn behaviour. Policy Decision Point exposes a method that authorize the decision request. »