Last modified: Apr 8, 2024

Authorization

Access Management component

This is work in progress. The Access Management component will provide functionality to manage different aspects of authorization in Altinn:

- Delegate and revoke Altinn 2 roles
- Add and remove membership for access groups
- Delegate app and instance rights
- Manage delegatable Maskinporten API resources
- List access group members
- List resources that are linked to access groups

Delegation and administration of delegated API access: this functionality allows users to delegate API access, using delegation of access in Maskinporten.

Context Handler

As an example, a decision request could contain only the user id and the instance id together with the requested action:

  <?xml version="1.0" encoding="utf-8"?>
  <Request xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
           ReturnPolicyIdList="false" CombinedDecision="false"
           xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <Attribute IncludeInResult="false" AttributeId="urn:altinn:user-id">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">15468</AttributeValue>
      </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
      <Attribute IncludeInResult="false" AttributeId="urn:altinn:instance-id">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cbdc7b44-9442-4fe0-854b-da278bf0b0e</AttributeValue>
      </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
      <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
      </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
  </Request>

The context handler enriches this request so that it contains all the attributes needed for the subject and the resource; the PDP can then identify the correct policy and evaluate the request against it.
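The enrichment step, as an added Python example (not code from Altinn or from this page): it parses the minimal XACML request above, resolves the user and the instance through constructed lookup tables that stand in for the profile and instance services, and appends the resolved attributes to the subject and resource categories. The attribute ids urn:altinn:org, urn:altinn:app, urn:altinn:partyid and urn:altinn:rolecode, the lookup data and the role code DAGL are assumptions made for the example. An unknown user or instance is rejected rather than guessed, so an unresolvable request never reaches the PDP.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("", XACML)   # keep the default namespace on output
ET.register_namespace("xsi", XSI)

SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed stand-ins for the lookups a context handler makes against the
# user/party and instance services. Keys, values and attribute ids are assumed.
USERS = {"15468": {"partyid": "50001"}}
INSTANCES = {"cbdc7b44-9442-4fe0-854b-da278bf0b0e":
             {"org": "ttd", "app": "demo-app", "partyid": "50002"}}
# role codes the user's party holds for the instance owner party (assumed)
ROLES = {("50001", "50002"): ["DAGL"]}

# Constructed copy of the minimal request from the text above (declaration omitted).
SAMPLE_REQUEST = f"""<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="{SUBJECT}">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:user-id">
      <AttributeValue DataType="{STRING}">15468</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{RESOURCE}">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:instance-id">
      <AttributeValue DataType="{STRING}">cbdc7b44-9442-4fe0-854b-da278bf0b0e</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="{STRING}">Read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"/>
</Request>"""


def _tag(name):
    return f"{{{XACML}}}{name}"


def _attributes(root, category, create=False):
    """The <Attributes> element of one category (created on demand)."""
    for el in root.findall(_tag("Attributes")):
        if el.get("Category") == category:
            return el
    return ET.SubElement(root, _tag("Attributes"), Category=category) if create else None


def values_in(request_xml, category, attribute_id):
    """All AttributeValue texts for (category, attribute_id); [] if absent."""
    holder = _attributes(ET.fromstring(request_xml), category)
    if holder is None:
        return []
    return [v.text for a in holder.findall(_tag("Attribute"))
            if a.get("AttributeId") == attribute_id
            for v in a.findall(_tag("AttributeValue"))]


def _add(root, category, attribute_id, values):
    attr = ET.SubElement(_attributes(root, category, create=True), _tag("Attribute"),
                         AttributeId=attribute_id, IncludeInResult="false")
    for v in values:
        ET.SubElement(attr, _tag("AttributeValue"), DataType=STRING).text = v


def enrich(request_xml):
    """Return the request with subject and resource attributes resolved and appended."""
    user_ids = values_in(request_xml, SUBJECT, "urn:altinn:user-id")
    instance_ids = values_in(request_xml, RESOURCE, "urn:altinn:instance-id")
    if len(user_ids) != 1 or len(instance_ids) != 1:
        raise ValueError("expected exactly one user-id and one instance-id")
    user, instance = USERS.get(user_ids[0]), INSTANCES.get(instance_ids[0])
    if user is None or instance is None:
        # Never guess: an unresolved subject or resource must not reach the PDP.
        raise LookupError("unknown user or instance")
    root = ET.fromstring(request_xml)
    _add(root, RESOURCE, "urn:altinn:org", [instance["org"]])
    _add(root, RESOURCE, "urn:altinn:app", [instance["app"]])
    _add(root, RESOURCE, "urn:altinn:partyid", [instance["partyid"]])
    _add(root, SUBJECT, "urn:altinn:partyid", [user["partyid"]])
    roles = ROLES.get((user["partyid"], instance["partyid"]), [])
    if roles:  # an empty bag is left out rather than emitted as an empty attribute
        _add(root, SUBJECT, "urn:altinn:rolecode", roles)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(enrich(SAMPLE_REQUEST))
```

The original user-id and instance-id attributes are kept, so the enriched request is a strict superset of what the client sent; only resolved data is added, and the client cannot smuggle in role codes of its own because the lookup, not the request, decides what goes into the subject category.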

Progress plans for the modernisation of Altinn Authorization

By June 2025 the current Altinn solution is to be modernised and migrated to the cloud. This means that much of the current solution must be redeveloped. Overall objectives for the modernisation:

- Authorization is to be an independent component and a product of its own.
- Ensure robust and secure operations while supporting strong growth in the use of authorization.
- Increase the rate of change in Authorization so that the path from need to solution becomes shorter.
- Improve and simplify the user flow so that managing access becomes easier.
- Offer new, modern APIs that make it easier to integrate with and adopt Altinn Authorization as the access-control solution for other public services.

What is to be done?

Migration of link services from Altinn 2

A resource can be created from scratch or imported from an Altinn 2 link service.

Import from Altinn 2 link services: if you have existing link services in Altinn 2 that you use for external authorization, these must be moved to the resource registry in the Altinn 3 platform. In Altinn Studio you can choose to create new resources based on an existing link service:

1. Select import resource.
2. Give the id that will be used in the Altinn resource registry.
3. When you click import, a new resource is created in Altinn Studio in the organisation's repository.

Policy Administration Point

In Altinn Platform there is currently no Policy Administration Point functionality, but Altinn Platform provides functionality used by the other Policy Administration Points in Altinn 3. The PRP provides an API for storing and retrieving policies.

Policy Administration Point for applications: the authorization policy for an app is defined in Altinn Studio when developing the app. See Policy Administration Point in Altinn Studio for details.

Delegated policies: the Access Management component will allow end users to delegate rights to persons, enterprise users and organizations.

Policy Retrieval Point

During deployment of an app, the rules for the app are added to Altinn Storage. The rules are defined as a XACML 3.0 Policy document. For delegated rights, Altinn II provides the delegated policy. See Policy Administration Point for details about how the policies are created. See construction components for how the PRP is built.

Resource Rights Registry

Concept: generally, digital services are available to all persons or to all organizations of a given type. When a resource has enabled the resource rights registry requirement, a reportee must be given a resource right before it can use the service. The resource rights registry allows defining who can use a digital service.

Access lists: the main concept of the Resource Rights Registry is the possibility to define an access list containing a list of organizations.

Access list connections: once you have a list, you can connect it to a resource with a set of rights given to the organizations in that list.

Powers of attorney from Enhetsregisteret that link enterprises together

The content of this page is work in progress. It will not apply until the new access packages take effect, and must therefore not be regarded as authoritative for now. In many cases it is possible to register other organisations in one or more roles on an enterprise. Altinn will then in many cases establish a link between these enterprises, so that a person holding certain roles in the linked organisation receives powers of attorney on behalf of the enterprise in question.

Access Control (PDP)

The Policy Decision Point is implemented in the access control component that is deployed to Altinn Platform. The Policy Decision Point follows eXtensible Access Control Markup Language (XACML) Version 3.0. This means that the rules are defined in XACML policy files and the PDP evaluates requests based on those rules. The PDP evaluates the context request according to standard XACML 3.0 behaviour; there is no Altinn-specific behaviour. The Policy Decision Point exposes a method that authorizes the decision request.
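Standard XACML 3.0 evaluation, as an added Python example that is not Altinn's PDP code: a constructed policy with a Permit rule and a Deny rule is evaluated against attribute bags shaped like an enriched request, using the deny-overrides rule-combining algorithm and the string-equal match function (Target = AND over AnyOf, AnyOf = OR over AllOf, AllOf = AND over Match). The policy and rule ids, the attribute ids urn:altinn:org, urn:altinn:app and urn:altinn:rolecode, the role code DAGL and the action values read and write are assumptions for the example, not taken from an Altinn policy. It also illustrates a caveat a policy author should know: string-equal is case-sensitive, so an action value of Read does not match a rule written for read and yields NotApplicable. Conditions, obligations and the Indeterminate result for MustBePresent="true" are not modelled.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"


def _tag(name):
    return f"{{{XACML}}}{name}"


def _match(category, attribute_id, value):
    """One XACML <Match>: string-equal between a literal and a request attribute."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attribute_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')


# Constructed policy: rule 1 permits role DAGL to read or write on app ttd/demo-app,
# rule 2 denies every write on that app. Ids and attribute names are assumed.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="urn:example:policy" Version="1.0"
        RuleCombiningAlgId="{DENY_OVERRIDES}">
  <Target/>
  <Rule RuleId="urn:example:rule:1" Effect="Permit"><Target>
    <AnyOf><AllOf>{_match(SUBJECT, 'urn:altinn:rolecode', 'DAGL')}</AllOf></AnyOf>
    <AnyOf><AllOf>{_match(RESOURCE, 'urn:altinn:org', 'ttd')}{_match(RESOURCE, 'urn:altinn:app', 'demo-app')}</AllOf></AnyOf>
    <AnyOf><AllOf>{_match(ACTION, ACTION_ID, 'read')}</AllOf>
           <AllOf>{_match(ACTION, ACTION_ID, 'write')}</AllOf></AnyOf>
  </Target></Rule>
  <Rule RuleId="urn:example:rule:2" Effect="Deny"><Target>
    <AnyOf><AllOf>{_match(RESOURCE, 'urn:altinn:app', 'demo-app')}</AllOf></AnyOf>
    <AnyOf><AllOf>{_match(ACTION, ACTION_ID, 'write')}</AllOf></AnyOf>
  </Target></Rule>
</Policy>"""


def match_one(m, request):
    """True if ANY value in the request's attribute bag equals the literal.
    An empty bag is simply a non-match (MustBePresent="false" semantics)."""
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(m.get("MatchId"))
    literal = m.find(_tag("AttributeValue")).text
    d = m.find(_tag("AttributeDesignator"))
    bag = request.get(d.get("Category"), {}).get(d.get("AttributeId"), [])
    return literal in bag


def target_matches(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches everything."""
    if target is None:
        return True
    return all(
        any(all(match_one(m, request) for m in allof.findall(_tag("Match")))
            for allof in anyof.findall(_tag("AllOf")))
        for anyof in target.findall(_tag("AnyOf")))


def evaluate(policy_xml, request):
    """Decision for one Policy under deny-overrides: Deny > Permit > NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != DENY_OVERRIDES:
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not target_matches(policy.find(_tag("Target")), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall(_tag("Rule"))
               if target_matches(rule.find(_tag("Target")), request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def request_for(action, rolecodes):
    """Attribute bags as a context handler would have enriched them (constructed)."""
    return {
        SUBJECT: {"urn:altinn:user-id": ["15468"], "urn:altinn:rolecode": rolecodes},
        RESOURCE: {"urn:altinn:org": ["ttd"], "urn:altinn:app": ["demo-app"]},
        ACTION: {ACTION_ID: [action]},
    }


if __name__ == "__main__":
    for action, roles in [("read", ["DAGL"]), ("write", ["DAGL"]),
                          ("Read", ["DAGL"]), ("read", ["REGNA"])]:
        print(action, roles, "->", evaluate(POLICY, request_for(action, roles)))
```

The deny rule wins over the permit rule for DAGL on write, which is exactly what deny-overrides is for; a permit-overrides policy would give the opposite answer on the same input, so the combining algorithm is part of the policy's security semantics, not a formality.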

Resource Registry

This is work in progress.

Types of resources: there are different types of resources that can be registered:

- GenericAccessResource
- MaskinportenSchema
- Systemresource

Later it will be possible to register Altinn 3 Apps and legacy Altinn 2 services for legacy archive authorization (not finalized).

Generic Access Resources: GenericAccessResources will be used in the way link services are used in Altinn 2. The resource can be any type of service provided by public organizations. cpsv:PublicService was used as inspiration for the data model.