Last modified: Mar 1, 2024

security

Access Management component

This is work in progress. The Access Management component will provide functionality to manage different aspects of authorization in Altinn:

- Delegate and revoke Altinn 2 roles
- Add and remove membership for Access Groups
- Delegate app and instance rights
- Manage delegatable Maskinporten API resources
- List access group members
- List resources that are linked to access groups

Delegation & Administration of Delegated API Access

This functionality allows users to delegate access through APIs, with the help of delegating access in Maskinporten.

Context Handler

As an example, a decision request could contain only the userId and instanceId together with the action requested:

<?xml version="1.0" encoding="utf-8"?>
<Request xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
         ReturnPolicyIdList="false"
         CombinedDecision="false"
         xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:user-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">15468</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute IncludeInResult="false" AttributeId="urn:altinn:instance-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cbdc7b44-9442-4fe0-854b-da278bf0b0e</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

The enriched decision request contains all the needed attributes for subject and resource, so the PDP can identify the correct policy and evaluate the request based on it.

Migration of link services (lenketjenester) from Altinn 2

A resource can either be created from scratch or imported from an Altinn 2 link service (lenketjeneste).

Import from Altinn 2 link services

If you have existing link services in Altinn 2 that are used for external authorization, these must be moved to the resource registry in the Altinn 3 platform. In Altinn Studio you can choose to create new resources based on an existing link service:

- Choose import resource
- Give the id that will be used in the Altinn resource registry

When you press import, a new resource is created in Altinn Studio in the organization's repository.

Policy Administration Point

In Altinn Platform there is currently no Policy Administration Point functionality, but Altinn Platform provides functionality used by the other Policy Administration Points in Altinn 3. The PRP provides an API for storing and retrieving policies.

Policy Administration Point for applications

The authorization policy for apps is defined in Altinn Studio when developing the app. See Policy Administration Point in Altinn Studio for details.

Delegated Policies

The Access Management component will allow end users to delegate rights to persons, enterprise users and organizations.

Policy Information Point

Without this information it would be impossible for the PDP to evaluate the context request in many scenarios. For the Altinn Platform there are several Policy Information Points:

- Altinn II Authorization: get information about the roles a user or system has for a given party
- Storage PIP: get attributes about the resource in the decision request (what kind of app, who is the reportee of the data, what is the current process state)

The number of PIPs is expected to grow in the future.

Policy Retrieval Point

During deployment of an app, the rules for the app are added to Altinn Storage. The rules are defined as a XACML 3.0 Policy document. For delegated rights, Altinn II will provide the delegated policy. See Policy Administration Point for details about how the policies are created. See construction components for how the PRP is built.

Resource Rights Registry

Concept

Generally, digital services are available to all persons or all organizations of a given type. When a resource has enabled the resource rights registry requirement, a reportee must be given a resource right. The resource rights registry allows defining who can use a digital service.

Access Lists

The main concept of the Resource Rights Registry is the possibility to define an AccessList containing a list of organizations.

Access List Connections

When you have a list, you can connect it to a resource with a set of rights given to the organizations in that list.

Authorizations (fullmakter) from the Enhetsregisteret that link enterprises together

The content on this page is work in progress. The content will not apply until the new access packages take effect, and must therefore not be regarded as authoritative for now. In many cases it is possible to register other organizations in one or more roles on an enterprise. In many such cases Altinn will then establish a link between these enterprises, so that a person who holds certain roles in the linked organization receives authorizations on behalf of the enterprise in question.

XACML - Altinn Studio

The standard defines a declarative, fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in policies. Altinn Studio and the Altinn Studio Apps solution use the XACML standard for the following:

- XACML Reference Architecture: used as input for defining the Altinn Studio Apps authorization architecture
- XACML Policy: used to define the authorization rules for apps
- XACML Request: format used by the PEP to call the PDP
- XACML Response: format used for the response from the PDP to the PEP

Access Control (PDP)

The Policy Decision Point is implemented in the access control component that is deployed to Altinn Platform. The Policy Decision Point follows the eXtensible Access Control Markup Language (XACML) Version 3.0. This means that the rules are defined in XACML policy files and the PDP evaluates requests based on those rules. The PDP evaluates the Context Request based on standard XACML 3.0 behaviour; there is no Altinn-specific behaviour. The Policy Decision Point exposes a method that authorizes the decision request.