Altinn Platform - Authorization

The authorization component provides functionality to authorize access to applications and components in Altinn Apps and Altinn Platform.

The authorization components are based on attribute based access control (ABAC).

In short, a request is authorized based on attributes for the request. Eg what data element is the user accessing, who owns it, what type of data element, and so on.

The authorization architecture for the Altinn Platform is based on the XACML reference architecture.

The following diagram describes the different solution components that provide Authorization capabilities.

Authorization Solution components

Authorization solution components

This architecture defines the following components.

PDP - Policy Decision Point

Responsible to decide if a request is authorized or not. Read more

PAP - Policy Administration Point

Responsible for defining and administration authorization policies. Read more

PRP - Policy Retrieval Point

Responsible for identifying the correct policy for a request. Read more

Context Handler

Responsible for enriching the decision request so it can correctly be evaluated. Read more

PIP - Policy information point

Responsible for providing information about the subject and the resource to the context handler. Read more

PEP - Policy Enforcement Point

Responsible for enforcing the decision from PDP. This is the component that blocks a request or let it through.

For details about how the components are constructed go here.

The Overall Authorization flow

The sequence diagram below shows how a request is authorized

Authorization flow

Authorization flow

Example process

The following example flow describes in detail the authorization process when the REACT frontend calls an API to store form data

  1. User trigger save in the REACT application. REACT application makes an HTTP post request against the ServiceAPIController in
  2. The configured Policy Enforcement Point for the API, the Service Access Handler,
    triggers to verify that user is authorized
  3. The PEP identifies the authenticated user from authorizationhandler context and find the relevant resource ID from request
  4. The PEP calls the PDP functionality in Authorization Component in Altinn Platform
  5. PDP calls context handler to enrich the decision request
  6. Context handler calls Storage PIP to get resource information
  7. Context handler calls authorization PIP to get roles user have for resource party
  8. Context handler enriches the decision request and returns to PDP
  9. PDP calls PRP to get the policy for the resource
  10. PDP evaluates the decision request and returns a decision response
  11. If the result was Permit, the PEP validates the obligation from PDP to see if the authentication level was high enough. If it is enough the request is let through
  12. If the authentication level is not high enough the PEP will throw a not authorized exception (403)
  13. If the result was “Not Applicable” the PEP will throw a not authorized exception (403)

Authorization API

The Authorization component exposes a REST-API to Altinn Apps. Use the authorization API to manage authorizations in altinn platform.

Parties

A party is a person whom you can represent and perform a request on his behalf. A logged in user can retrieve a list of parties that he/she can represent.

Operations

Get a list of parties that the user can represent. The userid is sent as parameter.

GET /authorization/api/v1/parties?userid={userid}

Validate that a given user is allowed to represent a given party. The partyid and userid are sent as parameters.

GET /authorization/api/v1/parties/{partyId}/validate?userid={userid}

Roles

A role in altinn offers or denies right to the logged in user to perform an action or group of actions for him or on behalf of someone.

Operations

Get a list of roles that the user can perform for the selected party.

GET /authorization/api/v1/roles

Policies

A set of polices contains authorization rules.

Operations

Stores / updates rules for a given app, defined in the query string. The rules are sent in the body of the request. Reade more about the policy format.

POST /authorization/api/v1/policies?org=org&app=app

Altinn Authorization - Future

This is work in progress

In the coming years, Authorization will be modernized from being a part of Altinn 2 monolith to a cloud-native architecture.

The diagram below shows the different solution components.

Future solution Altinn Authorization

Future solution Altinn Authorization

Altinn Access Management

This component will be the component responsible for the administration of access to self and organization

  • Giving the end-users an overview of which rights he and other has
  • Administration of AccessGroups
  • Possibility to delegate and revoke rights

Github Issue

Altinn Resource Registry

This component will provide a register of

  • Altinn 3 Apps
  • Altinn 2 apps
  • External services that are hosted in other platforms but registered in Altinn for authorization purposes.

Github issue

A POC is planned

Altinn Access Groups

Altinn Access Groups component contains the Altinn defined Access Groups and information which is member of this groups.

Exposes API to list and delegate Access Groups.

Github issue

A POC is planned

Altinn Access Policies

Store for the different policies. Able to identify the correct policy based on Authorization Request.

Have functionality to create delegated policies

Github issue

A POC is planned

Altinn Access Information

Altinn Access Information exposes API for Reportee, access groups, and rights for external consumers. Therefore, it needs to be highly scalable.

Provides functionality to request consent and give consents

Github issue

Altinn Policy Decision Point

This is the core PDP responsible to evaluate if the user should get access to a given resource.

Depends on Altinn Access Groups for groups information and Altinn Access Policies for policy information.

Altinn Resource Rights Registry

A register that allows resource owner to control which organizations or person that can access a service resource.

Github Issue

  • Access Groups

    The Access Groups component is responsible for keeping track of membership of different Access Groups defined in Altinn.

  • Access Management component

    The Access Management provides functionality to end users for managing groups, roles and rights

  • Access Policies component

    The Access Policies component is the policy store for all access policies in Altinn platform.

  • Context Handler

    The responsibility to the Context Handler is to enrich a decision request sent from a PEP so it can be evaluated by PDP.

  • Policy Administration Point

    The Policy Administration Point is responsible for creating and modifying the different authorization policies used by the PDP

  • Policy Decision Point

    The Policy Decision Point is responsible to evaluate if users and systems is authorized to perform the requested operation on a resource.

  • Policy Enforcement Point

    In Altinn Platform there are PEP's that enforce access to different types of API

  • Policy Information Point

    The Policy Information Point(s) are responsible for providing needed information to the context handler so it can enrich the context request.

  • Policy Retrieval Point

    The Policy Retrieval Point is the functionality where Policy Decision Point (PDP) can retrieve the policy defined for an app resource.

  • Resource Registry

    The Resource Registry

  • Resource Rights Registry

    The Resource Rights Registry gives the administrator of a Resource in Resource Registry the capability to administrate which organizations and persons can access their resources.

  • XACML - Altinn Studio

    XACML stands for "eXtensible Access Control Markup Language".