Authorization
The authorization components provide access management and control functionality for digital and analog services hosted in the Altinn Platform or other places.
The typical scenario is that some event will be triggered, or data will be read, updated, or created by a digital or analog service. A service owner owns this service and has defined some business rules for who is allowed to use the service.
This service needs to control who can access and modify data.
Altinn Authorization provides the capability to verify and enforce this.
User scenario
Users and organizations get rights to access a service from defined rules and policies.
The below drawing show all aspects that control who and what rights a user or organization has.
Access control aspects
- Resources - describes the resource a rule applies to. It can be an app, a resource in the resource register, a specific task, or any other sub-resources to an app or resource in the rescource registry.
- Action - describes which action the rules apply to. This can be any action like read, write, sign, fire, Opendoor +++
- Subject - describes who the rules apply to. It can be a role, access group, an organization number or a specific user, and many more
- Obligation - describes additional information like minimum authentication level.
- Condition - Describes additional conditions like the reportee needs to be registered in SRR/RRR for this resource/service.
Conceptual Components
In 2022-2024, Altinn will modernize its authorization architecture and components. Therefore, the below description is a mix of as-is and to-be.
Altinn uses attribute-based access control (ABAC).
In short, Altinn authorization control access through rules defined in XACML Policies. Each rule defines which resource the rule describes, what operation, and who can perform it.
When defining the authorization components, we used the XACML reference architecture.
We have defined the following conceptual components/functional areas from the reference architecture.
PDP - Policy Decision Point
The policy decision point is responsible for deciding if an authorization request is authorized or not. It bases its decision on rules and information it has of the resource and the user/system trying to access and perform an operation on a resource.
PAP - Policy Administration Point
Responsible for defining and administering authorization policies.
In Altinn Authorization, there are the following components that function as a PAP
- Altinn Studio to define rules for Apps
- Altinn Access Management for defining delegated rules
- Altinn Resource Registry allows the administration of resource policies.
PRP - Policy Retrieval Point
The Policy Retrieval Point is responsible for finding the right policy.
In Altinn, there are two sources of Policies. Altinn Access Management for delegated policies and Altinn Resource Registry
Context Handler - In production
Responsible for enriching the decision request so authorization correctly can be evaluated. Read more
PIP - Policy information point - In production
Responsible for providing information about the subject and the resource to the context handler. Read more
PEP - Policy Enforcement Point - In Pro
Responsible for enforcing the decision from PDP. PEP is the component that blocks a request or lets it through.
Altinn Authorization - Components
The below diagram shows the future components of a new Altinn Architecture.
Future solution Altinn Authorization
This architecture defines the following components.
Altinn Access Management
This component will be the component responsible for the administration of access to self and organization
- Giving the end-users an overview of which rights they and others have.
- Administration of AccessGroups
- Possibility to delegate and revoke rights
Altinn Resource Registry
This component will provide a register of
- Altinn 3 Apps
- Altinn 2 apps
- External services are hosted on other platforms but registered in Altinn for authorization purposes.
Altinn Access Groups
The Altinn Access Groups component contains the Altinn-defined Access Groups and information about members of these groups.
Exposes API to list and delegate Access Groups.
Altinn Access Information
Altinn Access Information exposes API for Reportee, access groups, and rights for external consumers. Therefore, it needs to be highly scalable.
Altinn Consent
This component provides functionality to request consent and give consent.
Altinn Policy Decision Point
The PDP component is responsible for evaluating if the user should get access to a given resource or not.
The component has a context handler, PIP functionality, PRP information, and more. Read more
Altinn Resource Rights Registry
A register allows resource owners to control which organizations or persons can access a service resource.