Policy Enforcement Point

Description of the Policy Enforcement Point (PEP) for Altinn Studio Apps

Altinn Platform has several different Policy Enforcement Points, one for each platform service that needs to enforce access decisions.

Standard PEP

See GitHub

Attribute-based access control is best implemented with policy-based authorization in ASP.NET Core.

The Policy Enforcement Point in the ASP.NET Core web application template is implemented as an AuthorizationHandler.

The app defines a set of AuthorizationRequirements, and each operation on each API endpoint must be configured with the correct requirement. An endpoint without a requirement is not protected by the PEP.

Examples of requirements are:

- InstanceRead: the user or system must be authorized to perform the read action on the instance in its current state.
- InstanceWrite: the user or system must be authorized to perform the write action on the instance and its data in its current state.
- InstanceInstantiate: the user or system must be authorized to instantiate an instance of the app.

Based on route data (such as instanceId) and the authenticated identity, the PEP creates a decision request and calls the PDP. Based on the response, the PEP either permits or denies the request. (Deny = HTTP 403.)

The PEP also validates any obligation returned by the PDP, such as a minimum authentication level. If the obligation is not satisfied, the request is denied even though the PDP's decision was Permit. (HTTP 403.)
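The following is an added example of how the PEP described above can be written as an ASP.NET Core AuthorizationHandler. It is illustrative code, not the Altinn app template's own implementation: the IPdpClient interface, the PdpDecision model and the claim type urn:altinn:authlevel are assumptions made for the example, and the real PDP exchange (XACML) is left behind the client interface.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// One requirement per operation; ActionName is the action sent to the PDP.
public abstract class InstanceRequirement : IAuthorizationRequirement
{
    public abstract string ActionName { get; }
}
public sealed class InstanceReadRequirement : InstanceRequirement { public override string ActionName => "read"; }
public sealed class InstanceWriteRequirement : InstanceRequirement { public override string ActionName => "write"; }
public sealed class InstanceInstantiateRequirement : InstanceRequirement { public override string ActionName => "instantiate"; }

// Simplified, hypothetical model of the PDP answer: the decision plus one obligation.
public sealed class PdpDecision
{
    public bool Permit { get; set; }
    public int? MinimumAuthenticationLevel { get; set; }
}

// Hypothetical PDP client; how the decision request is serialized is out of scope here.
public interface IPdpClient
{
    Task<PdpDecision> AuthorizeAsync(ClaimsPrincipal subject, string action, string? instanceId);
}

public sealed class InstanceAuthorizationHandler : AuthorizationHandler<InstanceRequirement>
{
    // Assumed claim type carrying the level the user authenticated at.
    private const string AuthLevelClaim = "urn:altinn:authlevel";
    private readonly IPdpClient _pdp;

    public InstanceAuthorizationHandler(IPdpClient pdp) => _pdp = pdp;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, InstanceRequirement requirement)
    {
        // With endpoint routing the resource is the HttpContext of the current request.
        if (context.Resource is not HttpContext http) { context.Fail(); return; }

        // Resource attributes are taken from route data, never from the request body,
        // because the caller controls the body.
        string? instanceId = http.GetRouteValue("instanceId")?.ToString();
        if (instanceId is null && requirement is not InstanceInstantiateRequirement)
        {
            context.Fail();
            return;
        }

        PdpDecision decision = await _pdp.AuthorizeAsync(context.User, requirement.ActionName, instanceId);
        if (!decision.Permit) { context.Fail(); return; }

        // Obligation check: a Permit is only honoured if the user authenticated at the required level.
        if (decision.MinimumAuthenticationLevel is int required)
        {
            string? levelClaim = context.User.FindFirst(AuthLevelClaim)?.Value;
            if (!int.TryParse(levelClaim, out int actual) || actual < required)
            {
                context.Fail();
                return;
            }
        }

        context.Succeed(requirement);
    }
}

// Registration: one policy per requirement, and the handler that evaluates them.
public static class PepRegistration
{
    public static void AddInstancePolicies(IServiceCollection services)
    {
        services.AddScoped<IAuthorizationHandler, InstanceAuthorizationHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("InstanceRead", p => p.Requirements.Add(new InstanceReadRequirement()));
            options.AddPolicy("InstanceWrite", p => p.Requirements.Add(new InstanceWriteRequirement()));
            options.AddPolicy("InstanceInstantiate", p => p.Requirements.Add(new InstanceInstantiateRequirement()));
        });
    }
}

// Usage on an endpoint (the route must expose instanceId for the handler to find it):
// [Authorize(Policy = "InstanceWrite")]
// [HttpPut("{org}/{app}/instances/{instanceId}/data/{dataGuid}")]
// public IActionResult PutData(string instanceId, string dataGuid) { ... }
```

Two details matter for the HTTP 403 behaviour described above. First, the handler calls context.Fail() explicitly on every deny path rather than simply returning; in ASP.NET Core a requirement is met if any registered handler calls Succeed, and only an explicit Fail guarantees that no other handler can turn the result into a permit. Second, the status code comes from the authorization middleware: a failed policy gives 403 Forbidden for an authenticated caller and 401 Unauthorized (a challenge) when the caller is not authenticated at all, so the PEP itself never writes the response.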

Custom PEP