Attribute Based Access Control
Description of the Authorization Architecture for Altinn Platform
Altinn Platform uses attribute based access control (ABAC).
In short, a request is authorized based on the attributes of the request, e.g. which data element the user is accessing, who owns it, what type of data element it is, and so on.
The Authorization Component contains a large part of the authorization architecture components.
Authorization Architecture Components
The authorization architecture for Altinn Platform is based on the XACML reference architecture.
This architecture defines the following components.
The Overall Authorization flow
The sequence diagram below shows how a request is authorized.
The following example flow describes in detail the authorization process when the REACT frontend calls an API to store form data.
- The user triggers save in the REACT application. The REACT application makes an HTTP POST request against the ServiceAPIController in
- The configured Policy Enforcement Point (PEP) for the API, the Service Access Handler, is triggered to verify that the user is authorized
- The PEP identifies the authenticated user from the authorization handler context and finds the relevant resource ID from the request
- The PEP calls the PDP functionality in the Authorization Component in Altinn Platform
- The PDP calls the context handler to enrich the decision request
- The context handler calls the Storage PIP to get resource information
- The context handler calls the authorization PIP to get the roles the user has for the resource party
- The context handler enriches the decision request and returns it to the PDP
- The PDP calls the PRP to get the policy for the resource
- The PDP evaluates the decision request and returns a decision response
- If the result was Permit, the PEP validates the obligation from the PDP to see if the authentication level was high enough. If it is high enough, the request is let through
- If the authentication level is not high enough, the PEP will throw a not authorized exception (403)
- If the result was “Not Applicable”, the PEP will throw a not authorized exception (403)
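The flow above, reduced to a runnable model (an added example, not Altinn's code): the PEP builds a decision request, the context handler enriches it from the two PIPs, the PDP evaluates the PRP policy and returns Permit with an authentication-level obligation, Deny, or NotApplicable, and the PEP maps that to 200 or 403. The users, party, resource, role code and policy values are constructed sample data.

```python
"""Simplified model of the XACML-style authorization flow (constructed example)."""

# Constructed sample data standing in for the Storage PIP and the roles PIP.
STORAGE_PIP = {"instance-42": {"owner_party": "party-1", "type": "tax-form"}}
ROLES_PIP = {("user-7", "party-1"): {"DAGL"}, ("user-9", "party-1"): set()}
# Constructed policy as the PRP would return it: the role required for an
# action on a resource type, and the minimum authentication level that the
# PDP hands back to the PEP as an obligation.
PRP = {("tax-form", "write"): {"role": "DAGL", "min_auth_level": 3}}


def context_handler(request):
    """Enrich the decision request with resource info and the subject's roles."""
    resource = STORAGE_PIP[request["resource_id"]]
    roles = ROLES_PIP.get((request["user"], resource["owner_party"]), set())
    return {**request, "resource_type": resource["type"], "roles": roles}


def pdp(request):
    """Evaluate the enriched request against the policy fetched from the PRP."""
    req = context_handler(request)
    policy = PRP.get((req["resource_type"], req["action"]))
    if policy is None:
        # No rule covers this resource type / action combination.
        return {"decision": "NotApplicable", "obligations": {}}
    if policy["role"] in req["roles"]:
        return {"decision": "Permit",
                "obligations": {"min_auth_level": policy["min_auth_level"]}}
    return {"decision": "Deny", "obligations": {}}


def pep(user, auth_level, resource_id, action):
    """PEP: call the PDP, then enforce the obligation. Returns an HTTP status."""
    response = pdp({"user": user, "resource_id": resource_id, "action": action})
    if response["decision"] != "Permit":
        return 403  # Deny and NotApplicable are both "not authorized"
    if auth_level < response["obligations"]["min_auth_level"]:
        return 403  # Permit, but the authentication-level obligation is not met
    return 200


if __name__ == "__main__":
    print(pep("user-7", 3, "instance-42", "write"))  # role and level ok -> 200
    print(pep("user-7", 2, "instance-42", "write"))  # level too low     -> 403
    print(pep("user-9", 4, "instance-42", "write"))  # missing role      -> 403
    print(pep("user-7", 4, "instance-42", "read"))   # no matching rule  -> 403
```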