Policy Sets

The second level objects in policySets each contain the following parameters. Other parameters are not allowed. Note that XACML spec is heavily restricted, a.o. for the reason to prevent redundancy (and resulting possible conflicts) with the root policySet element.

maxDelegationDepth
Integer. Contained in policySets. Optional.
Optional element that, if present, indicates that further delegation of the rights, conveyed in the policy elements that are part of this PolicySet, is allowed. The value indicates the delegation steps that are allowed after this step in order to evaluate the entire delegation path to Permit.
target
Object. Contained in policySets.
Contains environment.
environment
Object. Contained in target.
Contains licenses.
licenses
Array of Strings. Contained in environment.
Array which describes which iSHARE licenses apply to this policySet.
policies
Array of Objects. Contained in policySets.
Used to express the actual rights for which evidence is being requested. Note that policies within one policySets object MUST not restrict each other, but rather offer a mechanism to express additional rights. They will be evaluated in a permit-override manner, allowing a Permit if only one of the policy elements evaluates to Permit.

Warning

For Delegation Mask (Delegation Request) only policies are required. All other parameters should be ignored.

Example:

{
  "policySets": [
    {
      "maxDelegationDepth": 5,
      "target": {
        "environment": {
          "licenses": [ "string" ]
        }
      },
      "policies": [ "object" ]
    }
  ]
}

Policies

target
Object. Contained in policies.
Describes the target, in terms of resource and action, this request applies to. It is also the scope that is permitted through the default rule.
resource
Object. Contained in target.
Contains type, identifiers and attributes.
type
String. Contained in resource.
String which describes the type of resource to which the rules apply.
identifiers
Array of Strings. Contained in resource. Optional.
Optional array of strings containing one or more resource identifiers.
attributes
Array of Strings. Contained in resource. Optional.
Optional array of attributes of the resources the delegated rights apply to.
actions
Array of Strings. Contained in target.
Array of actions that apply to this policy.
environment
Object. Contained in target. Optional
Optional field that contains serviceProviders.
serviceProviders
Array of Strings. Contained in environment. Optional
Array which lists the iSHARE client ID’s of serviceProviders which are allowed to provide services to the accessSubject as described within this policy.
rules
Array of Objects. Contained in policies.
The first rule element is the default rule that applies to the target at policies level. Note that additional rule elements within one policies object are intended to restrict each the default rule. All rule elements in a Policy will be evaluated in a deny-override manner, allowing a Permit only if all of the rule elements evaluate to Permit.

Example:

{
  "policies": [
    {
      "target": {
        "resource": {
          "type": "CONTAINER.DATA",
          "identifiers": [
            "ID.12345"
          ],
          "attributes": [
            "CONTAINER.ETA"
          ]
        },
        "actions": [
          "iSHARE.READ"
        ],
        "environment": {
          "serviceProviders": [
            "EU.EORI.NL567891234"
          ]
        }
      },
      "rules": [ "object" ]
    }
  ]
}

Rules

The default rule element contains the following parameter:

effect
String. Contained in rules.
Value must be equal to Permit.

Additional rule elements contains the following parameters. Although individually not required, at least one type, identifier or attribute MUST be specified to which additional rules apply:

effect
String. Contained in rules.
Value must be equal to Deny.
target
Object. Contained in policies.
Describes the target, in terms of resource and action, this additional rule applies to. Additional rule elements are limitations of the default rule and resource scope.
resource
Object. Contained in target.
Contains type, identifiers and attributes.
type
String. Contained in resource. Optional.
String which describes the type of resource to which the rules apply. Defaults to none if not specified.
identifiers
Array of Strings. Contained in resource. Optional.
Optional array of strings containing one or more resource identifiers. Depending on the type an identifier SHOULD be a URN.
attributes
Array of Strings. Contained in resource. Optional.
Optional array of attributes of the resources the delegated rights apply to. If omitted defaults to all attributes. Depending on the type an attribute SHOULD be a URN.
actions
Array of Strings. Contained in target. Optional.
Array of actions that apply to this policy. If no actions are listed then the default is to all iSHARE actions defined within the policy.

Example:

{
  "rules": [
    {
      "effect": "Permit"
    },
    {
      "effect": "Deny",
      "target": {
        "resource": {
          "type": "CONTAINER.DATA",
          "identifiers": [
            "ID.12378",
            "ID.12379"
          ],
          "attributes": [
            "CONTAINER.WEIGHT"
          ]
        }
      }
    }
  ]
}