Meta-delegations

Issue reference: #9+

Document status [draft/final]: Draft

NOTE: This page will become part of https://dev.ishare.eu/.

iSHARE certified Authorization Registries should support the creation of meta-delegations. A meta-delegation is created by an Entitled Party and contains a ruleset against which incoming policy creation requests (submitted to the policy creation endpoint /policies) are evaluated; based on that evaluation the requested delegation policy is automatically created or refused.

The specifications do not prescribe how an Authorization Registry exposes meta-delegation management to the Entitled Party. The following principles should be followed, however:

  • The meta-delegation must use a data license (9998 + additional licenses as applicable) to limit liability on automatically created policies.

  • The meta-delegation may use ISHARE.DELEGATION as a resource type.

  • The meta-delegation may implement the iSHARE concept of actions that can be performed on the delegations. Action names are not prescribed here, but as a best practice we suggest using "ISHARE.CREATE", "ISHARE.READ", "ISHARE.UPDATE" and "ISHARE.DELETE" to improve interoperability between Authorization Registries.

  • The meta-delegation must be limited by rules that work in the same way as described in https://ishareworks.atlassian.net/wiki/spaces/IS/pages/70222127/Structure+of+delegation+evidence. An additional requirement for a meta-delegation is that at least one rule limiting the kind of delegation that may be created through this mechanism must be present, so that a "*" meta-delegation (one that would permit the automatic creation of any delegation) cannot exist.

The Authorization Registry should provide clear information on how the rulesets of meta-delegations are processed if they overlap. Refer to the guidance section below for further information.

Guidance

The following is not part of the specifications, but is provided as guidance for implementation.

Logic when requesting the creation of delegation policies

The Authorization Registry should contain logic for handling delegation policy requests when there are overlapping meta-delegations in place.

An example of a principle that could be followed is:

  • If multiple meta-delegations apply to a request, the most recently added meta-delegation takes precedence over older ones.

Logic when requesting delegation evidence

An Authorization Registry should contain logic for handling delegation evidence requests when there are overlapping delegation policies in place. Since the creation of delegation policies can be automated, it becomes more likely that overlapping policies will occur.

Delegation policies can be distinguished by their origin:

  • Directly provided by the Entitled Party (direct delegation policies)

  • Provided based on a meta-delegation (indirect delegation policies)

Examples of principles that could be followed are:

  • Directly provided policies take precedence over policies created based on meta-delegations.

  • If multiple delegation policies apply to a request, the most recently added delegation policy takes precedence over older ones.

  • Within a policy, rules should be evaluated in a deny-override manner, allowing a Permit only if all of the rule elements evaluate to Permit.
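The following is an added example, not code from this page or from any iSHARE Authorization Registry. It models both guidance sections above in one evaluator: policy creation requests are decided by the most recently added applicable meta-delegation, delegation evidence requests give direct policies precedence over indirect ones and newer policies precedence over older ones, and rules within a policy are combined deny-override. The data model is a deliberate simplification of iSHARE delegation evidence (a single target per policy, no policySets, licenses or party identifiers, and a meta-delegation expressed as a policy whose target describes the policies it allows to be created); the `Request`, `Target`, `Rule`, `Policy` and `AuthorizationRegistry` classes and the container data in `demo()` are all constructed for this example.

```python
"""Illustrative evaluator for meta-delegations and overlapping delegation
policies. Added example: the classes below are a deliberate simplification
of iSHARE delegation evidence, not the normative schema."""
from dataclasses import dataclass, field
from itertools import count

_created = count()  # creation counter: a higher value means "more recently added"


def _admits(allowed, value):
    """A target element admits a value when it is '*' or lists the value."""
    return "*" in allowed or value in allowed


@dataclass(frozen=True)
class Request:
    """Either the single policy a party asks to create, or an access to check."""
    resource_type: str
    identifier: str
    attribute: str
    action: str


@dataclass
class Target:
    resource_types: list
    identifiers: list
    attributes: list
    actions: list

    def covers(self, req):
        return (_admits(self.resource_types, req.resource_type)
                and _admits(self.identifiers, req.identifier)
                and _admits(self.attributes, req.attribute)
                and _admits(self.actions, req.action))

    def is_unbounded(self):
        """True for a '*' target: no element limits the scope at all."""
        return all("*" in e for e in (self.resource_types, self.identifiers,
                                      self.attributes, self.actions))


@dataclass
class Rule:
    effect: str            # "Permit" or "Deny"
    target: Target = None  # Deny rules carve exceptions out of the policy target

    def evaluate(self, req):
        """A Deny rule fires only when its own target covers the request."""
        if self.effect == "Deny" and self.target.covers(req):
            return "Deny"
        return "Permit"


@dataclass
class Policy:
    target: Target
    rules: list
    origin: str = "direct"  # "direct" (Entitled Party) or "indirect" (via meta-delegation)
    seq: int = field(default_factory=lambda: next(_created))

    def decide(self, req):
        """Deny-override: Permit only if the target covers the request and every
        rule element evaluates to Permit; None when the policy is not applicable."""
        if not self.target.covers(req):
            return None
        return "Permit" if all(r.evaluate(req) == "Permit" for r in self.rules) else "Deny"


class AuthorizationRegistry:
    """Meta-delegations are modelled as Policies whose target describes the
    policies a party may have created automatically (assumption of this example)."""

    def __init__(self):
        self.meta_delegations = []
        self.policies = []

    def add_meta_delegation(self, meta):
        # Principle from the page: a "*" meta-delegation must not exist.
        if meta.target.is_unbounded():
            raise ValueError("a meta-delegation must limit the kind of delegation it creates")
        self.meta_delegations.append(meta)

    def request_policy(self, req):
        """POST /policies: the most recently added applicable meta-delegation
        decides; a Permit materialises an indirect policy for exactly `req`."""
        for meta in sorted(self.meta_delegations, key=lambda m: m.seq, reverse=True):
            decision = meta.decide(req)
            if decision is None:
                continue
            if decision == "Permit":
                self.policies.append(Policy(
                    Target([req.resource_type], [req.identifier], [req.attribute], [req.action]),
                    [Rule("Permit")], origin="indirect"))
            return decision
        return "Deny"  # no meta-delegation covers the request: refuse

    def request_evidence(self, req):
        """Direct policies before indirect ones, newest first within each group;
        the first applicable policy decides, otherwise Deny."""
        ordered = sorted(self.policies, key=lambda p: (p.origin != "direct", -p.seq))
        for pol in ordered:
            decision = pol.decide(req)
            if decision is not None:
                return decision
        return "Deny"


def rejects_wildcard_meta():
    """True when the registry refuses a '*' meta-delegation."""
    try:
        AuthorizationRegistry().add_meta_delegation(
            Policy(Target(["*"], ["*"], ["*"], ["*"]), [Rule("Permit")]))
    except ValueError:
        return True
    return False


def demo():
    """Constructed scenario walking through the precedence principles."""
    ar = AuthorizationRegistry()
    read = "ISHARE.READ"
    # Entitled Party allows READ policies on containers C1 and C2, except C2's LOCATION.
    ar.add_meta_delegation(Policy(
        Target(["CONTAINER.DATA"], ["C1", "C2"], ["*"], [read]),
        [Rule("Permit"), Rule("Deny", Target(["*"], ["C2"], ["LOCATION"], ["*"]))]))
    # A direct policy on C1 that denies ETA, added before any indirect policy exists.
    ar.policies.append(Policy(
        Target(["CONTAINER.DATA"], ["C1"], ["*"], [read]),
        [Rule("Permit"), Rule("Deny", Target(["*"], ["*"], ["ETA"], ["*"]))]))
    r1 = ar.request_policy(Request("CONTAINER.DATA", "C1", "ETA", read))       # Permit
    r2 = ar.request_policy(Request("CONTAINER.DATA", "C2", "LOCATION", read))  # Deny: deny-override
    r3 = ar.request_policy(Request("CONTAINER.DATA", "C2", "WEIGHT", read))    # Permit
    # Newer, narrower meta-delegation on C1 denying ETA: newest applicable one wins.
    ar.add_meta_delegation(Policy(
        Target(["CONTAINER.DATA"], ["C1"], ["*"], [read]),
        [Rule("Permit"), Rule("Deny", Target(["*"], ["*"], ["ETA"], ["*"]))]))
    r4 = ar.request_policy(Request("CONTAINER.DATA", "C1", "ETA", read))       # Deny
    e1 = ar.request_evidence(Request("CONTAINER.DATA", "C1", "ETA", read))     # Deny: direct beats indirect
    e2 = ar.request_evidence(Request("CONTAINER.DATA", "C2", "WEIGHT", read))  # Permit: indirect policy
    e3 = ar.request_evidence(Request("CONTAINER.DATA", "C3", "WEIGHT", read))  # Deny: no policy
    return {"create C1 ETA": r1, "create C2 LOCATION": r2, "create C2 WEIGHT": r3,
            "create C1 ETA after newer meta": r4, "evidence C1 ETA": e1,
            "evidence C2 WEIGHT": e2, "evidence C3 WEIGHT": e3}


if __name__ == "__main__":
    print(demo(), rejects_wildcard_meta())
```

Note that in `demo()` the direct policy is older than the indirect one it overrides: the origin of a policy is checked before its age, so "direct over indirect" and "newest wins" are applied as a tiered ordering rather than as competing rules. An implementation that chose a different principle (for example newest wins regardless of origin) would change the sort key in `request_evidence` and should document that choice, as the page asks.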
