Authorization/Access Control
An authorization system determines whether an agent has access to perform a given action on a particular resource.
ACP
ESS uses Access Control Policy (ACP) [1] to define the policies that determine access to a Pod’s resources.
- If
  < allOf | anyOf > (Matcher(s)) evaluates to true, AND
  < allOf | anyOf | noneOf > (Matcher(s)) evaluates to true, AND
  …
- Then
  < allow (AccessMode(s)) | deny (AccessMode(s)) | allow (AccessMode(s)) AND deny (AccessMode(s)) >
For more information, see Access Control Policy (ACP).
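The If/Then policy form above, worked through as an added Python example (not ESS or Inrupt code): a simplified model in which matchers test only the agent's WebID and the client ID, and a mode is granted when some satisfied policy allows it and no satisfied policy denies it. The `Matcher`, `Policy` and `granted_modes` names, the combining rule, and all WebIDs and client IDs are assumptions constructed for illustration.

```python
# Added illustration of the If/Then policy form; not ESS code.
# WebIDs, client IDs and policies are constructed; Matcher/Policy are hypothetical names.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Matcher:
    agents: frozenset = frozenset()   # WebIDs; empty = attribute not used
    clients: frozenset = frozenset()  # Client IDs; empty = attribute not used

    def matches(self, agent, client):
        if not (self.agents or self.clients):
            return False  # assumption: an empty matcher matches no one
        return ((not self.agents or agent in self.agents)
                and (not self.clients or client in self.clients))

@dataclass
class Policy:
    all_of: list = field(default_factory=list)
    any_of: list = field(default_factory=list)
    none_of: list = field(default_factory=list)
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

    def satisfied(self, agent, client):
        hit = lambda m: m.matches(agent, client)
        if not (self.all_of or self.any_of):
            return False  # noneOf alone never satisfies a policy
        return (all(map(hit, self.all_of))
                and (not self.any_of or any(map(hit, self.any_of)))
                and not any(map(hit, self.none_of)))

def granted_modes(policies, agent, client=None):
    """Modes allowed by a satisfied policy and denied by no satisfied policy."""
    allowed, denied = set(), set()
    for p in policies:
        if p.satisfied(agent, client):
            allowed |= p.allow
            denied |= p.deny
    return allowed - denied

ALICE, BOB = "https://id.example/alice#me", "https://id.example/bob#me"
APP, BAD_APP = "https://app.example/id", "https://bad.example/id"
team = Matcher(agents=frozenset({ALICE, BOB}))
POLICIES = [
    Policy(any_of=[team], none_of=[Matcher(clients=frozenset({BAD_APP}))],
           allow=frozenset({"Read"})),
    Policy(all_of=[team, Matcher(clients=frozenset({APP}))], allow=frozenset({"Write"})),
    Policy(all_of=[Matcher(agents=frozenset({BOB}))], deny=frozenset({"Write"})),
]
```

With these sample policies, the same agent receives different modes depending on the client it uses, and Bob's explicit deny removes Write even though the second policy allows it.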
Access Control Mechanisms
ESS supports:
- Identity-Based Access, where access to Pod resources is based on agents’ identity and, optionally, the identity of their clients.
  To use identity-based access, the resource must have ACPs that specify the Agents’ WebIDs (and, optionally, Client IDs). For details, see Identity-Based ACPs.
- Access Grants, where access to Pod resources can be requested and granted.
  To use access grants, the resource must have an ACP that enables the use of access grants. For details, see Access Grants ACPs.
Authorization Services
To support authorization, ESS provides the following services: