Authorization/Access Control

An authorization system determines whether an agent has access to perform a given action on a particular resource.

ACP

ESS uses Access Control Policy (ACP) [2] to define the policies that determine access to Pod’s resources.

If

< allOf | anyOf > (Matcher(s)) evaluates to true, AND

< allOf | anyOf | noneOf > (Matcher(s)) evaluates to true, AND

…

Then

<allow (AccessMode(s)) | deny (AccessMode(s)) | allow (AccessMode(s)) AND deny (AccessMode(s)) >

For more information, see Access Control Policy (ACP).

Access Control Mechanisms

ESS supports:

• Identity-Based Access, where access to Pod resources is based on agents’ identity, and optionally, the identity of their clients.

  To use identity based access, the resource must have ACPs that specify the Agents’ WebIDs (and, optionally, Client IDs). For details, see Identity-Based ACPs.

• Access Grants, where access to Pod resources can be requested and granted.

  To use access grants, the resource must have ACP that enables the use of access grants. For details, see Access Grants ACPs.

Authorization Services

To support authorization, ESS provides the following services:

• Authorization Service

• UMA Service

• Access Grant Service

Authorization and Clients

ESS supports the the use of Client IDs in client allow lists and access policies. [1]

Client Allow Lists

Operators can use Client IDs in the following allow lists:

• INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST (New in version 2.1).

  • INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is used to initialize a Pod’s default access policies, specifically the policies’ client matcher. To configure this option, see Set Initial Pod Clients Allow List for an example.

• INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST.

  • INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST determines which applications can modify the Access Control Resource (i.e., which applications can modify the Access Control Policies for Pod resources). To configure this option, see Set Authorization Client Allow List for an example.

    This list may also used to initialize a Pod’s access policies if INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is unset.

• INRUPT_VC_CLIENT_ID_ALLOW_LIST.

  • INRUPT_VC_CLIENT_ID_ALLOW_LIST determines which applications can access the /issue Endpoint and the /status Endpoint.

Client Matchers

Client IDs can be used in Client Matcher statements in Access Control Policy (ACP) policies.

For example, if client allow list configuration for the initial policy is set, ESS creates default ACP policies of the form:

If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write).

[1]

ESS does not support the use of dynamically registered Client ID values in client allow lists and access policies.

[2]

Inrupt does not provide support for ESS servers running Web Access Control (WAC) in Production.