Contents x
    Working with assetContext
    • 16 Jun 2024
    • 3 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Working with assetContext

    • Updated on 16 Jun 2024
    • 3 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    About the Asset Context Capability

    The assetContext capability enhances access control by considering contextual information related to Assets when making Authorization decisions. It allows for a more granular control by incorporating factors like relationships between Assets and contextual parameters. This enables more precise and adaptive access control Policies, improving security and compliance.

    Data access through Applications is a common use case in which assetContext can provide significant benefits. Data Access Policies can also incorporate contextual information to determine access more effectively.

    Utilizing the assetContext Capability

    The assetContext capability has been implemented across all Authorization endpoints, which enhances the Policy Decision Point (PDP) by incorporating assetContext in the decision-making process. Through this capability, the PDP conducts further filters the response, taking into account the assetContext, and retrieves the response accordingly.

    The assetContext capability provides several additional benefits in terms of access decision-making:

    • Optimized Filtering: By incorporating assetContext, the access decision-making process becomes more optimized and targeted to the specific Application's needs. The capability allows for a more refined and adaptable access control, enabling the system to tailor the response based on the Contextual Assets or Attributes associated with the Asset.

    • Flexibility and adaptability: The assetContext capability allows for dynamic adjustment of access based on the context of the requested Asset. This makes the access decision-making process flexible and can be particularly useful in dynamic or evolving Environments. This flexibility enables organizations to adapt their access control mechanisms to changing business requirements and data contexts without significant reconfiguration or changes to the underlying infrastructure.

    Sample Use Case

    AccountMan is a web-based application used by a financial organization to manage customer accounts. The application allows authorized users to view and update account information based on their assigned roles. The extent of access granted is determined by the classification of data, ensuring that users can only access specific accounts and view designated fields based on their authorized permissions.

    Authorization Flow

    The flow below illustrates AccountMan’s Application Authorization flow. In Step 1, users can see a list of permitted accounts (objects). In Step 2, they can navigate to a specific account and depending on their permissions, view specific fields in the account.

    image.png

    Sample Policies

    • HR Employees or Managers can access Public Accounts and non-sensitive Account fields.

    • Managers can access Private Accounts and personally identifiable information fields(PII).

    image.png

    For instance, a manager in the organization may have access to both Public and Private accounts. However, the fields visible to the manager within each classified account may vary. In a public account (e.g., acc1), the manager may be able to see the ID, name, and description fields. In contrast, in a private account (e.g., acc2), the manager may have access to fields such as balance, currency, and owner, which could be classified as PII fields.

    Sample Data

    Accounts

    IDSecurity_classification
    acc1Public
    acc2Private

    Account Fields

    Field IDField Classification
    account_namenon-sensitive
    account_descnon-sensitive
    account_idnon-sensitive
    account_balancePII
    account_currencyPII
    account_ownerPII

    Sample Request and Response

    The following example demonstrates how the assetContext capability is used within the User Access Token endpoint. In this scenario, the Authorization query revolves around determining which account fields a user with a manager role can access, specifically within the context of acc1.

    The response indicates that the manager has access to non-sensitive classified Account fields because acc1 is classified as public:

    {
   "entityId": "Manager_user", 
   "clientId": "******",
   "clientSecret": "********",
   "assetContext": [
           { 
               "resourceType": "Accounts", 
               "path": "acc1", 
               "action": "ACCESS"
           }
       ]
}

    {
  "data": [
    {
      "assetContext": {
        "resourceType": "Accounts",
        "path": "acc1"
      },
      "output": {
        "accessResponse": {
          "tokenValidity": 0,
          "response": [
            {
              "access": [
                {
                  "path": "account_name",
                  "attributes": {
                    "path": [
                      "account_name"
                    ],
                    "fieldClassification": [
                      "non-sensitive"
                    ]
                  },
                  "resourceType": "account_fields",
                  "actions": [
                    {
                      "action": "ACCESS"
                    }
                  ]
                },
                {
                  "path": "account_desc",
                  "attributes": {
                    "path": [
                      "account_desc"
                    ],
                    "fieldClassification": [
                      "non-sensitive"
                    ]
                  },
                  "resourceType": "account_fields",
                  "actions": [
                    {
                      "action": "ACCESS"
                    }
                  ]
                },
                {
                  "path": "account_id",
                  "attributes": {
                    "path": [
                      "account_id"
                    ],
                    "fieldClassification": [
                      "non-sensitive"
                    ]
                  },
                  "resourceType": "account_fields",
                  "actions": [
                    {
                      "action": "ACCESS"
                    }
                  ]
                }
              ]
            }
          ]
        },
        "error": ""
      }
    }
  ],
  "contextData": null
}

    The assetContext capability enables the option to include multiple assetContext objects in a single request. As a result, the response provides separate contextual responses for each of the objects included.

    In summary, the assetContext capability provides benefits such as enhanced granularity, simplified implementation, alignment with business logic, improved performance, and flexibility in access decision-making. These benefits contribute to more robust and efficient access control mechanisms, supporting organizations in effectively managing and securing their data assets.

    Was this article helpful?
    What's Next