Authorisations
Authorisation
Authorisation is a record of someone (the Principal) giving another (the Delegate) the authorisation to perform actions of certain type for a limited time. The ID service serves as a trusted storage of these records.
Type
The authorised action type is defined with a text (String). The content of that text can be anything. The meaning must be agreed between the creator of the Authorisation and the consumers of the Authorisation information.
Principal
Principal is the entity whose authority to perform actions is given to the Delegate. The Delegate will therefore perform the actions on behalf of the Principal.
In the Authorisation API the Principal is also called the Object of the Authorisation.
The Principal can be one of:
-
An User account - identified by the User account’s ID
-
An arbitrary String - meaning is defined by creator of the Authorisation
-
An User Group - identified by the Group’s ID
-
A Contact - identifed by the Contact’s ID
-
A Target - identified by the Target’s ID
Delegate
Delegate is the entity to whom authority to perform actions is given by the Principal.
In the Authorisation API the Delegate is also called the Subject of the Authorisation.
The Delegate can be one of:
-
An User account - identified by the User account’s ID
-
An User Group - identified by the Group’s ID
-
An arbitrary String - meaning is defined by creator of the Authorisation
Time limitation
Authorisations have a limited lifetime. They come into effect at a specified start time, and remain in effect until another specified end time.
The start time must be specified when creating an Authorisation, or the current time will be used.
The end time can be specified when creating an Authorisation, or alternatively a default time, configured in the Namespace settings of the Delegate, may be used.
The Authorisation is not active until the start time has passed, and ceases to be active when the end time has passed.
Revocation
Authorisations can be revoked before they have expired. They can be revoked either by the creator of the Authorisation, or the Principal of it.
Access
The creator of an Authorisation (an User or a Management API Client) has access to Authorisations they have created. The Principal and the Delegate also have access to Authorisations they are connected to.
Authorisations are connected to a selected namespace upon creation. Often it is the namespace of the Authorisation creator, or the Delegate. This has effect mostly as a restriction to administrator access to the Authorisations.
After expiration or revocation
Authorisations which are no longer in effect will stay in the system until a configured amount of time has passed. After that time they will be purged from the system permanently by an automated system.
Modification (restricted)
Authorisations should not be modified after creation. Instead they should be revoked and another Authorisation be created.
Previously entities with a special permission were allowed to modify Authorisation records, currently only the time limit modification is permitted for such entities.
Deletion (restricted)
Authorisations can be “soft deleted” by entities with a special permission. Such Authorisations are not effective any more, but they remain in the system for auditing. The recommendation is to revoke Authorisations instead.
Sources of Authorisations
The Authorisation system stores Authorisations from different sources.
Authorisations created through our APIs and user interfaces are completely managed by our systems and support all the features.
Some Authorisations may come from external sources and are only partially imported to our system. They may lack some data and actions such as revocation may be ineffective through our APIs. Such authorisations must be managed through the original service.
Authorisation system configuration
Some Authorisation features are adjustable in Namespace settings.
Default validity time
Authorisations without a specific end time will stay in effect from the start time for the length of this duration.
Purge delay time
This configuration controls how long Authorisations are kept in the system after they have expired or been revoked.