docs(access-rules): clarify Descriptor FieldIdentifier applicability#78
Open
aorzelskiGH wants to merge 1 commit into
Open
docs(access-rules): clarify Descriptor FieldIdentifier applicability#78aorzelskiGH wants to merge 1 commit into
aorzelskiGH wants to merge 1 commit into
Conversation
$aasdesc / $smdesc address Registry metadata. In deployments without a Registry profile, access rules that use these prefixes have no data to evaluate against. This PR documents: - the data is only available in Registry profiles (per IDTA-01002 "FieldIdentifier Applicability per Profile"); - rules that reference $aasdesc / $smdesc in non-Registry deployments are treated as "not applicable" — neither grant nor deny — and MUST NOT cause evaluation to fail; - implementations SHOULD scope Descriptor-based rules to deployments where at least one Registry profile is supported. Refs: Review Finding T-07 Made-with: Cursor
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| In deployments that do not expose Registry endpoints (pure Repository profiles such as `AssetAdministrationShellRepositoryServiceSpecification/SSP-002`), access rules that reference `$aasdesc` or `$smdesc` are *not applicable*: the referenced metadata does not exist in the deployment, so the rule neither grants nor denies access. Evaluation MUST NOT fail because of such a rule; the rule is skipped for that request and any other applicable rules continue to apply. | ||
|
|
||
| Implementations SHOULD therefore scope Descriptor-based rules to deployments in which at least one Registry profile is supported. The concrete applicability per IDTA-01002 profile is listed in IDTA-01002 § "Service Specifications and Profiles", sub-section xref:IDTA-01002:http-rest-api/service-specifications-and-profiles.adoc#fieldidentifier-applicability[FieldIdentifier applicability per profile]. |
|
|
||
| In deployments that do not expose Registry endpoints (pure Repository profiles such as `AssetAdministrationShellRepositoryServiceSpecification/SSP-002`), access rules that reference `$aasdesc` or `$smdesc` are *not applicable*: the referenced metadata does not exist in the deployment, so the rule neither grants nor denies access. Evaluation MUST NOT fail because of such a rule; the rule is skipped for that request and any other applicable rules continue to apply. | ||
|
|
||
| Implementations SHOULD therefore scope Descriptor-based rules to deployments in which at least one Registry profile is supported. The concrete applicability per IDTA-01002 profile is listed in IDTA-01002 § "Service Specifications and Profiles", sub-section xref:IDTA-01002:http-rest-api/service-specifications-and-profiles.adoc#fieldidentifier-applicability[FieldIdentifier applicability per profile]. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Clarify in the Access Rule Model that Descriptor-based FieldIdentifiers (
$aasdesc,$smdesc) are only meaningful in Registry deployments, and specify how non-applicable rules MUST behave.Problem
$aasdescand$smdescaccess Registry metadata that is only exposed by the Registry profiles of IDTA-01002. In deployments that do not implement a Registry profile (e.g. a pure AAS Repository deployment), there is no descriptor data to evaluate against. The specification currently does not say what should happen for such a rule, so implementations disagree on whether to fail, deny or ignore it.Solution
Add a small "Descriptor FieldIdentifier Applicability" paragraph to the Objects section of the Access Rule Model. Rules that reference
$aasdescor$smdescin non-Registry deployments are treated as not applicable: they neither grant nor deny and MUST NOT cause evaluation to fail. A cross-reference points to the new "FieldIdentifier Applicability per Profile" table in IDTA-01002.Affected files
documentation/IDTA-01004/modules/ROOT/pages/access-rule-model.adocReview notes
admin-shell-io/aas-specs-api#584introduces the applicability table referenced from here.Refs: Review Finding T-07