
Authorization

The OSDU data platform has two additional services that are used together with the Policy Service to perform data authorization:

  • the Entitlements service, which provides information about user group membership;
  • the Legal service, which provides additional attributes that can be used to conform to legal and organizational regulations.

The data authorization policies define the requests made to OSDU services and the assertions OPA needs in order to evaluate user authorization. The Entitlements service requires the x-user-id and data-partition-id headers on every call so that it can check whether the user belongs to a service group within that partition and is therefore authorized to access a record or make a request; this is why these headers must be included in the calls the policies make to OSDU services.

The Policy Service APIs are consistent with the other OSDU APIs in that they require a Bearer token in the Authorization header and the data partition in the data-partition-id header for all calls. Similarly, the user making the call must belong to the required service group to be authorized to make it.

For the Policy Service, the relevant service groups are service.policy.user and service.policy.admin (configurable in conf.py, but changing them there will not update the inline OpenAPI/swagger documentation).

OSDU data platform policy designers with the required permissions (e.g., OSDU admin) can write complex expressions defining who can discover and access what data, using information about:

  • data, or more specifically record metadata, which contains id, kind, acl, legal, and tags;
  • Entitlements groups, which correspond to the flattened list of all groups the user is a member of and can be referenced in a record acl;
  • legal tags, which are referenced from the record's legal block.
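As an added example (not code from the OSDU Policy Service or its bundled policies), the following Rego policy shows how such an expression can combine the three inputs listed above: the record's acl and legal block, the caller's flattened entitlement groups, and the set of currently valid legal tags. The input document shape (`input.record`, `input.groups`, `input.valid_legal_tags`) and all group and tag names are assumptions made for this illustration, not the Policy Service's actual input schema.

```rego
# Added example, not part of the OSDU Policy Service. The input document shape
# used here (input.record, input.groups, input.valid_legal_tags) is assumed for
# illustration and is not the Policy Service's own schema.
package osdu_example.data_authz

import future.keywords.if
import future.keywords.in

default allow := false

# Read access: the caller's flattened entitlement groups must intersect the
# record's ACL (viewers or owners), and every legal tag the record references
# must be valid.
allow if {
	user_in_acl(input.record.acl.viewers)
	legal_tags_valid
}

allow if {
	user_in_acl(input.record.acl.owners)
	legal_tags_valid
}

# True when at least one of the user's groups is listed in acl_groups.
user_in_acl(acl_groups) if {
	some group in input.groups
	group in acl_groups
}

# A record is only accessible while all of its legal tags are valid; a single
# invalid (e.g. expired) tag denies access to the whole record.
legal_tags_valid if {
	not has_invalid_legal_tag
}

has_invalid_legal_tag if {
	some tag in input.record.legal.legaltags
	not valid_tag(tag)
}

valid_tag(tag) if {
	tag in input.valid_legal_tags
}

# Constructed sample record for `opa test`; ids, groups and tags are made up.
sample_record := {
	"id": "example-partition:work-product-component--WellLog:0001",
	"kind": "osdu:wks:work-product-component--WellLog:1.0.0",
	"acl": {
		"viewers": ["data.default.viewers@example-partition.example.com"],
		"owners": ["data.default.owners@example-partition.example.com"],
	},
	"legal": {"legaltags": ["example-partition-public-usa-dataset"]},
}

test_viewer_with_valid_tag_allowed if {
	allow with input as {
		"record": sample_record,
		"groups": ["data.default.viewers@example-partition.example.com"],
		"valid_legal_tags": {"example-partition-public-usa-dataset"},
	}
}

test_user_outside_acl_denied if {
	not allow with input as {
		"record": sample_record,
		"groups": ["users@example-partition.example.com"],
		"valid_legal_tags": {"example-partition-public-usa-dataset"},
	}
}

test_invalid_legal_tag_denied if {
	not allow with input as {
		"record": sample_record,
		"groups": ["data.default.owners@example-partition.example.com"],
		"valid_legal_tags": set(),
	}
}
```

Save the file as, for example, data_authz_test.rego and run `opa test .` in that directory; the three `test_` rules exercise the allow, deny-by-ACL and deny-by-legal-tag paths. The deny-by-legal-tag case is the one worth noting: a user who is a record owner is still refused when any referenced legal tag is no longer valid, which is the behaviour the Legal service's attributes are meant to enforce.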