Policies and API authorization
Status
- Proposed
- Trialing
- Under review
- Approved
- Retired
Context & Scope
R2 uses the entitlements service and service groups to manage API authorization. API authorization can be viewed as just another form of policy enforcement.
Decision
In R3, API authorization should be external to the service implementation. Consider the feasibility of using policies for API authorization in R3. Document the findings and conduct a review. If feasible and accepted, replace the current implementation with policies that enforce API authorization.
Rationale
API authorization can be viewed as just another form of policy enforcement.
Consequences
Simplification of OSDU implementation and administration.
When to revisit
In case of performance degradation.
Alternatives and implications
- Leave API authorization as it is in R2.
- Use a different type of policy for API authorization than for data entitlements and obligations.
Decision criteria and trade-offs
- Performance
- Usability
- Configurability
- Maintainability
Decision timeline
July 2020