docs(annex): add normative Operation-to-RIGHT mapping#586
Open
aorzelskiGH wants to merge 1 commit into IDTA-01002-3-2_working from
Conversation
Add a new annex that defines, for every AAS HTTP/REST API operation, the RIGHT (per IDTA-01004 rightsEnum) an access-rule enforcement point MUST use. The table covers:

- AAS Repository and AAS Service operations (shells, submodels, submodel elements, attachments, operation invocation),
- Concept Description Repository operations,
- Registry operations (shell- and submodel-descriptors),
- Discovery operations (/lookup/shells),
- /description and /query.

For PUT on client-addressable resources, the required RIGHT is listed as "CREATE or UPDATE" and the enforcement point resolves the right at request time based on existence.

Also register the new annex in nav.adoc.

Refs: Review Finding T-10
Made-with: Cursor
QDJVMC found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
Summary

Add a normative annex "Operation to RIGHT Mapping" that binds every AAS HTTP/REST API operation to a RIGHT value from IDTA-01004's rightsEnum, together with a compatible ROUTE literal example.

Problem

IDTA-01004 provides an indicative mapping from RIGHTS to HTTP methods, but the per-operation mapping (operationId -> RIGHT) is not defined in either spec. Enforcement points therefore make inconsistent choices, in particular for:

Solution

Add pages/annex/operation-to-right-mapping.adoc with a normative table covering Shell, Submodel, SubmodelElement, attachment, ConceptDescription, Descriptor (AAS / Submodel Registry), Discovery, Description and Query operations. Register the annex in nav.adoc.

Affected files

- documentation/IDTA-01002-3/modules/ROOT/pages/annex/operation-to-right-mapping.adoc (new)
- documentation/IDTA-01002-3/modules/ROOT/nav.adoc

Review notes

admin-shell-io/aas-specs-security#... references this annex from the Rights-and-operation-verbs section.

Refs: Review Finding T-10
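The enforcement behaviour the PR description and commit message call for, as an added example that is not part of this PR, the annex, or the IDTA specifications: an access-rule enforcement point looks up the RIGHT for an (HTTP method, operationId) pair and, for PUT on a client-addressable resource, resolves "CREATE or UPDATE" at request time from whether the target already exists. The table entries, the operationId strings, and the rights READ, DELETE and EXECUTE are assumptions for illustration; only CREATE and UPDATE are named on this page.

```python
"""Access-rule enforcement point (PEP) sketch for AAS HTTP/REST operations.

Added example, not code from the IDTA specifications or this PR. It shows
how a PEP can look up the RIGHT an operation needs and, for PUT on a
client-addressable resource, resolve "CREATE or UPDATE" at request time
from the existence of the target. The operation entries below and the
rights READ, DELETE and EXECUTE are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Right(Enum):
    CREATE = "CREATE"
    READ = "READ"
    UPDATE = "UPDATE"
    DELETE = "DELETE"
    EXECUTE = "EXECUTE"


# Sentinel for table entries the PEP resolves per request (the PUT rule).
CREATE_OR_UPDATE = object()

# Hypothetical excerpt of an operationId -> RIGHT table, keyed by
# (HTTP method, operationId). Assumed entries, not the annex's content.
OPERATION_RIGHTS: Dict[Tuple[str, str], object] = {
    ("GET", "GetAssetAdministrationShellById"): Right.READ,
    ("POST", "PostAssetAdministrationShell"): Right.CREATE,
    ("PUT", "PutAssetAdministrationShellById"): CREATE_OR_UPDATE,
    ("DELETE", "DeleteAssetAdministrationShellById"): Right.DELETE,
    ("POST", "InvokeOperation"): Right.EXECUTE,
}


def required_right(method: str, operation_id: str,
                   resource_exists: Callable[[], bool]) -> Optional[Right]:
    """Return the RIGHT the request needs, or None for an unmapped operation.

    resource_exists is evaluated by the PEP against the server's own state;
    a client-supplied hint (header or body flag) must never replace it.
    """
    entry = OPERATION_RIGHTS.get((method.upper(), operation_id))
    if entry is None:
        return None
    if entry is CREATE_OR_UPDATE:
        return Right.UPDATE if resource_exists() else Right.CREATE
    return entry


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required: Optional[Right]
    reason: str


def enforce(method: str, operation_id: str, granted: Set[Right],
            resource_exists: Callable[[], bool]) -> Decision:
    """Fail closed: an unmapped operation is denied, not treated as READ."""
    right = required_right(method, operation_id, resource_exists)
    if right is None:
        return Decision(False, None, "operation not in RIGHT table")
    if right in granted:
        return Decision(True, right, "granted")
    return Decision(False, right, "missing " + right.value)


# Constructed in-memory repository standing in for the AAS server's state.
SHELLS = {"https://example.com/ids/aas/1": {"idShort": "Pump1"}}


def put_shell_decision(aas_id: str, granted: Set[Right]) -> Decision:
    """PUT on /shells/{aasIdentifier}: existence decides CREATE vs UPDATE."""
    return enforce("PUT", "PutAssetAdministrationShellById", granted,
                   lambda: aas_id in SHELLS)


if __name__ == "__main__":
    only_update = {Right.READ, Right.UPDATE}
    # Existing shell: PUT needs UPDATE, which this caller holds.
    print(put_shell_decision("https://example.com/ids/aas/1", only_update))
    # Unknown shell: PUT needs CREATE, which this caller lacks.
    print(put_shell_decision("https://example.com/ids/aas/2", only_update))
```

Two points a practitioner would check in a real enforcement point: the existence test feeding the PUT rule must come from the server's own store, never from anything in the request, and the two denial outcomes (missing CREATE versus missing UPDATE) should produce the same status and body towards the client, since a distinguishable response would tell a caller without READ whether the identifier exists.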