Alternative to XACML access policy file

Description

Currently each app contains a policy.xml file, containing rules for access control in the XACML format.

The XACML-format, while very flexible, has some major drawbacks:

Extremely verbose and complex, making it very hard to read or edit by hand.
This makes it easy to make mistakes, causing misconfigurations.
Complex XML, making it hard to create a graphical user interface for editing the policy
Not easy to create a simple schema for intellisense and validation
Resources in rules in policy.xml contains org-name and app-name, making forking and reusing across apps harder.
Use of obligation for defining authentication level feels a little "off". Would using Conditions be better?

To solve these problems, we should do the following:

Create a new format based on JSON Schema, that will provide intellisense and validation in vscode and Gitea GUI. Here's an initial draft (wip): https://altinncdn.no/schemas/json/policy/policy.schema.v1.json
Add a default policy.json in new apps instead of policy.xml.
Create a converter for converting policy.json to policy.xml, triggered when building the app. This way our authorization-engine can still be standard and keep on using XACML 3.0 without any changes. This format could help solve #26

Sample

See this page (work in progress) to see examples of the difference between the current format and a potential JSON-format.

Simple app policy

XML XACML

<?xml version="1.0" encoding="utf-8"?>
<xacml:Policy xmlns:xsl="http://www.w3.org/2001/XMLSchema-instance" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:altinn:example:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <xacml:Target/>
  <xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
    <xacml:Description>Example rule where policy only defines the base resource in app and give a person with the accessgroup:lonn all the actions. Service has two task. DATA + CONFIRMATION but not listed</xacml:Description>
    <xacml:Target>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">lonn</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:accessgroup" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
        <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ttd</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ssb</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:org" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">lonnstatistikk</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:app" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instantiate</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
     <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
     <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confirm</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
     <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
    </xacml:Target>
  </xacml:Rule>
  <xacml:ObligationExpressions>
    <xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
      <xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
      </xacml:AttributeAssignmentExpression>
    </xacml:ObligationExpression>
  </xacml:ObligationExpressions>
</xacml:Policy>

JSON VARIANT 1

{
    "Rules": [
        {
            "AccessSubject": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:accessgroup",
                            "Value": "lonn"
                        }
                    ]
                },
               {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        }
                    ]
                }
            ],
            "Action": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "write",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
               {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "confirm",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                 {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "delete",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "ssb"
                        },
                        {
                            "AttributeId": "urn:altinn:app",
                            "Value": "lonnstatistikk"
                        }
                    ]
                }

]
}

JSON Variant 2

{
    "Rules": [
        {
            "AccessSubject": [
                [
                    "urn:altinn:accessgroup=lonn"
                ],
                 [
                    "urn:altinn:org=ssb"
                ]
            ],
            "Action": [
                    "read",
                    "write",
                    "confirm",
                    "delete"
            ],
            "Resource": [
                [
                    "urn:altinn:org=ssb",
                    "urn:altinn:app=lonnstatikk"
                ]
            ]
        }
   ]
}

Cant set datatype. Default to string. We can define som standard datatypes for the standard attribute type (like partyid, rolecode++)
Cant set compare algorithm

Resource Registry: API Admin Altinn Portal

XACML Version

<?xml version="1.0" encoding="utf-8"?>
<xacml:Policy xmlns:xsl="http://www.w3.org/2001/XMLSchema-instance" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="urn:altinn:example:policyid:1" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <xacml:Target/>
  <xacml:Rule RuleId="urn:altinn:example:ruleid:1" Effect="Permit">
    <xacml:Description>Rule giving apiadm and adpiadmnuf read and write right to API selection functionality in Altinn portal</xacml:Description>
    <xacml:Target>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">apiadm</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:rolecode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">apiadmnuf</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:rolecode" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">altinn_maskinporten_scope_delegation</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:altinn:resourceregistry" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
      <xacml:AnyOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
        <xacml:AllOf>
          <xacml:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</xacml:AttributeValue>
            <xacml:AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </xacml:Match>
        </xacml:AllOf>
      </xacml:AnyOf>
    </xacml:Target>
  </xacml:Rule>
  <xacml:ObligationExpressions>
    <xacml:ObligationExpression FulfillOn="Permit" ObligationId="urn:altinn:obligation:authenticationLevel1">
      <xacml:AttributeAssignmentExpression AttributeId="urn:altinn:obligation1-assignment1" Category="urn:altinn:minimum-authenticationlevel">
        <xacml:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</xacml:AttributeValue>
      </xacml:AttributeAssignmentExpression>
    </xacml:ObligationExpression>
  </xacml:ObligationExpressions>
</xacml:Policy>

Json Version

{
    "Rules": [
        {
            "Description": "Rule giving apiadm and adpiadmnuf read and write right to API selection functionality in Altinn portal. Because we say so"
            "AccessSubject": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:accessgroup",
                            "Value": "apiadm"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:accessgroup",
                            "Value": "apiadmnuf"
                        }
                    ]
                }
            ],
            "Action": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:resourceregistry",
                            "Value": "altinn_maskinporten_scope_delegation"
                        }
                    ]
                }
            ]
        }
    ]
}

Altinn Studio App: Reelle rettighetshavere

See original XACML here. (it is large)

https://altinn.studio/repos/brg/rrh-innrapportering/raw/branch/master/App/config/authorization/policy.xml

XACML

JSON Version 1

{
    "Rules": [
        {
            "AccessSubject": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "MEDL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "LEDE"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "NEST"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DAGL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DTPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "FFØR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "REPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KONT"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KNUF"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        }
                    ]
                }
            ],
            "Action": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        },
                        {
                            "AttributeId": "urn:altinn:app",
                            "Value": "rrh-innrapportering"
                        }
                    ]
                }
            ]
        },
        {
            "AccessSubject": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "MEDL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "LEDE"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "NEST"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DAGL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DTPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "FFØR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "REPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KONT"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KNUF"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        }
                    ]
                }
            ],
            "Action": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "write",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        },
                        {
                            "AttributeId": "urn:altinn:app",
                            "Value": "rrh-innrapportering"
                        },
                        {
                            "AttributeId": "urn:altinn:task",
                            "Value": "TaskUtfylling"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        },
                        {
                            "AttributeId": "urn:altinn:app",
                            "Value": "rrh-innrapportering"
                        },
                        {
                            "AttributeId": "urn:altinn:end-event",
                            "Value": "BREnd"
                        }
                    ]
                }
            ]
        },
        {
            "AccessSubject": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "MEDL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "LEDE"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "NEST"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DAGL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DTPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "FFØR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "REPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KONT"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KNUF"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        }
                    ]
                }
            ],
            "Action": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "confirm",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        },
                        {
                            "AttributeId": "urn:altinn:app",
                            "Value": "rrh-innrapportering"
                        },
                        {
                            "AttributeId": "urn:altinn:task",
                            "Value": "TaskBekreftelse"
                        }
                    ]
                }
            ]
        },
        {
            "AccessSubject": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "MEDL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "LEDE"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "NEST"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DAGL"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "DTPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "FFØR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "REPR"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KONT"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:rolecode",
                            "Value": "KNUF"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        }
                    ]
                }
            ],
            "Action": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "read",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                },
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
                            "Value": "confirm",
                            "DataType": "http://www.w3.org/2001/XMLSchema#string"
                        }
                    ]
                }
            ],
            "Resource": [
                {
                    "Attribute": [
                        {
                            "AttributeId": "urn:altinn:org",
                            "Value": "brg"
                        },
                        {
                            "AttributeId": "urn:altinn:app",
                            "Value": "rrh-innrapportering"
                        },
                        {
                            "AttributeId": "urn:altinn:task",
                            "Value": "TaskBekreftelse"
                        }
                    ]
                }
            ]
        }
    ]
}

Json VErsion 2

{
    "Rules": [
        {
            "AccessSubject": [
                [
                    "urn:altinn:rolecode=MEDL"
                ],
                [
                    "urn:altinn:rolecode=LEDE"
                ],
                [
                    "urn:altinn:rolecode=NEST"
                ],
                [
                    "urn:altinn:rolecode=DAGL"
                ],
                [
                    "urn:altinn:rolecode=DTPR"
                ],
                [
                    "urn:altinn:rolecode=FFØR"
                ],
                [
                    "urn:altinn:rolecode=REPR"
                ],
                [
                    "urn:altinn:rolecode=KONT"
                ],
                [
                    "urn:altinn:rolecode=KNUF"
                ],
                [
                    "urn:altinn:org=brg"
                ]
            ],
            "Action": [
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=read"
                ],
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=write"
                ]
            ],
            "Resource": [
                [
                    "urn:altinn:org=brg",
                    "urn:altinn:app=rrh-innrapportering"
                ]
            ]
        },
        {
            "AccessSubject": [
                [
                    "urn:altinn:rolecode=MEDL"
                ],
                [
                    "urn:altinn:rolecode=LEDE"
                ],
                [
                    "urn:altinn:rolecode=NEST"
                ],
                [
                    "urn:altinn:rolecode=DAGL"
                ],
                [
                    "urn:altinn:rolecode=DTPR"
                ],
                [
                    "urn:altinn:rolecode=FFØR"
                ],
                [
                    "urn:altinn:rolecode=REPR"
                ],
                [
                    "urn:altinn:rolecode=KONT"
                ],
                [
                    "urn:altinn:rolecode=KNUF"
                ],
                [
                    "urn:altinn:org=brg"
                ]
            ],
            "Action": [
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=read"
                ],
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=write"
                ]
            ],
            "Resource": [
                [
                    "urn:altinn:org=brg",
                    "urn:altinn:app=rrh-innrapportering",
                    "urn:altinn:task=TaskUtfylling"
                ],
                [
                    "urn:altinn:org=brg",
                    "urn:altinn:app=rrh-innrapportering",
                    "urn:altinn:end-event=BREnd"
                ]
            ]
        },
        {
            "AccessSubject": [
                [
                    "urn:altinn:rolecode=MEDL"
                ],
                [
                    "urn:altinn:rolecode=LEDE"
                ],
                [
                    "urn:altinn:rolecode=NEST"
                ],
                [
                    "urn:altinn:rolecode=DAGL"
                ],
                [
                    "urn:altinn:rolecode=DTPR"
                ],
                [
                    "urn:altinn:rolecode=FFØR"
                ],
                [
                    "urn:altinn:rolecode=REPR"
                ],
                [
                    "urn:altinn:rolecode=KONT"
                ],
                [
                    "urn:altinn:rolecode=KNUF"
                ],
                [
                    "urn:altinn:org=brg"
                ]
            ],
            "Action": [
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=read"
                ],
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=confirm"
                ]
            ],
            "Resource": [
                [
                    "urn:altinn:org=brg",
                    "urn:altinn:app=rrh-innrapportering",
                    "urn:altinn:task=TaskBekreftelse"
                ]
            ]
        },
        {
            "AccessSubject": [
                [
                    "urn:altinn:rolecode=MEDL"
                ],
                [
                    "urn:altinn:rolecode=LEDE"
                ],
                [
                    "urn:altinn:rolecode=NEST"
                ],
                [
                    "urn:altinn:rolecode=DAGL"
                ],
                [
                    "urn:altinn:rolecode=DTPR"
                ],
                [
                    "urn:altinn:rolecode=FFØR"
                ],
                [
                    "urn:altinn:rolecode=REPR"
                ],
                [
                    "urn:altinn:rolecode=KONT"
                ],
                [
                    "urn:altinn:rolecode=KNUF"
                ],
                [
                    "urn:altinn:org=brg"
                ]
            ],
            "Action": [
                [
                    "urn:oasis:names:tc:xacml:1.0:action:action-id=delete"
                ]
            ],
            "Resource": [
                [
                    "urn:altinn:org=brg",
                    "urn:altinn:app=rrh-innrapportering"
                ]
            ]
        }
    ]
}

Considerations

How should the format should be without org/app "hardcoding"? The enabler here is that we convert to XACML in the app context.
Use string with prefixes (app:, role:, etc) or JSON objects? Strings are shorter, objects can provide better intellisense.
Is it possible to "get rid" of obligations and use conditions instead for authentication level?
How should we get around this limit in monaco in Gitea? Submit a PR to Gitea?

Acceptance criteria

Apps should use a simple JSON-format for policy by default instead of XACML.
The JSON-format should, over time, be able to cover 99%+ of all cases in the real world
It should still be possible to use XACML, as today, instead of JSON, for complex cases that the simpler format can't handle.
The new JSON format should be designed with brewity and easy editing in mind, optimized for apps.
The new JSON format should not need hardcoded org/app in rules, making it usable across forks.
The new JSON format should have good intellisense and validation in vscode, and if possible in Gitea.

Specification tasks

[ ] Development tasks are defined
[ ] Test design / decide test need

Development tasks

[ ] Finalize JSON Schema: https://altinncdn.no/schemas/json/policy/policy.schema.v1.json
[ ] Create converter code with unit tests
[ ] Update app template with the new default file, remove the old

Definition of done

Verify that this issue meets DoD (Only for project members) before closing.

[ ] Documentation is updated (if relevant)
- [ ] Technical documentation (docs.altinn.studio)
- [ ] User documentation (altinn.github.io/docs)
[ ] QA
[ ] Manual test is complete (if relevant)
[ ] Automated test is implemented (if relevant)
[ ] All tasks in this userstory are closed (i.e. remaining tasks are moved to other user stories or marked obsolete)

Altinn / altinn-studio

Alternative to XACML access policy file #5016