Skip to content

feat: add obligations #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alkalescent merged 11 commits into from
Oct 3, 2025
Merged

feat: add obligations #150

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
771b0ac
add obligation doc
alkalescent Sep 29, 2025
b2fa2d1
gemini suggestion
alkalescent Sep 29, 2025
4c41516
npm run update-vendored-yaml
alkalescent Sep 29, 2025
867dbfc
suggestions
alkalescent Sep 30, 2025
f77bf40
Update docs/components/policy/obligations.md
alkalescent Oct 2, 2025
bc7649d
Update docs/components/policy/obligations.md
alkalescent Oct 2, 2025
9474d41
Update docs/components/policy/obligations.md
alkalescent Oct 2, 2025
a93d361
Update docs/components/policy/obligations.md
alkalescent Oct 2, 2025
3a221e3
add triggers
alkalescent Oct 2, 2025
3d81327
Update docs/components/policy/obligations.md
alkalescent Oct 3, 2025
1739b6a
clarify that pep is optional w explanation of global obl and update d…
alkalescent Oct 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
80 changes: 80 additions & 0 deletions docs/components/policy/obligations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Obligations

Obligations are policy constructs that enable Policy Decision Point(PDP) - to - Policy Enforcement Point (PEP) directives that accompany a decision. They express additional controls the PEP should enforce—such as requiring MFA, applying watermarking, encrypting content, or limiting access by time. In effect, the PDP is saying “permit, provided these controls are enforced.” The PDP cannot compel or verify enforcement; it relies on the PEP to honor the obligations.
If the PEP cannot or will not enforce an obligation, it should decline to grant access.
## Composition

An obligation consists of:

1. A Namespace
2. A Definition
3. Values
4. Triggers

Platform Policy Obligations can contain multiple Namespaces, each with multiple Definitions, and each Definition can have multiple Values. Each Value can have multiple Triggers. Each trigger can have an Action, Attribute Value, and PEP identifier (optional). Not specifying a PEP results in a global obligation that applies across *all* PEPs.

Check failure on line 14 in docs/components/policy/obligations.md

View workflow job for this annotation

GitHub Actions / Vale 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'Namespaces'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'Namespaces'?", "location": {"path": "docs/components/policy/obligations.md", "range": {"start": {"line": 14, "column": 50}}}, "severity": "ERROR"}

```mermaid
graph LR;
%% Every definition is namespaced.
Namespace_A-->ObligationDefinition_A;

%% Define definition and value A.
ObligationDefinition_A-->ObligationValue_A;

%% Define triggers.
ObligationValue_A-->Trigger_A1
Trigger_A1-->Action_A1
Trigger_A1-->AttributeValue_A1
Trigger_A1-->PEP_A

ObligationValue_A-->Trigger_A2
Trigger_A2-->Action_A2
Trigger_A2-->AttributeValue_A2

%% Define definition and value B.
ObligationDefinition_A-->ObligationValue_B;

%% Define triggers.
ObligationValue_B-->Trigger_B1
Trigger_B1-->Action_B1
Trigger_B1-->AttributeValue_B1

ObligationValue_B-->Trigger_B2
Trigger_B2-->Action_B2
Trigger_B2-->AttributeValue_B2
Trigger_B2-->PEP_B
```

## Standard Obligations

Standard Obligations are enforced by the Access PDP (Policy Decision Point) when validating whether an Entity of a specified Category can perform an Action on a given Resource. These obligations must be satisfied for access to be granted.

A Standard Obligation includes:
- **Action**: The specific action being performed (READ, STORE, CREATE, UPDATE, DELETE)
- **Resource Attribute Value**: The data attribute for which this obligation is scoped
- **Obligation Value**: The required obligation value that must be satisfied

### Examples of Standard Obligations:

#### Watermarking
Ensure document traceability:
- **Obligation**: `https://example.com/obl/drm/value/watermarking`
- **Applied to**: sensitive documents
- **Condition**: PEP must apply watermark

#### Prevent Download
Prevent download of plaintext content:

Check failure on line 66 in docs/components/policy/obligations.md

View workflow job for this annotation

GitHub Actions / Vale 

[vale] reported by reviewdog 🐶
[Vale.Spelling] Did you really mean 'plaintext'?

Raw Output:
{"message": "[Vale.Spelling] Did you really mean 'plaintext'?", "location": {"path": "docs/components/policy/obligations.md", "range": {"start": {"line": 66, "column": 21}}}, "severity": "ERROR"}
- **Obligation**: `https://example.com/obl/drm/value/no-download`
- **Applied to**: sensitive documents
- **Condition**: PEP must not allow download

## FQN (Fully Qualified Name) Convention

Check failure on line 71 in docs/components/policy/obligations.md

View workflow job for this annotation

GitHub Actions / Vale 

[vale] reported by reviewdog 🐶
[Vale.Terms] Use 'SDK' instead of 'FQN'.

Raw Output:
{"message": "[Vale.Terms] Use 'SDK' instead of 'FQN'.", "location": {"path": "docs/components/policy/obligations.md", "range": {"start": {"line": 71, "column": 4}}}, "severity": "ERROR"}

Obligations use a specific naming convention to distinguish them from attributes:

- **Obligation Definition**: `<namespace>/obl/<obligation_name>`
- **Obligation Value**: `<namespace>/obl/<obligation_name>/value/<obligation_value>`

For example:
- `https://example.com/obl/drm` (definition)
- `https://example.com/obl/drm/value/watermarking` (value)
55 changes: 52 additions & 3 deletions specs/authorization/v2/authorization.openapi.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,25 @@ components:
title: resources
maxItems: 1000
minItems: 1
fulfillableObligationFqns:
type: array
items:
type: string
description: |+
if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs:
```
this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri()))
```

title: fulfillable_obligation_fqns
description: |+
obligations (fully qualified values) the requester is capable of fulfilling
i.e. https://<namespace>/obl/<definition name>/value/<value>
if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs:
```
this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri()))
```

title: GetDecisionMultiResourceRequest
required:
- entityIdentifier
Expand All @@ -306,6 +325,9 @@ components:
1. one entity reference (actor)
2. one action
3. multiple resources

If entitled, checks obligation policy: fulfillable obligations must satisfy all triggered.

Note: this is a more performant bulk request for multiple resource decisions, up to 1000 per request
action.name must be provided:
```
Expand Down Expand Up @@ -341,6 +363,25 @@ components:
resource:
title: resource
$ref: '#/components/schemas/authorization.v2.Resource'
fulfillableObligationFqns:
type: array
items:
type: string
description: |+
if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs:
```
this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri()))
```

title: fulfillable_obligation_fqns
description: |+
obligations (fully qualified values) the requester is capable of fulfilling
i.e. https://<namespace>/obl/<definition name>/value/<value>
if provided, fulfillable_obligation_fqns must be between 1 and 50 in count with all valid FQNs:
```
this.size() == 0 || (this.size() <= 50 && this.all(item, item.isUri()))
```

title: GetDecisionRequest
required:
- entityIdentifier
Expand All @@ -352,6 +393,8 @@ components:
1. one entity reference (actor)
2. one action
3. one resource

If entitled, checks obligation policy: fulfillable obligations must satisfy all triggered.
action.name must be provided:
```
has(this.action.name)
Expand All @@ -362,9 +405,7 @@ components:
properties:
decision:
title: decision
description: |-
decision on the resource optional list of obligations represented in URI format
repeated string obligations = 2;
description: decision on the resource
$ref: '#/components/schemas/authorization.v2.ResourceDecision'
title: GetDecisionResponse
additionalProperties: false
Expand Down Expand Up @@ -457,6 +498,14 @@ components:
title: decision
description: decision result
$ref: '#/components/schemas/authorization.v2.Decision'
requiredObligations:
type: array
items:
type: string
title: required_obligations
description: |-
obligations (fully qualified values) the PEP is required to fulfill on the given resource
i.e. https://<namespace>/obl/<definition name>/value/<value>
title: ResourceDecision
additionalProperties: false
common.Metadata:
Expand Down
100 changes: 100 additions & 0 deletions specs/policy/actions/actions.openapi.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -665,6 +665,81 @@ components:
description: Keys for the namespace
title: Namespace
additionalProperties: false
policy.Obligation:
type: object
properties:
id:
type: string
title: id
namespace:
title: namespace
$ref: '#/components/schemas/policy.Namespace'
name:
type: string
title: name
values:
type: array
items:
$ref: '#/components/schemas/policy.ObligationValue'
title: values
fqn:
type: string
title: fqn
metadata:
title: metadata
$ref: '#/components/schemas/common.Metadata'
title: Obligation
additionalProperties: false
policy.ObligationTrigger:
type: object
properties:
id:
type: string
title: id
obligationValue:
title: obligation_value
$ref: '#/components/schemas/policy.ObligationValue'
action:
title: action
$ref: '#/components/schemas/policy.Action'
attributeValue:
title: attribute_value
$ref: '#/components/schemas/policy.Value'
context:
type: array
items:
$ref: '#/components/schemas/policy.RequestContext'
title: context
metadata:
title: metadata
$ref: '#/components/schemas/common.Metadata'
title: ObligationTrigger
additionalProperties: false
policy.ObligationValue:
type: object
properties:
id:
type: string
title: id
obligation:
title: obligation
$ref: '#/components/schemas/policy.Obligation'
value:
type: string
title: value
triggers:
type: array
items:
$ref: '#/components/schemas/policy.ObligationTrigger'
title: triggers
fqn:
type: string
title: fqn
metadata:
title: metadata
$ref: '#/components/schemas/common.Metadata'
title: ObligationValue
additionalProperties: false
policy.PageRequest:
type: object
properties:
Expand Down Expand Up @@ -707,6 +782,15 @@ components:
description: Total count of entire list
title: PageResponse
additionalProperties: false
policy.PolicyEnforcementPoint:
type: object
properties:
clientId:
type: string
title: client_id
minLength: 1
title: PolicyEnforcementPoint
additionalProperties: false
policy.PublicKey:
type: object
oneOf:
Expand Down Expand Up @@ -735,6 +819,17 @@ components:
title: PublicKey
additionalProperties: false
description: Deprecated
policy.RequestContext:
type: object
properties:
pep:
title: pep
$ref: '#/components/schemas/policy.PolicyEnforcementPoint'
title: RequestContext
required:
- pep
additionalProperties: false
description: Holds the context needed for obligation fulfillment
policy.ResourceMapping:
type: object
properties:
Expand Down Expand Up @@ -927,6 +1022,11 @@ components:
items:
$ref: '#/components/schemas/policy.ResourceMapping'
title: resource_mappings
obligations:
type: array
items:
$ref: '#/components/schemas/policy.Obligation'
title: obligations
metadata:
title: metadata
description: Common metadata
Expand Down
Loading