Altinn · jonkjetiloye · Jul 1, 2025 · Jul 1, 2025 · Jul 1, 2025
diff --git a/...tinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs b/...tinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/PolicyInformationPoint.cs
@@ -129,11 +129,13 @@ public async Task<List<Right>> GetRights(RightsQuery rightsQuery, bool returnAll
             }
 
             int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy);
+            var validPolicyResourceAttributes = GetValidResourceAttributes(rightsQuery.Resource);
+
             if (userRoles.Any() || returnAllPolicyRights || getDelegableRights)
             {
                 List<AttributeMatch> userRoleAttributeMatches = RightsHelper.GetRoleAttributeMatches(userRoles);
                 RightSourceType policyType = resourceMatchType == ResourceAttributeMatchType.ResourceRegistry ? RightSourceType.ResourceRegistryPolicy : RightSourceType.AppPolicy;
-                EnrichRightsDictionaryWithRightsFromPolicy(result, policy, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights);
+                EnrichRightsDictionaryWithRightsFromPolicy(result, policy, validPolicyResourceAttributes, policyType, userRoleAttributeMatches, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: returnAllPolicyRights, getDelegableRights: getDelegableRights);
             }
 
             // Delegation Policy Rights
@@ -143,7 +145,7 @@ public async Task<List<Right>> GetRights(RightsQuery rightsQuery, bool returnAll
             {
                 XacmlPolicy delegationPolicy = await _prp.GetPolicyVersionAsync(delegation.BlobStoragePolicyPath, delegation.BlobStorageVersionId, cancellationToken);
                 List<AttributeMatch> subjects = RightsHelper.GetDelegationSubjectAttributeMatches(delegation);
-                EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights);
+                EnrichRightsDictionaryWithRightsFromPolicy(result, delegationPolicy, validPolicyResourceAttributes, RightSourceType.DelegationPolicy, subjects, minimumAuthenticationLevel: minimumAuthenticationLevel, delegationOfferedByPartyId: delegation.OfferedByPartyId, getDelegableRights: getDelegableRights);
             }
 
             if (returnAllPolicyRights)
@@ -172,7 +174,9 @@ public async Task<List<Right>> GetDelegableRightsByApp(RightsQuery rightsQuery,
 
             int minimumAuthenticationLevel = PolicyHelper.GetMinimumAuthenticationLevelFromXacmlPolicy(policy);
             RightSourceType policyType = rightsQuery.Resource.ResourceType == ResourceType.AltinnApp ? RightSourceType.AppPolicy : RightSourceType.ResourceRegistryPolicy;
-            EnrichRightsDictionaryWithRightsFromPolicy(result, policy, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true);
+            var validPolicyResourceAttributes = GetValidResourceAttributes(rightsQuery.Resource);
+
+            EnrichRightsDictionaryWithRightsFromPolicy(result, policy, validPolicyResourceAttributes, policyType, rightsQuery.To, minimumAuthenticationLevel: minimumAuthenticationLevel, returnAllPolicyRights: false, getDelegableRights: true);
 
             return result.Values.Where(r => r.CanDelegate.HasValue && r.CanDelegate.Value).ToList();
         }
@@ -309,6 +313,21 @@ public async Task<List<AppsInstanceDelegationResponse>> GetInstanceDelegations(A
             return result;
         }
 
+        private static List<List<AttributeMatch>> GetValidResourceAttributes(ServiceResource resource)
+        {
+            var validResourceAttributes = new List<List<AttributeMatch>>
+            {
+                resource.AuthorizationReference
+            };
+
+            if (resource.ResourceType == ResourceType.AltinnApp)
+            {
+                validResourceAttributes.Add(new List<AttributeMatch> { new AttributeMatch(AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute, resource.Identifier) });
+            }
+
+            return validResourceAttributes;
+        }
+
         private static List<InstanceRightDelegationResult> GetRightsFromPolicy(XacmlPolicy policy)
         {
             List<InstanceRightDelegationResult> result = new List<InstanceRightDelegationResult>();
@@ -550,7 +569,7 @@ private static void AddAttributeMatchToRule(XacmlMatch xacmlMatch, Rule rule)
             }
         }
 
-        private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary<string, Right> rights, XacmlPolicy policy, RightSourceType policySourceType, List<AttributeMatch> subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false)
+        private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary<string, Right> rights, XacmlPolicy policy, List<List<AttributeMatch>> validResourceAttr, RightSourceType policySourceType, List<AttributeMatch> subjectMatches, int minimumAuthenticationLevel = 0, int delegationOfferedByPartyId = 0, bool returnAllPolicyRights = false, bool getDelegableRights = false)
         {
             PolicyDecisionPoint pdp = new PolicyDecisionPoint();
 
@@ -563,6 +582,12 @@ private static void EnrichRightsDictionaryWithRightsFromPolicy(Dictionary<string
                 ICollection<Right> ruleRights = PolicyHelper.GetRightsFromXacmlRules(rule.SingleToList());
                 foreach (Right ruleRight in ruleRights)
                 {
+                    // If rule from policy does not match the resource of the originating policy, skip it
+                    if (!validResourceAttr.Any(attrSet => attrSet.All(attr => ruleRight.Resource.Any(r => attr.Id.Equals(r.Id, StringComparison.OrdinalIgnoreCase) && attr.Value.Equals(r.Value, StringComparison.OrdinalIgnoreCase)))))
+                    {
+                        continue;
+                    }
+
                     ICollection<XacmlContextAttributes> contextAttributes = PolicyHelper.GetContextAttributes(subjectMatches, ruleRight.Resource, ruleRight.Action.SingleToList());
                     XacmlContextRequest authRequest = new XacmlContextRequest(false, false, contextAttributes);
 

diff --git a/.../Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs b/.../Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Services/SingleRightsService.cs
@@ -554,7 +554,12 @@ private static bool ValidateAllRightsAreForTheSameResource(List<Right> rights)
             foreach (Right right in rights)
             {
                 DelegationHelper.TryGetResourceFromAttributeMatch(right.Resource, out ResourceAttributeMatchType resourceMatchType, out string resourceRegistryId, out string org, out string app, out string serviceCode, out string serviceEditionCode);
-                string currentResourceKey = $"{resourceMatchType}{resourceRegistryId}{org}{app}{serviceCode}{serviceEditionCode}";
+                if (resourceMatchType == ResourceAttributeMatchType.AltinnAppId)
+                {
+                    resourceRegistryId = $"app_{org.ToLower()}_{app.ToLower()}";
+                }
+
+                string currentResourceKey = $"{resourceRegistryId}{serviceCode}{serviceEditionCode}";
 
                 if (firstResourceKey == string.Empty)
                 {

diff --git a/.../Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs b/.../Altinn.AccessManagement/src/Altinn.AccessManagement/Models/Rights/RightsQueryExternal.cs
@@ -44,18 +44,23 @@ public RightsQuery ToRightsQueryInternal(IMapper mapper)
                 Type = RightsQueryType.User,
                 From = mapper.Map<List<AttributeMatch>>(From),
                 To = mapper.Map<List<AttributeMatch>>(To),
-                Resource = new ServiceResource
-                {
-                    Identifier = GetResourceIdentifier(Resource),
-                    AuthorizationReference = mapper.Map<List<AttributeMatch>>(Resource)
-                }
+                Resource = GetResource(Resource, mapper)
             };
         }
 
-        private static string GetResourceIdentifier(List<AttributeMatchExternal> resource)
+        private ServiceResource GetResource(List<AttributeMatchExternal> resource, IMapper mapper)
         {
-            return resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute)?.Value ??
+            var id = resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.ResourceRegistryAttribute)?.Value ??
                 $"app_{resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.OrgAttribute)?.Value}_{resource.Find(r => r.Id == AltinnXacmlConstants.MatchAttributeIdentifiers.AppAttribute)?.Value}";
+
+            var serviceResource = new ServiceResource
+            {
+                Identifier = id,
+                ResourceType = id.StartsWith("app_") ? ResourceType.AltinnApp : ResourceType.Default,
+                AuthorizationReference = mapper.Map<List<AttributeMatch>>(resource)
+            };
+
+            return serviceResource;
         }
     }
 }
diff --git a/...eRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json b/...eRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_false.json
@@ -995,5 +995,132 @@
         ]
       }
     ]
+  },
+  {
+    "rightKey": "app_ttd_rf-0002:access",
+    "resource": [
+      {
+        "id": "urn:altinn:resource",
+        "value": "app_ttd_rf-0002"
+      }
+    ],
+    "action": "access",
+    "canDelegate": true,
+    "rightSources": [
+      {
+        "rightSourceType": "AppPolicy",
+        "policyId": "urn:altinn:example:policyid:1",
+        "policyVersion": "1.0",
+        "ruleId": "urn:altinn:example:ruleid:7",
+        "canDelegate": true,
+        "userSubjects": [
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "LOPER"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "ADMAI"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "REGNA"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "SISKD"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UILUF"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UTINN"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UTOMR"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "KLADM"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "ATTST"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "HVASK"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "PAVAD"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "SIGNE"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UIHTL"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "KOMAB"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "LEDE"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "DAGL"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "ECKEYROLE"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "HADM"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "PASIG"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0278"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0236"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0212"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0293"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0294"
+          }
+        ],
+        "policySubjects": [
+          [
+            {
+              "matchFound": null,
+              "id": "urn:altinn:rolecode",
+              "value": "DAGL"
+            }
+          ]
+        ]
+      }
+    ]
   }
 ]
diff --git a/...leRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json b/...leRightsQuery/ttd_rf-0002/from_p50005545/to_u20000490/expected_rights_returnall_true.json
@@ -1260,5 +1260,132 @@
         ]
       }
     ]
+  },
+  {
+    "rightKey": "app_ttd_rf-0002:access",
+    "resource": [
+      {
+        "id": "urn:altinn:resource",
+        "value": "app_ttd_rf-0002"
+      }
+    ],
+    "action": "access",
+    "canDelegate": true,
+    "rightSources": [
+      {
+        "rightSourceType": "AppPolicy",
+        "policyId": "urn:altinn:example:policyid:1",
+        "policyVersion": "1.0",
+        "ruleId": "urn:altinn:example:ruleid:7",
+        "canDelegate": true,
+        "userSubjects": [
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "LOPER"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "ADMAI"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "REGNA"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "SISKD"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UILUF"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UTINN"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UTOMR"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "KLADM"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "ATTST"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "HVASK"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "PAVAD"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "SIGNE"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "UIHTL"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "KOMAB"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "LEDE"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "DAGL"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "ECKEYROLE"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "HADM"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "PASIG"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0278"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0236"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0212"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0293"
+          },
+          {
+            "id": "urn:altinn:rolecode",
+            "value": "A0294"
+          }
+        ],
+        "policySubjects": [
+          [
+            {
+              "matchFound": null,
+              "id": "urn:altinn:rolecode",
+              "value": "DAGL"
+            }
+          ]
+        ]
+      }
+    ]
   }
 ]