[Ticket] Management Endpoint for ABAC #134

@FriedJannik

Description

User Story

As a System Administrator, I need a management endpoint, so that I can change ABAC rules at runtime.


Rules

  • What: We need endpoints to manage ABAC rules:

    • GET /rules - gets all available rules
    • GET /rules/{ruleID} - gets a rule by its ruleID
    • POST /rules - bulk creation of ABAC rules
    • POST /rule/{ruleID} - creates a new rule - 409 Conflict if a rule with that ID already exists
    • PUT /rule/{ruleID} - creates or replaces a rule by ID - creates the rule if it does not exist!
    • PATCH /rule/{ruleID} - updates a rule (partial updates allowed) - 404 Not Found if the rule does not exist
    • DELETE /rule/{ruleID} - deletes a rule by ID
  • These endpoints should be implemented in internal/common and must only be imported by the individual components

  • They should be dependency-injected

  • Authorization: attribute "management_role: superuser"

  • For the MVP: all access or no access - no ABAC evaluation on the management endpoints themselves for now.

  • Token: must be the same token as for the standardized endpoints.

  • The feature should be disableable -> enabled with ABAC by default.

  • When: The endpoints are "present" only if ABAC is enabled and an authorized request is sent - otherwise the endpoints must return 404 Not Found.

Examples:

  • ABAC is disabled and a user tries to access the /rules* endpoints:

    • 404 Not Found
  • ABAC is enabled and an unauthorized user tries to access the /rules* endpoints:

    • 404 Not Found (not 401/403: an unauthorized caller should not be able to tell whether the management endpoints exist at all)
  • No ORM -> model classes will likely be put into an SDK
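The following is an added example sketch (not BaSyx code) of how the gating and the endpoint semantics above could look in Go, written so that a component can inject it. Everything named here (ManagementHandler, RuleStore, roleOf, the Rule fields) is an assumption for illustration. Token verification is assumed to happen upstream in the component, exactly as for the standardized endpoints; the handler only receives the extracted management_role attribute. Note that the ticket writes the single-rule GET as /rules/{ruleID} while the other single-rule verbs use /rule/{ruleID}; the sketch uses /rule/{ruleID} for all single-rule verbs. Bulk POST /rules is left out; it repeats the 409 check per element.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
	"sync"
)

// Rule stands in for the ABAC rule model; the ticket does not fix its fields (assumption).
type Rule struct {
	ID     string `json:"id"`
	Effect string `json:"effect,omitempty"`
}

// RuleStore is an in-memory stand-in for the engine's rule backend, keyed by ruleID.
type RuleStore map[string]Rule

// ManagementHandler mounts /rules and /rule/{ruleID}. The feature flag and roleOf (the
// management_role attribute of an already-verified token) are injected by the component.
func ManagementHandler(s RuleStore, enabled bool, roleOf func(*http.Request) (string, bool)) http.Handler {
	var mu sync.Mutex
	mux := http.NewServeMux()
	mux.HandleFunc("/rules", s.list)
	mux.HandleFunc("/rule/", s.single)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// "Disabled", "no token" and "wrong role" are all answered 404: callers learn nothing.
		if role, ok := roleOf(r); !enabled || !ok || role != "superuser" {
			http.NotFound(w, r)
			return
		}
		mu.Lock() // one management request at a time is plenty for rule administration
		defer mu.Unlock()
		mux.ServeHTTP(w, r)
	})
}

func writeJSON(w http.ResponseWriter, status int, v any) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(v)
}

// list serves GET /rules.
func (s RuleStore) list(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	out := make([]Rule, 0, len(s))
	for _, rule := range s {
		out = append(out, rule)
	}
	writeJSON(w, http.StatusOK, out)
}

// single serves /rule/{ruleID}: GET, POST (409 if the ID exists), PUT (create or replace),
// PATCH (partial update, 404 if absent) and DELETE (404 if absent).
func (s RuleStore) single(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/rule/")
	cur, exists := s[id]
	mayCreate := r.Method == http.MethodPost || r.Method == http.MethodPut
	if id == "" || strings.Contains(id, "/") || (!exists && !mayCreate) {
		http.NotFound(w, r)
		return
	}
	var body Rule
	if mayCreate || r.Method == http.MethodPatch {
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		body.ID = id // the path is authoritative; an ID in the body is ignored
	}
	switch r.Method {
	case http.MethodGet:
		writeJSON(w, http.StatusOK, cur)
	case http.MethodPost, http.MethodPut:
		if exists && r.Method == http.MethodPost {
			http.Error(w, "rule already exists: "+id, http.StatusConflict)
			return
		}
		s[id] = body
		status := http.StatusCreated
		if exists {
			status = http.StatusOK
		}
		writeJSON(w, status, body)
	case http.MethodPatch:
		if body.Effect != "" { // partial update: only fields present in the body change
			cur.Effect = body.Effect
		}
		s[id] = cur
		writeJSON(w, http.StatusOK, cur)
	case http.MethodDelete:
		delete(s, id)
		w.WriteHeader(http.StatusNoContent)
	}
}
```

A component would mount this with `http.Handle("/", ManagementHandler(store, cfg.ABACEnabled, roleFromVerifiedToken))`, where roleFromVerifiedToken is the component's own token middleware (assumed) returning the management_role attribute. The important property to keep when replacing the sketch with the real implementation is that the 404 decision happens before any routing, so a disabled feature and a forbidden caller are indistinguishable from the outside.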


Entry Points

  • ABAC Rules
  • ABAC Engine
  • ABAC Model
  • Martin
  • For an example of importing endpoints from common, see HealthEndpoint (main.go of submodelrepository and aasregistry)

Acceptance Criteria

  • At least one component with security enabled showcases the use of these endpoints
  • Integration tests are present
  • Feature and endpoints are well documented (user and developer documentation)
    • How to set up
    • How to set up Keycloak
    • How to create a valid user for the management endpoints
    • How to obtain an access token
  • Example setup

The goal is that a user can set up a completely secured and managed [1] component without needing help from a third-party source.


Risks and Assumptions

  • Assumption: The Token can be easily reused
  • Assumption: The endpoints and rules are abstract enough to put them into common

[1] - "Managed" -> Management Endpoints enabled

Metadata

Projects: BaSyx Go
No assignees, labels, type, milestone, relationships, or linked branches/pull requests.