Security Groups
Security groups let you manage access to a DPP wallet. They are defined by an organization and restrict access to specific DPP resources to specific users or groups of users. This is particularly useful for managing access to sensitive data or resources within the DPP.
A security group defines a set of access rules, which are then assigned to the target wallet(s).
An access rule defines the affected credentials (i.e. resources), the type of access restriction (Internal or OAuth2), and, depending on the type, some additional properties.
Setting the type of the rule to Internal restricts access to the credential to users who were invited to the organization. No additional properties are required in this case.
Setting the type of the rule to OAuth2 allows access to the credential via OAuth 2.0: the user must authenticate against an authorization server and present an access token that carries the value defined in the rule. Currently only the Vera authorization server is supported, and only the user email and userId (the token's email and sub claims) can be used to grant access.
Core Entities
Security groups are defined by the following fields:
| Field | Type | Description |
|---|---|---|
| id | String (UUID) | Unique identifier |
| name | String | Name of the security group |
| description | String (optional) | Description of the security group |
| tags | String[] | Tags associated with the group (used for filtering) |
| accessRules | AccessRule[] | Access rules assigned to the group |
| wallets | WalletToSecurityGroup[] | Wallets linked to the security group |
| createdAt | DateTime | Creation timestamp |
| updatedAt | DateTime | Last update timestamp |
Access rules are defined by the following fields:
| Field | Type | Description |
|---|---|---|
| id | String | Unique identifier for the access rule |
| name | String | Access rule name |
| type | AccessRestrictionType | Type of access restriction (Internal or OAuth2) |
| properties | InternalAccessRuleProperties \| OAuth2AccessRuleProperties | Properties of the access rule (see below) |
| templates | TemplateMetadata[] | Templates (credentials) the access rule applies to |
| createdAt | Date | Timestamp when the access rule was created |
| updatedAt | Date | Timestamp when the access rule was last updated |
OAuth2 Access
OAuth2 access rule properties are defined by the following fields (Internal rules take no properties):
| Field | Type | Description |
|---|---|---|
| email | String[] | Emails of users that will be allowed access |
| sub | String[] | UserIDs that will be allowed access |
Create a Security Group
To create a security group, the following endpoint can be used:
Example request
POST {{baseUrl}}/ssi/security-groups?organizationId={{organizationId}}
```json
{
  "name": "Company A Group",
  "description": "some description",
  "tags": ["auditors"],
  "accessRules": [
    {
      "name": "Internal Admin Rule",
      "templateIds": [
        "1234-5678-9012-345678901234",
        "2345-6789-0123-456789012345"
      ],
      "type": "Internal",
      "properties": {}
    },
    {
      "name": "OAuth2 Rule",
      "templateIds": [
        "3456-7890-1234-567890123456",
        "4567-8901-2345-678901234567"
      ],
      "type": "OAuth2",
      "properties": {
        "email": ["[email protected]", "[email protected]"]
      }
    }
  ]
}
```
Assign a Security Group to a Wallet
Security groups can be assigned to a wallet either on creation or update:
Update wallet with Security groups
PUT {{baseUrl}}/ssi/wallets/{{walletId}}?organizationId={{organizationId}}
Request body:
```json
{
  "assignSecurityGroups": [
    { "id": "Company A Group" },
    { "id": "Battery XYZ Group" }
  ]
}
```
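The following is an added example and is not part of the DPP documentation or the product's own code. It models the two access-rule types described above (Internal rules require organization membership; OAuth2 rules require a verified token whose email or sub claim is listed in the rule), validates rules before they are sent, and builds the JSON bodies for the create and assign requests shown in this page. The caller-context names (is_org_member, token_claims), the sample template ids and the sample email address are assumptions for illustration only.

```python
# Added example: offline model of security-group access rules and the request
# bodies for POST /ssi/security-groups and PUT /ssi/wallets/{walletId}.
# Caller-context names and sample identifiers are assumptions, not product APIs.
from dataclasses import dataclass, field
import json


@dataclass
class AccessRule:
    name: str
    type: str                      # "Internal" or "OAuth2"
    template_ids: list             # credentials (templates) the rule protects
    properties: dict = field(default_factory=dict)


@dataclass
class SecurityGroup:
    name: str
    access_rules: list
    tags: list = field(default_factory=list)
    description: str = ""


def validate_rule(rule):
    """Return a list of problems with the rule; an empty list means it is well-formed."""
    problems = []
    if rule.type not in ("Internal", "OAuth2"):
        problems.append(f"{rule.name}: unknown type {rule.type!r}")
    if not rule.template_ids:
        problems.append(f"{rule.name}: rule protects no templates")
    if rule.type == "Internal" and rule.properties:
        problems.append(f"{rule.name}: Internal rules take no properties")
    if rule.type == "OAuth2":
        unknown = set(rule.properties) - {"email", "sub"}
        if unknown:
            problems.append(f"{rule.name}: unsupported OAuth2 properties {sorted(unknown)}")
        if not (rule.properties.get("email") or rule.properties.get("sub")):
            problems.append(f"{rule.name}: OAuth2 rule lists no email or sub, so it grants nobody access")
    return problems


def rule_permits(rule, template_id, *, is_org_member=False, token_claims=None):
    """Decide whether one rule grants the caller access to template_id.

    Internal: the caller must be an invited member of the organization.
    OAuth2:   the access token (assumed already verified against the
              authorization server) must carry an email or sub claim that the
              rule explicitly lists. Anything else is denied.
    """
    if template_id not in rule.template_ids:
        return False
    if rule.type == "Internal":
        return is_org_member
    if rule.type == "OAuth2":
        claims = token_claims or {}
        return (claims.get("email") in rule.properties.get("email", [])
                or claims.get("sub") in rule.properties.get("sub", []))
    return False


def group_permits(group, template_id, **caller):
    """A group grants access when any of its rules does (deny by default)."""
    return any(rule_permits(r, template_id, **caller) for r in group.access_rules)


def create_group_body(group):
    """Body for POST /ssi/security-groups, in the shape of the page's example."""
    return {
        "name": group.name,
        "description": group.description,
        "tags": group.tags,
        "accessRules": [
            {"name": r.name, "templateIds": r.template_ids,
             "type": r.type, "properties": r.properties}
            for r in group.access_rules
        ],
    }


def assign_groups_body(group_ids):
    """Body for PUT /ssi/wallets/{walletId}; the page's example passes group names as ids."""
    return {"assignSecurityGroups": [{"id": gid} for gid in group_ids]}


# Constructed sample data mirroring the page's example request (not real ids).
INTERNAL_TEMPLATE = "1234-5678-9012-345678901234"
OAUTH_TEMPLATE = "3456-7890-1234-567890123456"
SAMPLE_GROUP = SecurityGroup(
    name="Company A Group",
    tags=["auditors"],
    access_rules=[
        AccessRule("Internal Admin Rule", "Internal", [INTERNAL_TEMPLATE]),
        AccessRule("OAuth2 Rule", "OAuth2", [OAUTH_TEMPLATE],
                   {"email": ["auditor@example.com"]}),   # constructed address
    ],
)

if __name__ == "__main__":
    for rule in SAMPLE_GROUP.access_rules:
        assert not validate_rule(rule), validate_rule(rule)
    print(json.dumps(create_group_body(SAMPLE_GROUP), indent=2))
    print(json.dumps(assign_groups_body(["Company A Group", "Battery XYZ Group"]), indent=2))
```

The evaluator is deliberately deny-by-default: a template that no rule names, an OAuth2 claim value that is not listed, or an Internal rule hit by a non-member all return False, and the validator flags an OAuth2 rule with neither email nor sub before it is ever sent, since such a rule would grant access to nobody.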