Security Groups

Security groups let you manage access to a DPP wallet. An organization defines them and uses them to restrict access to specific DPP resources to specific users or groups of users. This is particularly useful for managing access to sensitive data or resources within the DPP.

A security group defines a set of access rules, which are then assigned to the target wallet(s).

An access rule defines the affected credentials (i.e. the resources, identified by their templates), the type of access restriction (Internal or OAuth2), and additional properties that depend on the restriction type.

Setting the type of the rule to Internal restricts access to the credential to users who have been invited to the organization. No additional properties are required in this case.

Setting the type of the rule to OAuth2 allows access to the credential via OAuth 2.0: the user must authenticate against an authorization server, and the resulting access token must carry a value that matches one defined in the rule. Currently only the Vera authorization server is supported, and only the user's email and user ID (the sub claim) can be used to grant access.

Core Entities

Security groups are defined by the following fields:

Field       | Type                     | Description
id          | String (UUID)            | Unique identifier
name        | String                   | Name of the security group
description | String (optional)        | Description of the security group
tags        | String[]                 | Tags associated with the group (used for filtering)
accessRules | AccessRule[]             | Access rules assigned to the group
wallets     | WalletToSecurityGroup[]  | Wallets linked to the security group
createdAt   | DateTime                 | Creation timestamp
updatedAt   | DateTime                 | Last update timestamp

Access rules are defined by the following fields:

Field      | Type                                                       | Description
id         | String                                                     | Unique identifier for the access rule
name       | String                                                     | Access rule name
type       | AccessRestrictionType                                      | Type of access restriction (Internal or OAuth2)
properties | InternalAccessRuleProperties | OAuth2AccessRuleProperties | Properties of the access rule (see below)
templates  | TemplateMetadata[]                                         | Templates (credentials) the access rule applies to
createdAt  | Date                                                       | Timestamp when the access rule was created
updatedAt  | Date                                                       | Timestamp when the access rule was last updated

OAuth2 Access Rule Properties

Field | Type     | Description
email | String[] | Emails of users that will be allowed access
sub   | String[] | User IDs (the token's sub claim) that will be allowed access

Create a Security Group

To create a security group, use the following endpoint. Each access rule lists the IDs of the templates it covers in templateIds; an Internal rule carries empty properties, while an OAuth2 rule carries the allowed email and/or sub values:

Example request

POST {{baseUrl}}/ssi/security-groups?organizationId={{organizationId}}

{
  "name": "Company A Group",
  "description": "some description",
  "tags": ["auditors"],
  "accessRules": [
    {
      "name": "Internal Admin Rule",
      "templateIds": [
        "1234-5678-9012-345678901234",
        "2345-6789-0123-456789012345"
      ],
      "type": "Internal",
      "properties": {}
    },
    {
      "name": "OAuth2 Rule",
      "templateIds": [
        "3456-7890-1234-567890123456",
        "4567-8901-2345-678901234567"
      ],
      "type": "OAuth2",
      "properties": {
        "email": ["[email protected]", "[email protected]"]
      }
    }
  ]
}
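The access model described in the rule definitions above and carried by the create request is small enough to model end to end. The following is an added example, not the DPP project's own code: it validates access rules the way the create request would carry them, and then evaluates whether a requester may reach a given template. The function names (validate_rule, check_access), the Requester representation and the sample rules, emails and IDs are all constructed assumptions; the page does not specify how the server matches emails, so comparison here is exact.

```python
"""Model of DPP security-group access rules (added example, not project code).

validate_rule  - checks one access rule as carried in a create request.
check_access   - deny-by-default decision: a requester reaches a template
                 only if some rule covering that template admits them.
All names, sample template IDs, emails and user IDs are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample rules, shaped like the accessRules of a create request.
SAMPLE_RULES = [
    {"name": "Internal Admin Rule", "type": "Internal",
     "templateIds": ["1234-5678-9012-345678901234"], "properties": {}},
    {"name": "OAuth2 Rule", "type": "OAuth2",
     "templateIds": ["3456-7890-1234-567890123456"],
     "properties": {"email": ["alice@example.com"], "sub": ["user-42"]}},
]

KNOWN_TYPES = ("Internal", "OAuth2")
OAUTH2_PROPS = ("email", "sub")  # the only OAuth2 properties the page lists


def validate_rule(rule: dict) -> list[str]:
    """Return the problems found in one access rule (empty list if it is OK)."""
    problems: list[str] = []
    rtype = rule.get("type")
    props = rule.get("properties") or {}
    if rtype not in KNOWN_TYPES:
        problems.append(f"unknown type {rtype!r}")
    if not rule.get("templateIds"):
        problems.append("templateIds must list at least one credential template")
    if rtype == "Internal" and props:
        problems.append("Internal rules take no properties")
    if rtype == "OAuth2":
        if not any(props.get(k) for k in OAUTH2_PROPS):
            problems.append("OAuth2 rule needs a non-empty email or sub list")
        unknown = sorted(set(props) - set(OAUTH2_PROPS))
        if unknown:
            problems.append(f"unsupported OAuth2 properties: {unknown}")
    return problems


@dataclass
class Requester:
    """Who is asking: an invited org member and/or a holder of a validated token."""
    org_member: bool = False                           # invited to the organization
    token_claims: dict = field(default_factory=dict)   # claims of an already-verified token


def check_access(rules: list[dict], template_id: str, who: Requester) -> bool:
    """Deny by default; allow only if a rule covering template_id admits `who`."""
    for rule in rules:
        if template_id not in rule["templateIds"]:
            continue  # this rule does not cover the requested credential
        if rule["type"] == "Internal" and who.org_member:
            return True
        if rule["type"] == "OAuth2":
            props = rule["properties"]
            # Exact match of the token's email or sub against the allow-lists.
            if who.token_claims.get("email") in props.get("email", []):
                return True
            if who.token_claims.get("sub") in props.get("sub", []):
                return True
    return False


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["name"], "->", validate_rule(r) or "ok")
    alice = Requester(token_claims={"email": "alice@example.com"})
    print("alice on OAuth2 template:", check_access(SAMPLE_RULES, "3456-7890-1234-567890123456", alice))
    print("alice on Internal template:", check_access(SAMPLE_RULES, "1234-5678-9012-345678901234", alice))
```

Note that the requester's token is assumed to have been verified already; the decision logic only consumes its claims. A token holder listed in an OAuth2 rule gets no access to templates covered solely by an Internal rule, and an org member gets none to templates covered solely by an OAuth2 rule, which is the separation the two rule types are meant to provide.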

Assign a Security Group to a Wallet

Security groups can be assigned to a wallet either on creation or on update. The id values in assignSecurityGroups reference the security groups to assign; the table above defines a security group's id as a UUID, so the names used below stand in for the real identifiers:

Update wallet with security groups

PUT {{baseUrl}}/ssi/wallets/{{walletId}}?organizationId={{organizationId}}

{
  "assignSecurityGroups": [
    {
      "id": "Company A Group"
    },
    {
      "id": "Battery XYZ Group"
    }
  ]
}
