This repository has been archived by the owner on May 2, 2022. It is now read-only.
PolicyObject.md
Policy Object

Summary

The Policy Object is defined by the client at the time the payload is encrypted. It contains the information the KAS needs to make an access decision at decryption time. The Policy Object is stored in the TDF's manifest.json and is sent to the KAS along with an OIDC bearer token containing a Claims Object, so that the KAS can make its access decision.

The KAS uses the Policy Object to decide whether to grant access to the TDF payload. The entity or user requesting access must be in the dissem (dissemination) list AND must possess entity attributes (as returned by the EAS) that satisfy all of the data attributes.

Example

{
  "uuid": "1111-2222-33333-44444-abddef-timestamp",
  "body": {
    "dataAttributes": [<Attribute Object>],
    "dissem": ["[email protected]"]
  },
  "tdf_spec_version": "x.y.z"
}

uuid

| Parameter | Type | Description |
| --- | --- | --- |
| uuid | String | A unique UUID for the TDF's policy. |

body

| Parameter | Type | Description | Required? |
| --- | --- | --- | --- |
| body | Object | Object containing the policy information the KAS needs to make an access decision. | Yes |
| body.dataAttributes | Array | An array of attributes a user must possess to be granted the key, i.e. the attributes required to decrypt the content. An Attribute Object is defined in its own section: Attribute Object. | Yes |
| body.dissem | Array (deprecated) | An array of unique userIds that explicitly lists the users or entities to be granted access to the payload. Each entry is the id used to authenticate that user against the EAS. | Yes |

tdf_spec_version

| Parameter | Type | Description | Required? |
| --- | --- | --- | --- |
| tdf_spec_version | String | Semver version number of the TDF spec. | No |
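The following is an added example, not code from the TDF spec or any KAS implementation, that ties the field definitions above to the access rule stated in the Summary: it parses and validates a Policy Object of the shape described on this page, then applies the rule that the requester must appear in dissem AND hold entity attributes satisfying every data attribute. Two things are assumptions: each Attribute Object is assumed to carry its attribute URI under a key named `attribute` (see the Attribute Object section for the authoritative shape), and "satisfy" is taken in its simplest reading, that the entity holds every listed attribute URI. The sample policy, user ids and attribute URIs are constructed for the example.

```python
import json

# Constructed sample Policy Object in the shape shown on this page.
# The "attribute" key inside each Attribute Object is an assumption.
SAMPLE_POLICY_JSON = """
{
  "uuid": "1111-2222-33333-44444-abddef-timestamp",
  "body": {
    "dataAttributes": [
      {"attribute": "https://example.com/attr/classification/value/secret"},
      {"attribute": "https://example.com/attr/project/value/blue"}
    ],
    "dissem": ["alice@example.com"]
  },
  "tdf_spec_version": "4.2.1"
}
"""


class PolicyError(ValueError):
    """Raised when a Policy Object does not match the required shape."""


def parse_policy(raw):
    """Parse and validate a Policy Object before any access decision is made.

    Every required field from the tables above is checked, so a malformed or
    partially missing policy is rejected outright rather than treated as permissive.
    """
    try:
        policy = json.loads(raw)
    except ValueError as exc:
        raise PolicyError(f"policy is not valid JSON: {exc}")
    if not isinstance(policy, dict):
        raise PolicyError("policy must be a JSON object")
    if not isinstance(policy.get("uuid"), str) or not policy["uuid"]:
        raise PolicyError("uuid must be a non-empty string")
    body = policy.get("body")
    if not isinstance(body, dict):
        raise PolicyError("body must be an object")
    attrs = body.get("dataAttributes")
    if not isinstance(attrs, list) or not all(
        isinstance(a, dict) and isinstance(a.get("attribute"), str) for a in attrs
    ):
        raise PolicyError("body.dataAttributes must be an array of Attribute Objects")
    dissem = body.get("dissem")
    if not isinstance(dissem, list) or not all(isinstance(d, str) for d in dissem):
        raise PolicyError("body.dissem must be an array of userId strings")
    version = policy.get("tdf_spec_version")
    if version is not None and not isinstance(version, str):
        raise PolicyError("tdf_spec_version must be a string when present")
    return {
        "uuid": policy["uuid"],
        "dataAttributes": [a["attribute"] for a in attrs],
        "dissem": list(dissem),
        "tdf_spec_version": version,
    }


def kas_access_decision(policy, requester_id, entity_attributes):
    """Apply the rule from the Summary: in dissem AND holds all data attributes.

    Returns (granted, reason). Because dissem is a required field, an empty
    dissem list denies every requester under this rule.
    """
    if requester_id not in policy["dissem"]:
        return False, f"{requester_id} is not in dissem"
    missing = sorted(set(policy["dataAttributes"]) - set(entity_attributes))
    if missing:
        return False, "missing attributes: " + ", ".join(missing)
    return True, "requester is in dissem and holds all data attributes"


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE_POLICY_JSON)
    # Constructed entity attributes, as the EAS or Claims Object would supply them.
    entity_attrs = {"https://example.com/attr/project/value/blue"}
    print(kas_access_decision(parsed, "alice@example.com", entity_attrs))
```

Validation runs before the decision on purpose: a KAS that falls back to a default on a missing `dissem` or `dataAttributes` turns a malformed policy into an authorization bypass, so the parser raises instead. The decision function returns a reason string alongside the boolean so that denials can be logged with the specific failing check.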