Authorization
Business Partner Numbers (BPN) allow for sharing data with third parties.
This page details how to manage read access to specific assets of Asset Administration Shell Descriptor entities (Shells) within Catena-X, using `specificAssetId`s.
For accessing the Asset Administration Shells on the data provider’s tenant of the Digital Twin Registry, membership on that tenant is not enough. In addition to just having access to the tenant, the users and the technical clients also need the corresponding roles (AAS Viewer or AAS Manager). For details, refer to Authorization. |
Closed by default and accessible only by the owner
By default, only the owner of an Asset Administration Shell Descriptor entity can access it and can see all the Asset Administration Shell Descriptor entity attributes.
Semantic meaning of the externalSubjectId
attribute
The Digital Twin Registry allows the discovery of an Asset Administration Shell by search via specific asset IDs associated with the asset represented by the Asset Administration Shell. This is done by using the specificAssetIds
attribute within the Asset Administration Shell Descriptor.
To each such a specific asset ID, assign an externalSubjectId
to grant read access. The value of externalSubjectId
corresponds to a BPN or `PUBLIC_READABLE `.
Without an externalSubjectId
, the content remains exclusively visible to the owner of the Asset Administration Shell.
Example A - Lock access to owner of the Asset Administration Shell
SpecificAssetIds can be posted to existing Asset Administration Shells using the SpecificAssetId registration endpoint
[
{
"name": "partInstanceId",
"value": "24975539203421"
}
]
In this example, because an externalSubjectId
attribute is missing, only you as the owner can access the Asset Administration Shell listed below and its SpecificAssetId.
How read access is facilitated to data consumers
Only users for whom their Business Partner Numbers (BPN) fetched into the Eclipse Dataspace Components header of their API request matches the
externalSubjectId
of an Asset Administration Shell can discover and read the content that is allowed for their BPN or which is set public readable.
Enabling public readable access
To grant all users read access to a specific asset, include an externalSubjectId
.
Assign either the manufacturerPartId
or assetLifecyclePhase
as its name and set the value to PUBLIC_READABLE
.
Using PUBLIC_READABLE allows for reading the specificAssetId.name attribute. It works only for the value manufacturerPartId or assetLifecyclePhase .
Any other value of specificAssetId.name is considered invalid for enabling the public read access and therefore the public read access feature will not be
enabled for that specific asset. However, granting read access to particular BPNs is still possible, as it will be showcased below in
section Example C - Grant access to specific BPN.
|
Example B - Grant public readable access
Using the SpecificAssetId registration endpoint to post SpecificAssetIds to an existing Asset Administration Shell:
[
{
"name": "manufacturerPartId",
"value": "231982",
"externalSubjectId": {
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "PUBLIC_READABLE"
}
]
}
}
]
All readers of this Asset Administration Shell can read the specificAssetId because it is a manufacturerPartId
(also works for assetLifecyclePhase
) and it has been marked
as PUBLIC_READABLE
.
Allow read access to particular BPNs
Assign an externalSubjectId
to each specific asset of an Asset Administration Shell for which you want to grant read access. In the externalSubjectId
you can
add the BPN that is allowed to read the specific asset.
This functionality is facilitated by the comparison with the BPN header sent in API requests to the Digital Twin Registry, as described in How read access is facilitated to data consumers.
Example C - Grant access to specific BPN
Below example depicts the scenario of two dedicated business partners who can read this specific Asset Administration Shell.
As shown below, the specific Asset Administration Shell has to be defined twice because the externalSubjectId
attribute holds one BPN access.
[
{
"name": "manufacturerId",
"value": "123829238",
"externalSubjectId": {
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "BPN_COMPANY_001"
}
]
}
},
{
"name": "manufacturerId",
"value": "123829238",
"externalSubjectId": {
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "BPN_COMPANY_002"
}
]
}
}
]
Secure the list of BPNs having access
The business partners who can discover the existence of an Asset Administration Shell and thus its Asset Administration Shell Descriptor cannot discover which are the other business partners who also may find the same Asset Administration Shell, i.e. which other BPNs are assigned to the specific asset IDs.
Considering above example Example C - Grant access to specific BPN, the business partner "BPN_COMPANY_002" cannot detect that "BPN_COMPANY_001" also may discover the Asset Administration Shell via the specific asset ID manufacturerId
with value 123829238
, because this information is omitted in the API response that business partner 002 receives. Below example shows how the response looks like
for business partner 002:
[
{
"name": "manufacturerId",
"value": "123829238",
"externalSubjectId": {
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "BPN_COMPANY_002"
}
]
}
}
]
Combining the BPN-based and public readable read accesses and securing the read access list
Let’s assume the below scenario, in which the owner of the Asset Administration Shell Descriptor entity wants to grant read access to the Asset Administration Shell Descriptor for the following third parties for specific assets:
-
Business partner 001
-
Business partner 002
-
Business partner 003
In this example the Asset Administration Shell Descriptor entity has four specific asset IDs:
-
partInstanceId
— which is something the owner wants to keep private to themselves -
customerPartId
— which the owner wants to share with only one business partner -
manufacturerId
— which the owner wants to share with two business partners -
manufacturerPartId
— which the owner wants to be always readable for all business partners
In this example, the owner wants to allocate read access as detailed in the following table:
partInstanceId |
customerPartId |
manufacturerId |
manufacturerPartId |
|
---|---|---|---|---|
Business partner 001 |
— |
read access |
read access |
public readable |
Business partner 002 |
— |
— |
read access |
public readable |
Business partner 003 |
— |
— |
— |
public readable |
To achieve read access as indicated in the table, the owner of the Asset Administration Shell Descriptor entity needs to shape the specificAssetIds
as follows:
[
{
"name": "partInstanceId",
"value": "24975539203421"
},
{
"name": "customerPartId",
"value": "231982",
"externalSubjectId":
{
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "BPN_COMPANY_001"
}
]
}
},
{
"name": "manufacturerId",
"value": "123829238",
"externalSubjectId":
{
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "BPN_COMPANY_001"
}
]
}
},
{
"name": "manufacturerId",
"value": "123829238",
"externalSubjectId":
{
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "BPN_COMPANY_002"
}
]
}
},
{
"type": "GlobalReference",
"name": "manufacturerPartId",
"value": "231982",
"externalSubjectId":
{
"type": "ExternalReference",
"keys": [
{
"type": "GlobalReference",
"value": "PUBLIC_READABLE"
}
]
}
}
]
The following examples detail the response which each user receives when requesting the Asset Administration Shell Descriptor entity.
Note that if the Asset Administration Shell Descriptor entity is accessible through a BPN number or a public readable key, then only the id
, specificAssetIds
,
submodelDescriptors
and groups
attributes are provided.
For clarity, the containment of submodelDescriptors
and groups
are left empty in all the examples below. However, it is important to note that
all the submodel descriptors belonging to the Asset Administration Shell Descriptor entity and all the shell groups to which the Asset Administration Shell Descriptor entity belongs, are shared with the partners.
Example D - Accessing the Asset Administration Shell Descriptor entity as owner
{
"id":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"idShort":"Sensor_BNPL001000TS123_377-9efa-67gh023",
"globalAssetId":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"displayName":[
{
"language":"de",
"text":"Sensor fuer Auto"
},
{
"language":"en",
"text":"Sensor for car"
}
],
"description":[
{
"language":"de",
"text":"Das ist ein Beispiel."
},
{
"language":"en",
"text":"this is an example"
}
],
"assetKind":"Instance",
"assetType":"urn:uuid:123e4567-e89b-12d3-a456-896655440001",
"specificAssetIds":[
{
"name":"partInstanceId",
"value":"24975539203421"
},
{
"name":"customerPartId",
"value":"231982",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"BPN_COMPANY_001"
}
]
}
},
{
"name":"manufacturerId",
"value":"123829238",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"BPN_COMPANY_001"
}
]
}
},
{
"name":"manufacturerId",
"value":"123829238",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"BPN_COMPANY_002"
}
]
}
},
{
"type":"GlobalReference",
"name":"manufacturerPartId",
"value":"231982",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"PUBLIC_READABLE"
}
]
}
}
],
"submodelDescriptors":[
{
"id":"sensorEndpoint1",
"idShort":"exampleSubModelShortId",
"description":[
{
"language":"en",
"text":"sensor submodel"
}
],
"endpoints":[
{
"interface":"interfaceName",
"protocolInformation":{
"href":"https://edc.data.plane/sensor/submodel",
"endpointProtocol": "https",
"subprotocol": "DSP",
"subprotocolBody": "id=123;dspEndpoint=http://edc.control.plane/",
"subprotocolBodyEncoding":"plain",
"endpointProtocolVersion":["1.1.0"],
"securityAttributes":[
{
"type":"RFC_TLSA",
"key":"key1",
"value":"mySecurityValue"
}
]
}
}
],
"semanticId":{
"keys":[
{
"value":"abc",
"type":"Blob"
}
],
"value":"urn:samm:net.catenax.vehicle.submodelExample:2.0.0#Parts",
"type":"ExternalReference"
}
}
],
"groups":["sensor_group"],
"labels":["sensor"]
}
Example E - Accessing the Asset Administration Shell Descriptor entity as "BPN_COMPANY_001" BPN
As shown below, the business partner 001 is not aware about the sharing details with other partners.
{
"id":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"idShort":"Sensor_BNPL001000TS123_377-9efa-67gh023",
"globalAssetId":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"displayName":[...],
"description":[...],
"assetKind":"Instance",
"assetType":"urn:uuid:123e4567-e89b-12d3-a456-896655440001",
"specificAssetIds":[
{
"name":"customerPartId",
"value":"231982",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"BPN_COMPANY_001"
}
]
}
},
{
"name":"manufacturerId",
"value":"123829238",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"BPN_COMPANY_001"
}
]
}
},
{
"type":"GlobalReference",
"name":"manufacturerPartId",
"value":"231982",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"PUBLIC_READABLE"
}
]
}
}
],
"submodelDescriptors":[...],
"groups":[...],
"labels":[...]
}
Example F - Accessing the Asset Administration Shell Descriptor entity as "BPN_COMPANY_002" BPN
As shown below, the business partner 002 is not aware about the sharing details with other partners.
{
"id":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"idShort":"Sensor_BNPL001000TS123_377-9efa-67gh023",
"globalAssetId":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"displayName":[...],
"description":[...],
"assetKind":"Instance",
"assetType":"urn:uuid:123e4567-e89b-12d3-a456-896655440001",
"specificAssetIds":[
{
"name":"manufacturerId",
"value":"123829238",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"BPN_COMPANY_002"
}
]
}
},
{
"type":"GlobalReference",
"name":"manufacturerPartId",
"value":"231982",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"PUBLIC_READABLE"
}
]
}
}
],
"submodelDescriptors":[...],
"groups":[...],
"labels":[...]
}
Example G - Accessing the Asset Administration Shell Descriptor entity using public readable access
As shown below, the business partner 003 has access only to assets marked for public read access, and is not aware about the sharing details with other partners.
Also note that a user accessing a Shell via public readable access has only access to the Shell id, specificAssetIds and submodelDescriptors. Other fields are omitted.
{
"id":"urn:uuid:123e4567-e89b-12d3-a456-426655440000",
"specificAssetIds":[
{
"name":"manufacturerPartId",
"value":"231982",
"externalSubjectId":{
"type":"ExternalReference",
"keys":[
{
"type":"GlobalReference",
"value":"PUBLIC_READABLE"
}
]
}
}
],
"submodelDescriptors":[...],
}