Skip to content

Protect and/or hide sensitive data elements #1376

Description

@danielskovli

Description

Certain apps require the ability to store and interact with data elements that should be hidden or otherwise restricted from the active user. The primary use case is to provide the receiving system and case owner with enough information to answer the case. Some of that information may be information not available to the active user, but available to the service owner owning the service.

The app should be able to create these data elements without the user gaining access to read the content.

Proposed implementation

With the current app authorization infrastructure, the app itself does not have an identity. For this reason, we cannot allow the app to read back the data of sensitive data elements without an appropriate token. Should the app require to read this data after initially writing it, an org-token (via Maskinporten) will be required.

  1. Create new properties for Storage.DataType:
    • ActionRequiredToRead: An optional user-action that is required to read (get) data elements of this type. In addition to instance.read, which always required
    • ActionRequiredToWrite: An optional user-action that is required to write (post/put/del) data elements of this type. In addition to instance.write, which is always required
  2. The new properties are specified in applicationmetadata.json along with the existing configuration in the dataTypes section
  3. The relevant user-actions are assigned to matching users in policy.xml
  4. App.DataController and Storage.DataController adds the following auth checks:
    • Get: Requires ActionRequiredToRead
    • Post/put/patch/del: Required ActionRequiredToWrite
  5. Every time the app returns a list of data elements, it should filter out items the current user does have read access to. This filtration will occur in the following general areas:
    • Instance endpoint
    • Process endpoint
    • Datacontroller/Patch endpoints
      • This filtration will incur additional calls to authorization, in order to determine if the user can read objects of certain types. However, these calls will only need to be performed if data elements of restricted types are found for a given task
  6. The filtration of data elements happens in the App not in Storage, so the element IDs are more readily accessible for backend hooks (validators, etc) should they need to read this data.
    • However, should the app need to read a restricted data element outside of an appropriate user context, an org-token must be generated with the IMaskinportenClient to be used for this purpose
      • This will come with additional setup requirements for the app developer
  7. Because of the abovemention filtration, the frontend code does not need to be adjusted to support this feature

Notes/questions

The Altinn Receipt app runs queries directly to Storage, which will in turn return a list of unfiltered data elements. If any of these elements are restricted in a way that prohibits the current user from reading them, how does the app respond or otherwise present this to the user? Should we implement filtering in this app as well?

Update: The Altinn Receipt app only queries the instance object for a given instance, which contains metadata for all data elements. This includes sensitive data elements. However, it only displays data elements without appLogic, and even then only provides a list the user may click to view the attachment.

The mere existence of a sensitive data element is not a secret, and the Storage service will continue to gatekeep read-access to these elements regardless of which front-end app is used.

In summary: This seems like non-issue from my perspective.

Affected libs and services

Metadata

Metadata

Assignees

Labels

backport-ignoreThis PR is a new feature and should not be cherry-picked onto release branches

Fields

No fields configured for Feature.

Projects

Status
✅ Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions