
document resource centered authorization workflows #138

Closed
elf-pavlik opened this issue Jul 7, 2021 · 6 comments · Fixed by #320

Comments

elf-pavlik (Member)

To my understanding, applications will be able to delegate to the Authorization Agent the sharing of a specific resource with specific audiences. I see a need to document this workflow, including 'share with' screens similar to the consent screens we currently have in the spec.

It seems that it will require an operation for the Authorization Agent to update / create data grants based on this sharing activity.


justinwb commented Aug 3, 2021

@elf-pavlik I think that this would fall in the realm of how trusted grants are presented / managed, with the authorization becoming a trusted agent upon receipt of a trusted grant. Does that sound right?

elf-pavlik (Member, Author)

I didn't think about trusted grants here. So far we take an agent-centered approach when we grant access. I think we should also go over a resource-based approach. For example, if we want to share a specific event with certain agents, the event management app would send us to the authorization agent with a reference to that resource. There the AA would most likely make our address book available to us to select who we want to share the event with. In the end, for each of those agents we share that event with, access grants would need to be updated to accommodate the addition of access to that event (e.g. new SelectedInstances grants created).


justinwb commented Aug 3, 2021

Ah, I totally misread that initially. You're right, we should support simple / resource-based sharing. I guess this would be akin to Google Drive / Dropbox style sharing. The real question is how to make sure this still fits nicely with the data reg / data instance pattern.

elf-pavlik (Member, Author)

I think data registrations wouldn't get surfaced to the user in that workflow. They would share a specific Data Instance and possibly some inheritance related to it. I think in most cases, if some agent hasn't already had access to that Data Instance, a new SelectedInstances Data Grant would be issued for them.
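The decision described in this thread (when sharing one Data Instance with a set of agents, leave agents who already have access alone, extend an existing selected-instances grant where one exists, and otherwise issue a new SelectedInstances grant), as an added example. This is illustrative code written for this page, not code from the issue, the spec or any implementation; the scope names, agent names and registration names are constructed placeholders and are not the spec's vocabulary.

```python
"""Toy model of resource-centered sharing layered on agent-centered data grants."""
from dataclasses import dataclass, field

# Hypothetical scope names used only in this example (not the spec's terms).
ALL_FROM_REGISTRY = "AllFromRegistry"
SELECTED_INSTANCES = "SelectedInstances"


@dataclass
class DataGrant:
    grantee: str            # agent receiving access (e.g. a WebID)
    registration: str       # data registration the instance lives in
    scope: str              # ALL_FROM_REGISTRY or SELECTED_INSTANCES
    instances: set = field(default_factory=set)  # only meaningful for SELECTED_INSTANCES

    def covers(self, registration, instance):
        """True if this grant already gives its grantee access to `instance`."""
        if self.registration != registration:
            return False
        return self.scope == ALL_FROM_REGISTRY or instance in self.instances


def grants_for(grants, grantee, registration):
    return [g for g in grants if g.grantee == grantee and g.registration == registration]


def share_instance(grants, registration, instance, audience):
    """Update `grants` in place so every agent in `audience` can reach `instance`.

    Returns which agents got a new grant, an updated grant, or needed nothing,
    so an authorization agent could preview the change on a 'share with' screen.
    The operation is idempotent: running it twice changes nothing the second time.
    """
    outcome = {"created": [], "updated": [], "unchanged": []}
    for agent in audience:
        existing = grants_for(grants, agent, registration)
        if any(g.covers(registration, instance) for g in existing):
            outcome["unchanged"].append(agent)
            continue
        selected = next((g for g in existing if g.scope == SELECTED_INSTANCES), None)
        if selected is not None:
            # Agent already holds a selected-instances grant: extend it rather than
            # issuing a second, overlapping grant for the same registration.
            selected.instances.add(instance)
            outcome["updated"].append(agent)
        else:
            grants.append(DataGrant(agent, registration, SELECTED_INSTANCES, {instance}))
            outcome["created"].append(agent)
    return outcome


def sample_grants():
    """Constructed starting state: alice sees the whole 'events' registration,
    bob was previously given one selected event, carol has nothing."""
    return [
        DataGrant("alice", "events", ALL_FROM_REGISTRY),
        DataGrant("bob", "events", SELECTED_INSTANCES, {"event-1"}),
    ]


def demo():
    grants = sample_grants()
    first = share_instance(grants, "events", "event-2", ["alice", "bob", "carol"])
    second = share_instance(grants, "events", "event-2", ["alice", "bob", "carol"])
    return first, second, grants


if __name__ == "__main__":
    first, second, grants = demo()
    print("first share: ", first)
    print("second share:", second)
    for g in grants:
        print(g)
```

The point of checking `covers` first is that a broad grant (here `AllFromRegistry`) must not be shadowed by a narrower per-instance grant, and that re-sharing the same resource must not pile up duplicate grants that later have to be revoked one by one.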

elf-pavlik (Member, Author)

I think #253 looks relevant: it initiates the flow from an app, but instead of passing just a resource IRI, it creates an Access Need Group.


elf-pavlik commented Feb 27, 2023

#299 notes:

@justinwb: In an access need group there is an access scenario. It allows expressing that this is a general use case. There is also a case that someone asks directly point-to-point. We have two access scenarios, "shared access" and "personal access". For most apps, that still can be modeled. You can make an access need group for that context and set the scenario as a personal access, which allows for adding more detail.
