From 0b7ac922ed45dd1c1ed9a03dc6a2e084ae644668 Mon Sep 17 00:00:00 2001 From: aorzelskiGH Date: Fri, 17 Apr 2026 17:12:11 +0200 Subject: [PATCH] docs(access-rules): clarify Descriptor FieldIdentifier applicability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit $aasdesc / $smdesc address Registry metadata. In deployments without a Registry profile, access rules that use these prefixes have no data to evaluate against. This PR documents: - the data is only available in Registry profiles (per IDTA-01002 "FieldIdentifier Applicability per Profile"); - rules that reference $aasdesc / $smdesc in non-Registry deployments are treated as "not applicable" — neither grant nor deny — and MUST NOT cause evaluation to fail; - implementations SHOULD scope Descriptor-based rules to deployments where at least one Registry profile is supported. Refs: Review Finding T-07 Made-with: Cursor --- .../IDTA-01004/modules/ROOT/pages/access-rule-model.adoc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/documentation/IDTA-01004/modules/ROOT/pages/access-rule-model.adoc b/documentation/IDTA-01004/modules/ROOT/pages/access-rule-model.adoc index 82e4493..d54a704 100644 --- a/documentation/IDTA-01004/modules/ROOT/pages/access-rule-model.adoc +++ b/documentation/IDTA-01004/modules/ROOT/pages/access-rule-model.adoc 
@@ -273,6 +273,15 @@ For HTTP/REST APIs the examples in xref:annex/route-examples.adoc[] show how ROU An Object Group defines a list of single objects and/or a list of names of other object groups. +[[descriptor-applicability]] +===== Descriptor FieldIdentifier Applicability + +Descriptor-based FieldIdentifiers (`$aasdesc`, `$smdesc`) address metadata that is only available when the deployment implements a Registry profile according to IDTA-01002 (for example `AssetAdministrationShellRegistryServiceSpecification/SSP-001` or `SubmodelRegistryServiceSpecification/SSP-001`). + +In deployments that do not expose Registry endpoints (pure Repository profiles such as `AssetAdministrationShellRepositoryServiceSpecification/SSP-002`), access rules that reference `$aasdesc` or `$smdesc` are *not applicable*: the referenced metadata does not exist in the deployment, so the rule neither grants nor denies access. Evaluation MUST NOT fail because of such a rule; the rule is skipped for that request and any other applicable rules continue to apply. + +Implementations SHOULD therefore scope Descriptor-based rules to deployments in which at least one Registry profile is supported. The concrete applicability per IDTA-01002 profile is listed in IDTA-01002 § "Service Specifications and Profiles", sub-section xref:IDTA-01002:http-rest-api/service-specifications-and-profiles.adoc#fieldidentifier-applicability[FieldIdentifier applicability per profile]. + ==== Formulas [source,bnf,linenums]
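Review bot: In the second added paragraph ("the rule neither grants nor denies access ... the rule is skipped for that request"), the effect of a skipped rule on the final decision is left open in two places that matter for enforcement. First, the text does not say what the decision is when every rule that matches a request is skipped as not applicable; please state that outcome explicitly (for example, that the request is handled exactly as if no rule had matched) so implementations cannot diverge toward granting. Second, "access rules that reference `$aasdesc` or `$smdesc`" does not say whether a rule whose formula combines a Descriptor FieldIdentifier with other conditions is skipped as a whole or only has that term treated as unevaluable; a restrictive rule dropped silently while "any other applicable rules continue to apply" can leave a broader grant in force. The skip itself is also written descriptively ("the rule is skipped") next to a normative MUST NOT; if skipping is required behaviour, phrase it with a keyword. Finally, the SHOULD in the third paragraph is addressed to "Implementations", although scoping rules to a deployment is something rule authors or operators do; consider naming them, and recommending that implementations report Descriptor-based rules found in a non-Registry deployment when the rule set is loaded, so the mismatch is visible rather than silent.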