Security Metamodel #63
Unanswered
gillistephan asked this question in Q&A
Replies: 1 comment
"If Subject X has the Permission Read on the AAS itself, does this implicitly also apply Permission Read to all Submodels?" No, the permission for the AAS just includes access to the references to the submodels, i.e. to their logical IDs. The next step is to get the endpoint of the submodel, e.g. via the digital twin registry. But it is not ensured you will have access; every submodel can have its own access policies.
Hi everyone, I have a question / looking for some hints regarding the (1) modeling and implications of the Security Metamodel in order to implement proper authz and (2) scenarios for operation.
Question 1:
To keep it simple, I will not refer to the actual properties in the AAS itself and only use the basic relations (read, write) between Subjects and Objects. Let's assume the case where we want to model an AAS with some Submodels and the respective Security. For the easy case that some Subject X has Permission Read on Submodel Y, the evaluation is pretty straightforward when Subject X requests access to Submodel Y. A little more difficult case would be when Subject X has Permission Read on the AAS Z itself. While there are no further constraints on Submodels, the question is: If Subject X has the Permission Read on the AAS itself, does this implicitly also apply Permission Read to all Submodels? The same holds true for the question: If Subject X has Write Permission on Submodel Y, does this implicitly apply the Permission Read? If Subject X has Read Permission on Submodel Y and Submodel Y references any ConceptDescription, does this implicitly apply the Permission Read to the ConceptDescription?
I hope my point is clear. So the overall question is: Can subjects be recursive (by not only referencing a specific subject but also a set of subjects) or should / must indirections be modeled? It would be good to get some clarification here, as the implementations of a checker would be considerably different.
Question 2:
Are there any best practices / or implementations going on for AAS-Runtimes?
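The reply's reading of the first case, sketched as a checker: Read on the AAS exposes only the submodel references, the endpoint is then looked up, and each submodel is evaluated against its own policy. This is an added example, not code from the thread or from any AAS implementation; the identifiers, the registry dictionary and the default-deny handling of objects without a grant are assumptions, and the Write/Read and ConceptDescription cases, which the thread leaves open, are not modeled.

```python
# Constructed sample data; every identifier and URL here is hypothetical.
# Each object carries its own set of explicitly granted (subject, permission) pairs.
POLICIES = {
    "aas:Z": {("X", "read")},
    "sm:Y1": {("X", "read")},
    "sm:Y2": set(),  # submodel with its own policy and no grant for X
}
AAS_SUBMODEL_REFS = {"aas:Z": ["sm:Y1", "sm:Y2"]}  # logical IDs only
REGISTRY = {  # stand-in for the digital twin registry: logical ID -> endpoint
    "sm:Y1": "https://registry.example.invalid/submodels/Y1",
    "sm:Y2": "https://registry.example.invalid/submodels/Y2",
}


def is_permitted(subject, permission, object_id):
    """Check only grants attached to the object itself (assumed default deny)."""
    return (subject, permission) in POLICIES.get(object_id, set())


def list_submodel_refs(subject, aas_id):
    """Read on the AAS yields the submodel references, nothing more."""
    if not is_permitted(subject, "read", aas_id):
        raise PermissionError(f"{subject} may not read {aas_id}")
    return list(AAS_SUBMODEL_REFS.get(aas_id, []))


def resolve_and_check(subject, aas_id):
    """Follow each reference, look up its endpoint, and evaluate the
    submodel's own policy; nothing is inherited from the AAS."""
    outcome = {}
    for ref in list_submodel_refs(subject, aas_id):
        endpoint = REGISTRY.get(ref)
        if endpoint is None:
            outcome[ref] = ("unresolved", None)
        elif is_permitted(subject, "read", ref):
            outcome[ref] = ("allowed", endpoint)
        else:
            outcome[ref] = ("denied", None)
    return outcome


if __name__ == "__main__":
    for ref, (decision, endpoint) in resolve_and_check("X", "aas:Z").items():
        print(ref, decision, endpoint or "-")
```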