Details
Type: Monitor
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: None
Component/s: FIWARE-TECH-HELP
Labels:
Description
Created question in FIWARE Q/A platform on 29-08-2022 at 22:08
Please, ANSWER this question AT https://stackoverflow.com/questions/73535332/fiware-context-broker-access-control-rules-by-entity-type
Question:
Fiware context broker access control rules by entity type
Description:
Is it possible to configure access-control rules for Orion-LD/the FIWARE context broker based on the entity type? Or, alternatively, on the presence of some attributes in the entities?
A similar question was asked here: Get a list of all resources accessible to users in FIWARE. The answer seems to imply that in the so-called Advanced Authorization scenario it is possible to achieve something like this by means of XACML filters for broker endpoints, allowing for instance GET access to the endpoint /entities?type=SomeEntityType for certain users. However, this appears like a very brittle solution, since the type query parameter may be preceded by other params in a real-world request. Furthermore, there are other ways to filter resources returned by the /entities endpoint, e.g. by means of parameters q or attrs (according to the NGSI-LD spec, https://www.etsi.org/deliver/etsi_gs/CIM/001_099/009/01.06.01_60/gs_CIM009v010601p.pdf, see 6.4.3.2), hence separate rules would be needed for all of these and it seems impossible to keep them consistent. Ideally, I would also like GET requests to /entities/ to be evaluated against the type of the entity, without configuring this individually for every entity.
Am I missing a simple solution to this problem?
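An added example, not part of the original question or of any FIWARE component: a Python sketch contrasting a literal URL match with a decision made on the parsed `type` parameter, which is the brittleness the question describes. The user name, allow-list and function names are hypothetical, and `type` is assumed to be a comma-separated list of type names.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: hypothetical per-user allow-list of entity types.
ALLOWED_TYPES = {"alice": {"SomeEntityType"}}


def brittle_rule(user, method, url):
    """Literal match on path plus query string, like a URL-pattern rule."""
    return (method == "GET"
            and "SomeEntityType" in ALLOWED_TYPES.get(user, set())
            and url == "/entities?type=SomeEntityType")


def parsed_rule(user, method, url):
    """Decide on the parsed `type` parameter, wherever it sits in the query."""
    parts = urlsplit(url)
    if method != "GET" or parts.path != "/entities":
        return False
    values = parse_qs(parts.query, keep_blank_values=True).get("type", [])
    if len(values) != 1:
        # No type (q or attrs alone can match any type) or a repeated one: deny.
        return False
    requested = set(values[0].split(","))
    # Every requested type must be allowed; an empty name is rejected.
    return "" not in requested and requested <= ALLOWED_TYPES.get(user, set())


# Constructed sample requests.
SAMPLES = [
    "/entities?type=SomeEntityType",
    "/entities?attrs=temperature&type=SomeEntityType",
    "/entities?q=temperature>20",
    "/entities?type=SomeEntityType,OtherType",
    "/entities?type=SomeEntityType&type=OtherType",
]


def compare(user="alice"):
    """Return (url, brittle decision, parsed decision) for each sample."""
    return [(u, brittle_rule(user, "GET", u), parsed_rule(user, "GET", u))
            for u in SAMPLES]


if __name__ == "__main__":
    for url, brittle, parsed in compare():
        print(f"{url:50} brittle={brittle!s:5} parsed={parsed}")
```

Requests to a single entity carry no type in the URL, so a check like this would need the stored entity's type from the broker before deciding.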