Fiware-Orion: subscription access control

I would like to know if the following scenario is possible:

An instance of the Fiware Orion Context Broker that various data providers connect to in order to publish their data. For each item of data (context), a particular data provider must be able to control which application or data user can subscribe to that context. Is this possible with Orion? How can I do that?

I looked at the multitenant model, but I think this is not the correct way to do it. Am I right? Are there any alternatives? You can secure your Orion instance with a PEP proxy, but I'm guessing it doesn't allow for subscription-based access control.

Any hints would be much appreciated.



1 answer


The scenario you suggest could be implemented, if I understood correctly, with the Steelskin PEP proxy and the multitenant engine (but with some problems).

In your scenario, your entire application will be a service (specified in all transactions using the Fiware-Service header), and each data provider will own a dedicated subservice (specified with the Fiware-ServicePath header). All users (the administrators from the data providers as well as the end users and applications) will be users of this service. Using XACML, different permissions can be assigned to each action and user in different roles. For example, you can create a dataProvider role with full permissions under its subservice and a dataConsumer role that is only able to subscribe and read.

There are some issues in this scenario, mainly related to who creates users and roles and who assigns roles to users. To use Steelskin, you need to map services to Keystone Domains and subservices to Keystone Projects, and users belong to the domain. It is the domain (service) administrator who is in charge of creating users, so in your case the data providers won't be able to create new users (and perhaps not even designate them as subservice clients).



If you want an example on how to put these things together to achieve this, take a look at:

https://github.com/telefonicaid/fiware-pep-steelskin/blob/master/keystoneInstallation.md

Hope it helps

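To make the decision model in the answer concrete, here is an added Python illustration (not code from Orion, Steelskin or Keystone): one service named in the Fiware-Service header, one subservice per data provider named in the Fiware-ServicePath header, and the two roles from the answer. The mapping of HTTP method and path to an action, the policy table and the prefix matching of service paths are all assumptions made for this example; a real deployment gets these from the PEP proxy's configuration and the XACML policies.

```python
"""Toy policy check for the Orion multitenant scenario described above.

Added example, not the PEP proxy's own logic. Assumed: a request is allowed
when the caller holds, in the same service and (sub)service path, a role whose
permitted actions include the action derived from the request.
"""
from dataclasses import dataclass, field


def classify_action(method: str, path: str) -> str:
    """Derive a coarse action from an NGSI v2 request (assumed mapping).

    Subscription management is its own action so that a consumer role can
    subscribe without being able to write context data.
    """
    if path.startswith("/v2/subscriptions"):
        return "subscribe" if method in ("POST", "PATCH", "DELETE") else "read"
    if method == "GET":
        return "read"
    return "write"


# Hypothetical role -> allowed actions, mirroring the answer's two roles.
POLICY = {
    "dataProvider": {"read", "write", "subscribe"},
    "dataConsumer": {"read", "subscribe"},
}


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    service: str      # value of the Fiware-Service header (the whole application)
    servicepath: str  # value of the Fiware-ServicePath header (one data provider)
    role: str


@dataclass(frozen=True)
class Request:
    user: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def path_covers(assigned: str, requested: str) -> bool:
    """A role granted at /provider1 also covers /provider1/sensors (assumption)."""
    assigned = assigned.rstrip("/") or "/"
    return requested == assigned or requested.startswith(assigned + "/")


def is_allowed(req: Request, assignments: list) -> bool:
    service = req.headers.get("Fiware-Service")
    if service is None:
        return False  # no tenant named: deny rather than fall back to a default
    servicepath = req.headers.get("Fiware-ServicePath", "/")
    action = classify_action(req.method, req.path)
    for a in assignments:
        if a.user != req.user or a.service != service:
            continue
        if path_covers(a.servicepath, servicepath) and action in POLICY.get(a.role, set()):
            return True
    return False


# Constructed sample data: two providers, one consumer, one application.
ASSIGNMENTS = [
    RoleAssignment("alice", "myapp", "/provider1", "dataProvider"),
    RoleAssignment("carol", "myapp", "/provider2", "dataProvider"),
    RoleAssignment("bob", "myapp", "/provider1", "dataConsumer"),
]


def demo() -> dict:
    """Evaluate a few constructed requests and return label -> decision."""
    h1 = {"Fiware-Service": "myapp", "Fiware-ServicePath": "/provider1"}
    h2 = {"Fiware-Service": "myapp", "Fiware-ServicePath": "/provider2"}
    cases = {
        "bob subscribes in provider1": Request("bob", "POST", "/v2/subscriptions", h1),
        "bob reads provider1 entities": Request("bob", "GET", "/v2/entities", h1),
        "bob writes provider1 entity": Request("bob", "POST", "/v2/entities", h1),
        "bob subscribes in provider2": Request("bob", "POST", "/v2/subscriptions", h2),
        "alice writes provider1 entity": Request("alice", "POST", "/v2/entities", h1),
        "alice writes provider2 entity": Request("alice", "POST", "/v2/entities", h2),
        "alice without tenant header": Request("alice", "GET", "/v2/entities", {}),
    }
    return {label: is_allowed(r, ASSIGNMENTS) for label, r in cases.items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {'allow' if decision else 'deny'}")
```

The interesting cases are the denials: the consumer can subscribe inside the provider's subservice but cannot write there or subscribe in another provider's subservice, and a request with no Fiware-Service header is refused outright instead of being routed to a default tenant.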