| RFC 9670 | JMAP Sharing | November 2024 |
| Jenkins | Standards Track | [Page] |
This document specifies a data model for sharing data between users using the JSON Meta Application Protocol (JMAP). Future documents can reference this document when defining data types to support a consistent model of sharing.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9670.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
The JSON Meta Application Protocol (JMAP)[RFC8620] is a generic protocol for synchronizing data, such as mail, calendars, or contacts, between a client and a server. It is optimized for mobile and web environments and provides a consistent interface to query, read, and modify different data types, including comprehensive error handling.¶
This specification defines a data model to represent entities in a collaborative environment and a framework for sharing data between them that can be used to provide a consistent sharing model for different data types. It does not definewhat may be shared or the granularity of permissions, as this will depend on the data in question.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14[RFC2119][RFC8174] when, and only when, they appear in all capitals, as shown here.¶
Type signatures, examples, and property descriptions in this document follow the conventions established inSection 1.1 of [RFC8620]. Data types defined in the core specification are also used in this document.¶
Examples of API exchanges only show the methodCalls array of the Request object or the methodResponses array of the Response object. For compactness, the rest of the Request/Response object is omitted.¶
The same terminology is used in this document as in the core JMAP specification. See[RFC8620],Section 1.6.¶
The terms "Principal" and "ShareNotification" (with this specific capitalization) are used to refer to the data types defined in this document and instances of those data types.¶
A Principal (seeSection 2) represents an individual, team, or resource (e.g., a room or projector). The object contains information about the entity being represented, such as a name, description, and time zone. It may also hold domain-specific information. A Principal may be associated with zero or more Accounts (see[RFC8620],Section 1.6.2) containing data belonging to the Principal. Managing the set of Principals within a system is out of scope for this specification, as it is highly domain specific. It is likely to map directly from a directory service or other user management system.¶
Data types may allow users to share data with others by assigning permissions to Principals. When a user's permissions are changed, a ShareNotification object is created for them so a client can inform the user of the changes.¶
Permissions determine whether a usermay access data but not whether theywant to. Some shared data is of equal importance as the user's own, while other data is just there should the user wish to explicitly go find it. Clients will often want to differentiate the two. For example, a company may share mailing list archives for all departments with all employees, but a user may only generally be interested in the few they belong to. They would havepermission to access many mailboxes but cansubscribe to just the ones they care about. The client would provide separate interfaces for reading mail in subscribed mailboxes and browsing all mailboxes they have permission to access in order to manage those that they are subscribed to.¶
The JMAP Session object (see[RFC8620],Section 2) is defined to include an object in the "accounts" property for every Account that the user has access to. Collaborative systems may share data between a very large number of Principals, most of which the user does not care about day to day. For servers implementing this specification, the Session objectMUST only include Accounts where either the user is subscribed to at least one record (see[RFC8620],Section 1.6.3) in the Account or the Account belongs to the user. StateChange events ([RFC8620],Section 7.1) for changes to dataSHOULD only be sent for data the user has subscribed to andMUST NOT be sent for any Account where the user is not subscribed to any records in the Account, except where that Account belongs to the user.¶
The serverMAY reject the user's attempt to subscribe to some resources even if they have permission to access them (e.g., a calendar representing a location).¶
A user can query the set of Principals they have access to with "Principal/query" (seeSection 2.4). The Principal object will contain an Account object for all Accounts where the user has permission to access data for that Principal, even if they are not yet subscribed.¶
The capabilities object is returned as part of the JMAP Session object; see[RFC8620],Section 2. This document defines two additional capability URIs.¶
Theurn:ietf:params:jmap:principals capability represents support for the Principal and ShareNotification data types and associated API methods.¶
The value of this property in the JMAP Session "capabilities" property is an empty object.¶
The value of this property in an Account's "accountCapabilities" property is an object thatMUST contain the following information on server capabilities and permissions for that Account:¶
Id|nullThe URIurn:ietf:params:jmap:principals:owner is solely used as a key in an Account's "accountCapabilities" property. It does not appear in the JMAP Session capabilities -- support is indicated by theurn:ietf:params:jmap:principals URI being present in the session capabilities.¶
Ifurn:ietf:params:jmap:principals:owner is a key in an Account's "accountCapabilities" property, that Account (and the data therein) is owned by a Principal. Some Accounts may not be owned by a Principal (e.g., the Account that contains the data for the Principals themselves), in which case this property is omitted.¶
The value of this property is an object with the following properties:¶
A Principal represents an individual, a group, a location (e.g., a room), a resource (e.g., a projector), or another entity in a collaborative environment. Sharing in JMAP is generally configured by assigning rights to certain data within an Account to other Principals. For example, a user may assign permission to read their calendar to a Principal representing another user or their team.¶
In a shared environment, such as a workplace, a user may have access to a large number of Principals.¶
In most systems, the user will have access to a single Account containing Principal objects. In some situations, for example, when aggregating data from different places, there may be multiple Accounts containing Principal objects.¶
APrincipal object has the following properties:¶
Id (immutable; server-set)StringThisMUST be one of the following values:¶
StringString|nullString|nullnull if no email is available. If given, the valueMUST conform to the "addr-spec" syntax, as defined in[RFC5322],Section 3.4.1.¶String|nullnull, the valueMUST be a time zone name from the IANA Time Zone Database[IANA-TZDB].¶String[Object] (server-set)Id[Account]|null (server-set)null if none.¶This is a standard "/get" method as described in[RFC8620],Section 5.1.¶
This is a standard "/changes" method as described in[RFC8620],Section 5.2.¶
Note: Implementations backed by an external directory may be unable to calculate changes. In this case, they will always return a "cannotCalculateChanges" error as described in the core JMAP specification.¶
This is a standard "/set" method as described in[RFC8620],Section 5.3.¶
Managing Principals is likely tied to a directory service or some other vendor-specific solution. This management may occur out of band or via an additional capability defined elsewhere. Allowing direct user modification of properties has security considerations, as noted inSection 6. A serverMUST reject any change it doesn't allow with a "forbidden" SetError.¶
Where a server does support changes via this API, itSHOULD allow an update to the "name", "description", and "timeZone" properties of the Principal with the same id as the "currentUserPrincipalId" in the Account capabilities. This allows the user to update their own details.¶
This is a standard "/query" method as described in[RFC8620],Section 5.5.¶
AFilterCondition object has the following properties, all of which are optional:¶
String[]StringStringStringStringStringAll given conditions in the FilterCondition object must match for the Principal to match.¶
Text matches for "contains"SHOULD be simple substring matches.¶
This is a standard "/queryChanges" method as described in[RFC8620],Section 5.6.¶
Note: Implementations backed by an external directory may be unable to calculate changes. In this case, they will always return a "cannotCalculateChanges" error as described in the core JMAP specification.¶
The ShareNotification data type records when the user's permissions to access a shared object changes. ShareNotifications are only created by the server; users cannot create them explicitly. They are stored in the same Account as the Principals.¶
Clients may present the list of notifications to the user and allow the user to dismiss them. To dismiss a notification, use a standard "/set" call to destroy it.¶
The serverSHOULD create a ShareNotification whenever the user's permissions change on an object. ItMAY choose not to create a notification for permission changes to a group Principal, even if the user is in the group, if this is more likely to be overwhelming than helpful, or if it would create excessive notifications within the system.¶
The serverMAY limit the maximum number of notifications it will store for a user. When the limit is reached, any new notification will cause the previously oldest notification to be automatically deleted.¶
The serverMAY coalesce notifications if appropriate or remove notifications after a certain period of time or that it deems are no longer relevant.¶
AShareNotification object has the following properties:¶
String (immutable; server-set)UTCDate (immutable; server-set)Entity (immutable; server-set)Who made the change. AnEntity object has the following properties:¶
String (immutable; server-set)Id (immutable; server-set)Id (immutable; server-set)String[Boolean]|null (immutable; server-set)String[Boolean]|null (immutable; server-set)String (immutable; server-set)This is a standard "/get" method as described in[RFC8620],Section 5.1.¶
This is a standard "/changes" method as described in[RFC8620],Section 5.2.¶
This is a standard "/set" method as described in[RFC8620],Section 5.3.¶
Only destroy is supported; any attempt to create/updateMUST be rejected with a "forbidden" SetError.¶
This is a standard "/query" method as described in[RFC8620],Section 5.5.¶
AFilterCondition object has the following properties, all of which are optional:¶
UTCDate|nullUTCDate|nullStringIdAll given conditions in the FilterCondition object must match for the ShareNotification to match.¶
This is a standard "/queryChanges" method as described in[RFC8620],Section 5.6.¶
Shareable data typesMUST define the following three properties:¶
Booleantrue indicates that the user wishes to subscribe to see this data. The valuefalse indicates that the user does not wish to subscribe to see this data. The initial value for this property when data is shared by another user is implementation dependent, although data types may give advice on appropriate defaults.¶String[Boolean]true if the user has the permission orfalse if they do not.¶Id[String[Boolean]]|nullThe value of this property isnull if the data is not shared with anyone. Otherwise, it is a map where each key is the id of a Principal with which this data is shared, and the value associated with that key is the rights to give that Principal, in the same format as the "myRights" property. The Account id for the Principal id can be found in the capabilities of the Account this object is in (seeSection 1.5.2).¶
Users with appropriate permission may set this property to modify who the data is shared with. The Principal that owns the Account that this data is inMUST NOT be in the map, since the owner's rights are implicit.¶
Suppose we are designing a data model for a very simple to-do list. There is a Todo data type representing a single item to do, each of which belongs to a single TodoList. The specification makes the TodoLists shareable by referencing this document and defining the common properties.¶
First, it would define a set of domain-specific rights. For example, a TodoListRights object may have the following properties:¶
BooleanBooleanBooleanThen in the TodoList data type, we would include the three common properties described inSection 4, in addition to any type-specific properties (like "name" in this case):¶
Id (immutable; server-set)StringBooleanfalse, clients should not display this TodoList with the user's other TodoLists but should provide a means for users to see and subscribe to all TodoLists that have been shared with them.¶TodoListRightsId[TodoListRights]|nullnull. Otherwise, it's a map where the keys are Principal ids and the values are the rights given to those Principals. Users with the "mayAdmin" right may set this property to modify who the data is shared with. The Principal that owns the Account that this data is inMUST NOT be in the map; their rights are implicit.¶We would also define a new Principal capability with two properties:¶
Id|nullBooleanA client wishing to let the user configure sharing would look at the "capabilities" for the Account containing the user's Todo data and find the "urn:ietf:params:jmap:principals:owner" property, as perSection 1.5.2. For example, the JMAP Session object might contain:¶
{ "accounts": { "u12345678": { "name": "jane.doe@example.com", "isPersonal": true, "isReadOnly": false, "accountCapabilities": { "urn:com.example:jmap:todo": {}, "urn:ietf:params:jmap:principals:owner": { "accountIdForPrincipal": "u33084183", "principalId": "P105aga511jaa" } } }, ... }, ...}From this, the client now knows which Account has the Principal data, and it can fetch the list of Principals and offer to share it with the user by making an API request like this:¶
[[ "Principal/get", { "accountId": "u33084183", "ids": null}, "0" ]]Here's an example response (where "Joe Bloggs" is another user that this user could share their TodoList with; Joe has not shared any of their own data with this user, so the "accounts" property isnull):¶
[[ "Principal/get", { "accountId": "u33084183", "state": "7b8eff5zz", "list": [{ "id": "P2342fnddd20", "type": "individual", "name": "Joe Bloggs", "description": null, "email": "joe.bloggs@example.com", "timeZone": "Australia/Melbourne", "capabilities": { "urn:com.example:jmap:todo": { "accountId": null, "mayShareWith": true } }, "accounts": null }, { "id": "P674pp24095qo49pr", "name": "Board room", "type": "location", ... }, ... ], "notFound": []}, "0" ]]A TodoList can be shared with "Joe Bloggs" by updating its shareWith property, as in this example request:¶
[[ "TodoList/set", { "accountId": "u12345678", "update": { "tl01n231": { "shareWith": { "P2342fnddd20": { "mayRead": true, "mayWrite": true, "mayAdmin": false } } } }}, "0" ]]Experience has shown that unrestricted use of Unicode can lead to problems such as inconsistent rendering, users reading text and interpreting it differently than intended, and unexpected results when copying text from one location to another. ServersMAY choose to mitigate this by restricting the set of characters allowed in otherwise unconstrainedString fields. The FreeformClass, as documented in[RFC8264],Section 4.3, might be a good starting point for this.¶
Attempts to set a value containing code points outside of the permissible set can be handled in a few ways by the server. The first option is to simply strip the forbidden characters and store the resulting string. This is likely to be appropriate for control characters, for example, where they can end up in data accidentally due to copy-and-paste issues and are probably invisible to the end user. JMAP allows the server to transform data on create/update, as long as any changed properties are returned to the client in the "/set" response so it knows what has changed, as per[RFC8620],Section 5.3. Alternatively, the serverMAY just reject the create/update with an "invalidProperties" SetError.¶
All security considerations of JMAP[RFC8620] apply to this specification. Additional considerations are detailed below.¶
Allowing users to edit their own Principal's name (and, to a lesser extent, email, description, or type) could allow a user to change their Principal to look like another user in the system, potentially tricking others into sharing private data with them. Servers may choose to forbid this andSHOULD keep logs of such changes to provide an audit trail.¶
Note that simply forbidding the use of a name already in the system is insufficient protection, as a malicious user could still change their name to something easily confused with the existing name by using trivial misspellings or visually similar Unicode characters.¶
Sharing data with another user allows someone to turn a transitory account compromise (e.g., brief access to an unlocked or logged-in client) into a persistent compromise (by setting up sharing with a user that is controlled by the attacker). This can be mitigated by requiring further authorization for configuring sharing or sending notifications to the sharer via another channel whenever a new permission is added.¶
By creating many changes to the sharing status of objects, a user can cause many ShareNotifications to be generated, which could lead to resource exhaustion. Servers can mitigate this by coalescing multiple changes to the same object into a single notification, limiting the maximum number of notifications it stores per user and/or rate-limiting the changes to sharing permissions in the first place. Automatically deleting older notifications after reaching a limit can mean the user is not made aware of a sharing change, which can itself be a security issue. For this reason, it is better to coalesce changes and use other mitigation strategies.¶
The set of Principals within a shared environmentMUST be strictly controlled. If adding a new Principal is open to the public, risks include:¶
IANA has registered "principals" in the "JMAP Capabilities" registry as follows:¶
IANA has registered "principals:owner" in the "JMAP Capabilities" registry as follows:¶
IANA has registered "Principal" in the "JMAP Data Types" registry as follows:¶