Accessing Participant Roles in Policy Extension

[lesile231]

As you may know, when creating a participant through the '/api/identity/v1alpha/participants' API, there are properties roles available.

I want to use these values for comparison in policies realtimely, so I've been trying to inject 'ParticipantContextService' into a policy extension. However, it doesn't seem to be working properly.

Am I attempting something that's not feasible?

I tried to add the following code to 'DcpPatchExtension.java' in the /extensions/dcp-impl path of my existing MVD codebase,

public class DcpPatchExtension implements ServiceExtension {
 ...
 @Inject
    private ParticipantContextService participantContextService;

 ...

 @Override
    public void initialize(ServiceExtensionContext context) {
        // register service
        context.registerService(ParticipantContextService.class, participantContextService);
 ...

and then added to the 'build.gradle.kts' file for injection.

 implementation(libs.edc.ih.spi.credentials)
 implementation(libs.edc.ih.spi) 

Then I attempted to use it in
'MembershipCredentialEvaluationFunction.java' as shown below, but it failed.

public class MembershipCredentialEvaluationFunction<C extends ParticipantAgentPolicyContext> extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction<Permission, C> {
private ServiceExtensionContext context;
private ParticipantContextService participantContextService;

    private MembershipCredentialEvaluationFunction(Monitor monitor, ServiceExtensionContext context, ParticipantContextService participantContextService) {
        this.monitor = monitor;
        this.context = context;
        this.participantContextService = participantContextService;
    }
 public static <C extends ParticipantAgentPolicyContext> MembershipCredentialEvaluationFunction<C> create(Monitor monitor, ServiceExtensionContext context, ParticipantContextService participantContextService) {
        return new MembershipCredentialEvaluationFunction<>(monitor, context, participantContextService) {
        };
    }
...

If there's any alternative approach, please let me know.
Sorry for the lengthy long-winded question.
I always appreciate your help. Thank you

[paullatzelsperger]

the roles of a ParticipantContext are an internal concept of IdentityHub that is not exposed to external clients, and that is to be used only for authn/authz, and not for policy evaluation.

For policy eval, only claims of a VC can be used. If a "role" is a first-level concept in your data space, then you will have to issue VerifiableCredentials that contain role information in their credentialSubject.