docs(annex): add normative Operation-to-RIGHT mapping

[aorzelskiGH]

Summary

Add a normative annex "Operation to RIGHT Mapping" that binds every AAS HTTP/REST API operation to a RIGHT value from IDTA-01004's rightsEnum, together with a compatible ROUTE literal example.

Problem

IDTA-01004 provides an indicative mapping from RIGHTS to HTTP methods, but the per-operation mapping (operationId -> RIGHT) is not defined in either spec. Enforcement points therefore make inconsistent choices, in particular for:

• PUT on client-addressable resources (CREATE vs. UPDATE),
• VIEW vs. READ on registry resources,
• EXECUTE on operation invocation endpoints,
• attachment endpoints (GetFileByPath, PutFileByPath, DeleteFileByPath).

Solution

Add pages/annex/operation-to-right-mapping.adoc with a normative table covering Shell, Submodel, SubmodelElement, attachment, ConceptDescription, Descriptor (AAS / Submodel Registry), Discovery, Description and Query operations. Register the annex in nav.adoc.

Affected files

• documentation/IDTA-01002-3/modules/ROOT/pages/annex/operation-to-right-mapping.adoc (new)
• documentation/IDTA-01002-3/modules/ROOT/nav.adoc

Review notes

• Paired Security PR admin-shell-io/aas-specs-security#... references this annex from the Rights-and-operation-verbs section.
• Please verify the table against the latest OpenAPI documents; any operation added in future PRs MUST append a row here.
• "CREATE or UPDATE" entries are deliberate: the enforcement point resolves the right at request time.

Refs: Review Finding T-10

[github-advanced-security]

QDJVMC found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[BirgitBoss]

the two "*" are not displayed in html

Suggested change

	| GetSubmodelElementByPath | GET | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | READ | "/submodels/*/submodel-elements/*"
	| GetSubmodelElementByPath | GET | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | READ | "/submodels/\*/submodel-elements/*"

[BirgitBoss]

better in general to use code formatting and not text

[BirgitBoss]

Suggested change

	| PutSubmodelElementByPath | PUT | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | CREATE or UPDATE | "/submodels/*/submodel-elements/*"
	| PutSubmodelElementByPath | PUT | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | CREATE or UPDATE | "/submodels/\*/submodel-elements/*"

[BirgitBoss]

Suggested change

	| PatchSubmodelElementByPath | PATCH | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | UPDATE | "/submodels/*/submodel-elements/*"
	| PatchSubmodelElementByPath | PATCH | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | UPDATE | "/submodels/\*/submodel-elements/*"

[BirgitBoss]

Suggested change

	| DeleteSubmodelElementByPath | DELETE | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | DELETE | "/submodels/*/submodel-elements/*"
	| DeleteSubmodelElementByPath | DELETE | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath} | DELETE | "/submodels/\*/submodel-elements/*"

[BirgitBoss]

Suggested change

	| InvokeOperation | POST | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/invoke | EXECUTE | "/submodels/*/submodel-elements/*/invoke"
	| InvokeOperation | POST | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/invoke | EXECUTE | "/submodels/\*/submodel-elements/*/invoke"

[BirgitBoss]

Suggested change

	| InvokeOperationAsync | POST | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/invoke-async | EXECUTE | "/submodels/*/submodel-elements/*/invoke-async"
	| InvokeOperationAsync | POST | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/invoke-async | EXECUTE | "/submodels/\*/submodel-elements/*/invoke-async"

[BirgitBoss]

Suggested change

	| GetOperationAsyncStatus | GET | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/operation-status/{handleId} | READ | "/submodels/*/submodel-elements/*/operation-status/*"
	| GetOperationAsyncStatus | GET | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/operation-status/{handleId} | READ | "/submodels/\*/submodel-elements/*/operation-status/*"

[BirgitBoss]

Suggested change

	| GetFileByPath | GET | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/attachment | READ | "/submodels/*/submodel-elements/*/attachment"
	| GetFileByPath | GET | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/attachment | READ | "/submodels/\*/submodel-elements/*/attachment"

[BirgitBoss]

Suggested change

	| PutFileByPath | PUT | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/attachment | UPDATE | "/submodels/*/submodel-elements/*/attachment"
	| PutFileByPath | PUT | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/attachment | UPDATE | "/submodels/\*/submodel-elements/*/attachment"

[BirgitBoss]

Suggested change

	| DeleteFileByPath | DELETE | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/attachment | DELETE | "/submodels/*/submodel-elements/*/attachment"
	| DeleteFileByPath | DELETE | /submodels/{submodelIdentifier}/submodel-elements/{idShortPath}/attachment | DELETE | "/submodels/\*/submodel-elements/*/attachment"

[BirgitBoss]

approve but check for correct html representation of the examples with severl "*" in the path