From ebdeed7aa119b39929d7cebc324005fcf2df2dac Mon Sep 17 00:00:00 2001
From: aorzelskiGH <andreas@orzelski.de>
Date: Fri, 17 Apr 2026 16:48:05 +0200
Subject: [PATCH 1/2] fix(bnf,schema): harmonize SecurityQueryFilter and add
 FILTERLIST

The API and Security specs gave two incompatible definitions for
SecurityQueryFilter, and the API grammar lacked FILTERLIST entirely.

BNF (partials/bnf/grammar.bnf):
- <SecurityQueryFilter> now uses "FRAGMENT:" <FieldIdentifierFragment>
  instead of <FragmentObject>, aligning with aas-specs-security.
- <AccessPermissionRule> now accepts an optional FILTERLIST block.
- Added the <FieldIdentifierFragment> production family (AAS, SM, SME,
  CD, AAS Descriptor, SM Descriptor) together with the supporting
  *Fragment clauses (SpecificAssetIds, SemanticId, Reference, Endpoint,
  SmDescriptor).

JSON Schema (partials/query-json-schema.json and pages/schema.adoc):
- Added FragmentFieldIdentifier definition (regex sibling of
  modelStringPattern, restricted to fragment-legal fields).
- SecurityQueryFilter.FRAGMENT now $refs FragmentFieldIdentifier
  (was: plain string).
- AccessPermissionRule gains FILTERLIST (array of SecurityQueryFilter).

Refs: Review Finding T-02
Made-with: Cursor
---
 .../modules/ROOT/pages/schema.adoc            | 12 +++++++-
 .../modules/ROOT/partials/bnf/grammar.bnf     | 28 +++++++++++++++----
 .../ROOT/partials/query-json-schema.json      | 12 +++++++-
 3 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/documentation/IDTA-01002-3/modules/ROOT/pages/schema.adoc b/documentation/IDTA-01002-3/modules/ROOT/pages/schema.adoc
index 348064ec..038564d7 100644
--- a/documentation/IDTA-01002-3/modules/ROOT/pages/schema.adoc
+++ b/documentation/IDTA-01002-3/modules/ROOT/pages/schema.adoc
@@ -12,6 +12,10 @@
       "type": "string",
       "pattern": "^(?:\\$aas#(?:idShort|id|assetInformation\\.assetKind|assetInformation\\.assetType|assetInformation\\.globalAssetId|assetInformation\\.specificAssetIds\\[[0-9]*\\]\\.(?:name|value|externalSubjectId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?)|submodels\\[[0-9]*\\]\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))|\\$sm#(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|id)|\\$sme(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*)*)?#(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|value|valueType|language)|\\$cd#(?:idShort|id)|\\$aasdesc#(?:idShort|id|assetKind|assetType|globalAssetId|specificAssetIds\\[[0-9]*\\]\\.(?:name|value|externalSubjectId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?)|endpoints\\[[0-9]*\\]\\.(?:interface|protocolinformation\\.href)|submodelDescriptors\\[[0-9]*\\]\\.(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|id|endpoints\\[[0-9]*\\]\\.(?:interface|protocolinformation\\.href)))|\\$smdesc#(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|id|endpoints\\[[0-9]*\\]\\.(?:interface|protocolinformation\\.href)))$"
     },
+    "FragmentFieldIdentifier": {
+      "type": "string",
+      "pattern": "^(?:\\$aas#(?:idShort|assetInformation\\.assetType|assetInformation\\.globalAssetId|assetInformation\\.specificAssetIds\\[[0-9]*\\](?:\\.externalSubjectId(?:\\.keys\\[[0-9]*\\])?)?|submodels\\[[0-9]*\\](?:\\.keys\\[[0-9]*\\])?)|\\$sm#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|id)|\\$sme(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*)*)?(?:#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|value|valueType|language))?|\\$cd#idShort|\\$aasdesc#(?:idShort|description|displayName|extension|administration|assetKind|assetType|globalAssetId|specificAssetIds\\[[0-9]*\\](?:\\.externalSubjectId(?:\\.keys\\[[0-9]*\\])?)?|endpoints\\[[0-9]*\\]|submodelDescriptors\\[[0-9]*\\](?:\\.(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|endpoints\\[[0-9]*\\]))?)|\\$smdesc#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|endpoints\\[[0-9]*\\]))$"
+    },
     "hexLiteralPattern": {
       "type": "string",
       "pattern": "^16#[0-9A-F]+$"
@@ -653,6 +657,12 @@
         "FILTER": {
           "$ref": "#/definitions/SecurityQueryFilter",
           "additionalProperties": false
+        },
+        "FILTERLIST": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/SecurityQueryFilter"
+          }
         }
       },
       "allOf": [
@@ -705,7 +715,7 @@
       "type": "object",
       "properties": {
         "FRAGMENT": {
-          "type": "string"
+          "$ref": "#/definitions/FragmentFieldIdentifier"
         },
         "CONDITION": {
           "$ref": "#/definitions/logicalExpression"
diff --git a/documentation/IDTA-01002-3/modules/ROOT/partials/bnf/grammar.bnf b/documentation/IDTA-01002-3/modules/ROOT/partials/bnf/grammar.bnf
index dcb67770..0f34cc96 100644
--- a/documentation/IDTA-01002-3/modules/ROOT/partials/bnf/grammar.bnf
+++ b/documentation/IDTA-01002-3/modules/ROOT/partials/bnf/grammar.bnf
@@ -93,17 +93,18 @@
     ( "DEFFORMULAS" <ws> <StringLiteral> <ws> <logicalExpression> <ws> )* 
     ( <AccessPermissionRule> <ws> )*
  
-<AccessPermissionRule> ::= 
+<AccessPermissionRule> ::=
     "ACCESSRULE:" <ws>
-    ( <ACL> | <UseACL> ) <ws> 
-    "OBJECTS:" <ws> 
-    ( <SingleObject> <ws> )* 
-    ( <UseObjectGroup> <ws> )* 
+    ( <ACL> | <UseACL> ) <ws>
+    "OBJECTS:" <ws>
+    ( <SingleObject> <ws> )*
+    ( <UseObjectGroup> <ws> )*
     ( ( "FORMULA:" <ws> <logicalExpression> <ws> ) | ( <UseFormula> <ws> ) )
     ( "FILTER:" <ws> <SecurityQueryFilter> )?
+    ( "FILTERLIST:" <ws> ( <SecurityQueryFilter> <ws> )* )?
 
 <SecurityQueryFilter> ::=
-    <FragmentObject> <ws>
+    ( "FRAGMENT:" <ws> <FieldIdentifierFragment> <ws> )
     ( ( "CONDITION:" <ws> <logicalExpression> <ws> ) | ( <UseFormula> <ws> ) )
 
 <ACL> ::= 
@@ -212,4 +213,19 @@
 <idShortPath> ::= ( <idShort> ("[" ( [0-9]* ) "]" )* ( "." <idShortPath> )* )
 <idShort> ::= ( ( [a-z] | [A-Z] ) (( [a-z] | [A-Z] | [0-9] | "_"   | "-" )* ( [a-z] | [A-Z] | [0-9] | "_" ) )? )
 
+<FieldIdentifierFragment> ::= <FieldIdentifierAASFragment> | <FieldIdentifierSMFragment> | <FieldIdentifierSMEFragment> | <FieldIdentifierCDFragment> | <FieldIdentifierAasDescriptorFragment> | <FieldIdentifierSmDescriptorFragment>
+
+<FieldIdentifierAASFragment> ::= "$aas#" ( "idShort" | "assetInformation.assetType" | "assetInformation.globalAssetId" | "assetInformation." <SpecificAssetIdsClauseFragment> | "submodels" ( "[" ( [0-9]* ) "]" ) ("." <ReferenceClauseFragment>)? )
+<FieldIdentifierSMFragment> ::= "$sm#" ( <SemanticIdClauseFragment> | "idShort" | "id" )
+<FieldIdentifierSMEFragment> ::= "$sme" ( "." <idShortPath> )? ( "#" ( <SemanticIdClauseFragment> | "idShort" | "value" | "valueType" | "language" ))?
+<FieldIdentifierCDFragment> ::= "$cd#" ( "idShort" ) <ws>
+<FieldIdentifierAasDescriptorFragment> ::= "$aasdesc#" ( "idShort" | "description" | "displayName" | "extension" | "administration" | "assetKind" | "assetType" | "globalAssetId" | <SpecificAssetIdsClauseFragment> | <EndpointClauseFragment> |  "submodelDescriptors[" ( [0-9]* ) "]" ("." <SmDescriptorClauseFragment>)? )
+<FieldIdentifierSmDescriptorFragment> ::= "$smdesc#" <SmDescriptorClauseFragment>
+
+<SpecificAssetIdsClauseFragment> ::= "specificAssetIds" ( "[" ( [0-9]* ) "]" ) (".externalSubjectId" | ".externalSubjectId." <ReferenceClauseFragment>)?
+<SmDescriptorClauseFragment> ::= ( <SemanticIdClauseFragment> | "idShort" | <EndpointClauseFragment> )
+<EndpointClauseFragment> ::= "endpoints" ( "[" ( [0-9]* ) "]" )
+<ReferenceClauseFragment> ::= ( "keys" ( "[" ( [0-9]* ) "]" ) )
+<SemanticIdClauseFragment> ::= ( "semanticId" | "semanticId." <ReferenceClauseFragment> )
+
 <ws> ::= ( " " | "\t" | "\r" | "\n" )*
diff --git a/documentation/IDTA-01002-3/modules/ROOT/partials/query-json-schema.json b/documentation/IDTA-01002-3/modules/ROOT/partials/query-json-schema.json
index a5f131d6..e59e04fc 100644
--- a/documentation/IDTA-01002-3/modules/ROOT/partials/query-json-schema.json
+++ b/documentation/IDTA-01002-3/modules/ROOT/partials/query-json-schema.json
@@ -12,6 +12,10 @@
       "type": "string",
       "pattern": "^(?:\\$aas#(?:idShort|id|assetInformation\\.assetKind|assetInformation\\.assetType|assetInformation\\.globalAssetId|assetInformation\\.specificAssetIds\\[[0-9]*\\]\\.(?:name|value|externalSubjectId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?)|submodels\\[[0-9]*\\]\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))|\\$sm#(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|id)|\\$sme(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*)*)?#(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|value|valueType|language)|\\$cd#(?:idShort|id)|\\$aasdesc#(?:idShort|id|assetKind|assetType|globalAssetId|specificAssetIds\\[[0-9]*\\]\\.(?:name|value|externalSubjectId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?)|endpoints\\[[0-9]*\\]\\.(?:interface|protocolinformation\\.href)|submodelDescriptors\\[[0-9]*\\]\\.(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|id|endpoints\\[[0-9]*\\]\\.(?:interface|protocolinformation\\.href)))|\\$smdesc#(?:semanticId(?:\\.(?:type|keys\\[[0-9]*\\]\\.(?:type|value)))?|idShort|id|endpoints\\[[0-9]*\\]\\.(?:interface|protocolinformation\\.href)))$"
     },
+    "FragmentFieldIdentifier": {
+      "type": "string",
+      "pattern": "^(?:\\$aas#(?:idShort|assetInformation\\.assetType|assetInformation\\.globalAssetId|assetInformation\\.specificAssetIds\\[[0-9]*\\](?:\\.externalSubjectId(?:\\.keys\\[[0-9]*\\])?)?|submodels\\[[0-9]*\\](?:\\.keys\\[[0-9]*\\])?)|\\$sm#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|id)|\\$sme(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*)*)?(?:#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|value|valueType|language))?|\\$cd#idShort|\\$aasdesc#(?:idShort|description|displayName|extension|administration|assetKind|assetType|globalAssetId|specificAssetIds\\[[0-9]*\\](?:\\.externalSubjectId(?:\\.keys\\[[0-9]*\\])?)?|endpoints\\[[0-9]*\\]|submodelDescriptors\\[[0-9]*\\](?:\\.(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|endpoints\\[[0-9]*\\]))?)|\\$smdesc#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|endpoints\\[[0-9]*\\]))$"
+    },
     "hexLiteralPattern": {
       "type": "string",
       "pattern": "^16#[0-9A-F]+$"
@@ -637,6 +641,12 @@
         "FILTER": {
           "$ref": "#/definitions/SecurityQueryFilter",
           "additionalProperties": false
+        },
+        "FILTERLIST": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/SecurityQueryFilter"
+          }
         }
       },
       "allOf": [
@@ -689,7 +699,7 @@
       "type": "object",
       "properties": {
         "FRAGMENT": {
-          "type": "string"
+          "$ref": "#/definitions/FragmentFieldIdentifier"
         },
         "CONDITION": {
           "$ref": "#/definitions/logicalExpression"

From afe2ee10e0109e833b4863e0fd970762fd67815b Mon Sep 17 00:00:00 2001
From: Sebastian Bader <s.bader@sap.com>
Date: Wed, 20 May 2026 14:50:17 +0200
Subject: [PATCH 2/2] docs: add changelog entry for SecurityQueryFilter
 harmonization

---
 documentation/IDTA-01002-3/modules/ROOT/pages/changelog.adoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/documentation/IDTA-01002-3/modules/ROOT/pages/changelog.adoc b/documentation/IDTA-01002-3/modules/ROOT/pages/changelog.adoc
index 05f7bfd0..81e3b4f3 100644
--- a/documentation/IDTA-01002-3/modules/ROOT/pages/changelog.adoc
+++ b/documentation/IDTA-01002-3/modules/ROOT/pages/changelog.adoc
@@ -53,6 +53,7 @@ Major Changes:
 
 Minor Changes:
 
+* fix: Harmonized `SecurityQueryFilter` between API and Security specifications and added missing `FILTERLIST` construct to the BNF grammar and JSON Schema.
 * fix: Wrong ServiceSpecificationProfileEnum values for v3.0 profiles. (https://github.com/admin-shell-io/aas-specs-api/issues/526[#526])
 * removed: Remove TREE. (https://github.com/admin-shell-io/aas-specs-api/issues/537)
 * fix: fixed FILTER object in json schema & fixed inconsistencies in BNF (https://github.com/admin-shell-io/aas-specs-api/issues/547)