Usage Control / Policy Requirements

[juliapampus]

As decided yesterday, this discussion should provide the possibility to collect requirements for further usage control implementations. We talked about the XAMCL data flow illustration and took a short look at existing IDS policy classes. For further details, please see the following links:

• Usage Control in the International Data Spaces
• IDS-G-pre document
• Introduction to XACML
• eXtensible Access Control Markup Language v3.0

Before being able to refine implementation details, requirements need to be derived from existing use cases and prioritized.

How to collaborate

For each needed policy, please create a new comment. This way, it is possible to discussion different topics in different threads.
To prevent duplicates, please first check if a policy request already exists and add your information, ideas, use cases.

Prioritization

• MUST: Must have this requirement to meet the business needs
• SHOULD: Should have this requirement if possible, but project success does not rely on it
• COULD: Could have this requirement if it does not affect anything else on the project
• WOULD: Would like to have this requirement later, but delivery won't be this time around

Stick to the following template by copying the following lines and replacing the cursive words.

Title (e.g., restrict data usage to geo-location)

• Type: access control or usage control
• Impact: if known, e.g., data provisioning, data processing, data transfer
• Priority: must, should, could, or would (see above for explanation)

Use Cases

Please describe use cases that should and will be implemented with the EDC to understand the context of the desired policy - brief but clearly comprehensible.

More Information

Add further information that is not covered by this template.

[antoniolm23]

Dear Julia, unfortunately the IDS-G link seems to be broken, it returns 404

[juliapampus]

It's not broken, it is an IDSA-member-restricted link, so I was not sure who has access and who not. Just didn't want to drop it.

[bscholtes1A]

[MUST] Policy use-case for EONA-X

Context

EONA-X is a mobility data space which is gathering partners from the travel industry. A demonstrator for EONA-X is under development and centered around a fictive company, which develops web application enabling users to build and manage multi-modal (i.e. working with multiple transportation modes such as flights, trains, bus...) journeys.

Initial setup

• Three partners are already exposing assets in the context of this demonstrator.
• As of now, assets exposed by these partners does not have any usage restriction meaning that can be consume by any other partner from the dataspace.

In order to showcase the policy enforcement capabilities offered by the EDC, we would like to add a geographic usage restriction on some assets currently exposed by the partners in order to limit their consumption to partners located in EU.

Demo

• Log as a partner located in EU, shows that all assets can be consumed.
• Logout
• Log as a partner not located in EU, shows that data request is refused for assets having the geographic usage restriction.

Technical aspect

• At first glance, the location of a given partner should be attested by a central entity (e.g. government...).
• An option could be to materialize this information in a Verifiable Credentials, but this seems specific to the decentralized --> what about if we are using a centralized authorization server for example?
• In the case DID is used (which is sufficient for a first demo), policy check could then be plugged within the CredentialsVerifier implementation.

[amjadKhalifah]

I am adding some inputs we collected. I will add them in several comments here. The first comment (this) will describe a use-case and some general preliminary requirements (may not be necessarily all related to the EDC). The following comments will contain user-stories according to the template above.

Use-case: Sovereign health Dataspace
In a sovereign digital health dataspace, participants exchange data exchange data for purposes of treatment, research, and reporting. Health data may include private data of patients or their homes that can be provided to certain principles of a hospital but not to others. An important scenario in this system concerns protecting the rights of data subjects, e.g., patients, by enforcing constraints on the data share, e.g., obtaining the patient consent before transferring data to a research institute.
Actors:

• Citizens: their data are collected using IoT devices (e.g., glucose levels sensors). These include patients in hospitals, or staying at home, and volunteers in research studies.
• Hospitals: admit/treat patients; follow-up on patients at home; organize trials and studies; store data on the cloud.
• Doctors: treat patients in hospitals, or in their clinics; authorize other doctors to access medical records on the cloud while main doctor is on vacation.
• Research institutes: use patients data stored upon individual approvals
• Pharma: access stats on prescriptions; arrange medical trials
• Official health agencies: collect input for reports of seasonal diseases or pandemics (infection cycles)

Similar Gaia-X use-case
General Requirements:

• Continuous (different phases of the EDC state-machine) ABAC policy evaluator ---> End to end control (even after transfer?) (must)
• Data-Subject Consent
• Privacy-preserving obligations and their proofs (should)
• Conflict resolution (would)
• Recognition of authority and delegation (would)

[amjadKhalifah]

User-story 1: constrained data-transfer

Type: usage control
Impact: data processing
Priority: must

Use Cases

As a home patient, I want to send my continuous vitals readings to the hospital to have my personal doctor review them only from the hospital lab (within the hospital IP range) and within working hours. (usage control, data-processing, must)

[amjadKhalifah]

User-story 2: Delegation of authority

Type: usage control
Impact: data processing
Priority: would

Use Cases

As a home patient, I want to send my continuous vitals readings to the hospital to have my personal doctor review them only from the As an admitted patient, in emergency cases, I want to authorize (delegate) my emergency contact to allow/deny usage requests on my medical data. (usage control, data-processing, would)

[amjadKhalifah]

User-story 3: Consent + privacy-preserving obligations

Type: usage control and access control
Impact: ?
Priority: should

Use Cases

As a home patient, I want to give (or deny) consent for requests by pharmaceutical companies to process my data, and revoke this access whenever I wish.

As a hospital patient, I want my medical data to be anonymized before being shared with local officials.

[amjadKhalifah]

User-story 4: Consent + privacy-preserving obligations

Type: usage control after transfer
Impact: data-processing
Priority: must

Use Cases

As a volunteer, I want to participate in research clinical trials only if my data is stored on a secure hardware in my city, and the data is deleted after 3 months. (control after transfer) (access control, data-processing, must)

[sebplorenz]

Block an offer or resource from being consumed

Type: access control
Impact: data transfer
Priority: should

Use Cases

As an Organzational Operator I want to block a data offering if the data e.g. is illegal or appears to be stolen.

Further information

The organizational operator is legally responsible for data shared in the IDS. By providing the platform, the operator is also forced to supress certain illegal data from being exchanged.

[sebplorenz]

Meta-data access control

Type: access control
Impact: meta-data transfer
Priority: should

Use Cases

As a Data Provider I want my data to be found only by specific participants of the data space since the knowledge that I own the data tells others which technical processes I use.

Further information

Policies should be available for meta-data as well. Participants don't want their competitors to see what data they offer.

[sebplorenz]

Usage Policies for down-stream (third-party) Data Consumers

Type: usage control
Impact: data transfer
Priority: must

Use case

As a Data Provider I want to be able to create Usage Policies for third-party Data Consumers in case the Data Consumer transfers data to them to control the usage of my data by third-party Data Consumers.

As a Data Provider I want to add a contract to my resource that must be used by Data Consumers if they want to further sell my data or derivatives of the data to others to make sure this happens to my conditions.

[SebastianOpriel]

I would like to add the requirement, that these third-party-consumer policies must be same or narrowing down the scope of the first (direct) consumer of the data.
Additionally it shall be configurable how often the data can be shared further (depth of sharing). Thus: Is it allowed that the third-party shares these data as well?

[SebastianOpriel]

@sebplorenz for me this is more a usage control policy, than an access control aspect. The consumer is not allowed to share these data with others, thus usage control.

[sebplorenz]

Yes. Sounds like usage control. I change it.

[sebplorenz]

Allow access to individuals

Type: access control
Impact: data transfer
Priority: must

Use case

As a Data Owner I want to share my data only with certain individuals from another company (or scientific instititute) to keep my data secret.

Further information

Especially in domains with sensitive data it is crucial for participants to know that they can restrict the data access to trusted individuals from another company and not to the whole company or business unit.

[SebastianOpriel]

I would like to add the aspect, that this policy might require a ConnectorRestrictedPolicy above to specify firstly the company and then specifying the individual

[sebplorenz]

Allow access to groups

Type: access control
Impact: data transfer
Priority: must

Use case

As a Data Owner I want to share my data only with a team or organizational group from another company (or scientific instititute) to keep my data secret.

[sebplorenz]

Access policies on graph data structure

Type: access control
Impact: data transfer
Priority: should

Use case

As a Data Provider I need authorization profiles for partial graphs stored in triple-store/graph-databases to describe access policies to my stored data.

Further information

E.g. In the field of materials research, data is stored in graph databases. There is a need to define access rules that allows access to certain parts of that graph.
Also meta-data is described in graphs. The should also be rules for accessing meta-data that comes from a structured graph.

[sebplorenz]

Multiple Usage Policies for a resource

Type: access control
Impact: data transfer
Priority: must

Use case

As a Data Provider I want to add multiple Usage Policies to a resource.

[SebastianOpriel]

Such a set of policies shall support basic boolean algebra. (P1 AND P2) OR (P2 AND P3)

[sebplorenz]

Usage Policies using vocabularies

Type: access control
Impact: data transfer
Priority: must

Use case

As a Data Provider I want to write Usage Policies based on a vocabulary (Usage Policies that might not be able to express with the means of the Infomodel).

[ticapix]

Hi,

Are there already hint on the vocabulary to be used ?

[sebplorenz]

Request certified processing

Type: access control
Impact: data transfer
Priority: should

Use case

As a Data Provider I want my data to be processable by certified apps only.

[fvolz]

For our AAS use-cases, this is a must: As a Data Provider I want my data only to be processed by a specific app (digital twin app)

[sebplorenz]

Remote Attestation

Type: access control
Impact: data transfer
Priority: should

Use case

As a Data Provider I want a "Remote Attestation Result" for the integrity of the IDS instance that processes my data (also if processed in a chain with many pocessors). If the Remote Attestation fails I want to deny usage of/access to my data.

[sebplorenz]

Restrict access to specific participants

Type: access control
Impact: data transfer
Priority: must

Use case

As a Data Provider I want to restrict the access to a resource to a specificly named participant.

[sebplorenz]

Restrict to specific User Roles

Type: access control
Impact: data transfer
Priority: should

Use case

As a Data Provider I want to restrict the access to a resource to a specific role in an organization.

[sebplorenz]

Location-based Usage

Type: usage control
Impact: data transfer
Priority: should

Use case

As a Data Provider I want to offer my resource within a specified region for legal reasons.

[SebastianOpriel]

Correlates to #878 (comment) right?

[sebplorenz]

Share data for a specific computation

Type: usage control
Impact: data transfer
Priority: should

Use case

As a Data Provider I want to offer my CO2 data to downstream users in the production line only for the use of calculating the CO2 footprint of a product to follow regulations.

[SebastianOpriel]

This example might be a construct of Third-party-sharing (#878 (comment)) and a specific app (#878 (comment))