Issues with policies using Summary Credentials constraints

[ds-jhartmann]

What is the correct way of creating Access Policies based on Consumer Summary Credentials?

These are the steps I tried to create the offer:

1. Create an asset
2. create a policy with Constraint Traceability eq active
3. create a contract definition with this policy applied to the asset.
4. request the catalog from a consumer

I expect that offer should not be displayed to the consumer, if the consumer does not have the SC TraceabilityCredential in their wallet.

However, when testing this, I can still see the offer in the catalog, even though I do not have the SC TraceabilityCredential in the wallet of my consumer.

Context Informations

I could not create the policies as described here: https://github.com/eclipse-tractusx/ssi-docu/blob/main/docs/architecture/cx-3-2/edc/policy.definitions.md#4-policy-example
Using the example policy payload resulted in a Bad Request
Other examples either lead to a creation of policies without constraints or to more bad requests.

This is the policy I created which is then also displayed correctly in the catalog:

{
  "@context": {
    "odrl": "http://www.w3.org/ns/odrl/2/"
  },
  "@id": "trace",
  "policy": {
    "odrl:permission": [
      {
        "odrl:action": "USE",
        "odrl:constraint": {
          "@type": "AtomicConstraint",
          "odrl:or": [
            {
              "@type": "Constraint",
              "odrl:leftOperand": "Traceability",
              "odrl:operator": {
                "@id": "odrl:eq"
              },
              "odrl:rightOperand": "active"
            }
          ]
        }
      }
    ]
  }
}

[paullatzelsperger]

one problem here is, that during expansion, the entire policy object gets stripped out. The reason for this is, that there is no @vocab, which would be sort of a "default" namespace.
Adding {"@vocab": "https://w3id.org/edc/v0.0.1/ns/"} to the @context object will produce better results:

"@context": [
    {
    "odrl": "http://www.w3.org/ns/odrl/2/"
  	},
    {"@vocab": "https://w3id.org/edc/v0.0.1/ns/"}
  ]
//...

I can highly recommend trying out the JSON-LD Playground to see what's happening. Inputting the example you posted, the expansion yields an empty array [].

[edit]: please note also this issue which may be related.
[edit2]: we do have automatic @vocab injection, but only when the mgmt API is used.

[wolf4ood]

Hi @ds-jhartmann

can you try with FrameworkAgreement.traceability as leftOperand instead of Traceability The framework agreement policy docs should be here

https://github.com/eclipse-tractusx/ssi-docu/blob/main/docs/architecture/cx-3-2/edc/policy.definitions.md#35-traceability

Let us know if this works

Thanks

[ds-jhartmann]

Thanks a lot for your quick responses!
Changing the leftOperand to FrameworkAgreement.traceability did the trick and I was able to limit the access of my offers based on the Credential.
Policy creation did already work the way I initially did it, but thanks for the hint regarding the JSON-LD playground!