Solid,
the emerging technology for organizing data in decentralized stores,
relies on a simple authorization mechanism for granting access to data.
Solid's personal online datastores (Pods) are ideal
for keeping personal data, as they allow individuals to represent the
access permissions in a very simple manner using
Access Control Language (ACL)
expressions. Whereas these expressions suffice for yes/no
and read/write permissions, they cannot represent more complex rules
nor invoke regulation-specific concepts.
This work describes an extension of the ACL language and the algorithm to implement consent
and data requests. This extension is based on the
Open Digital Rights Language (ODRL)
policy language, which allows expressing rich rules, and the
Data Privacy Vocabulary (DPV),
which permits invoking privacy and data protection-specific terms.
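The limitation described above (an ACL can say who may read, but not for which purpose) shown as an added example; this is not the profile's vocabulary or the authors' algorithm. It is a default-deny evaluator over a constructed ODRL-shaped policy whose purpose constraint is checked against a small constructed purpose hierarchy with DPV-style names. The pod URL, the hierarchy subset, prefix matching of targets and the rule that a prohibition overrides a permission are assumptions.

```python
# Constructed subset of a purpose taxonomy (child -> parent), DPV-style names.
PURPOSE_PARENT = {
    "dpv:AcademicResearch": "dpv:ResearchAndDevelopment",
    "dpv:CommercialResearch": "dpv:ResearchAndDevelopment",
    "dpv:Advertising": "dpv:Marketing",
}

def is_a(purpose, ancestor):
    """True if purpose equals ancestor or is one of its descendants."""
    while purpose is not None:
        if purpose == ancestor:
            return True
        purpose = PURPOSE_PARENT.get(purpose)
    return False

# Constructed policy shaped like ODRL JSON-LD: permission and prohibition
# rules, each with a purpose constraint using the isA operator.
POLICY = {
    "permission": [{
        "target": "https://alice.example/health/", "action": "read",
        "constraint": {"leftOperand": "purpose", "operator": "isA",
                       "rightOperand": "dpv:ResearchAndDevelopment"}}],
    "prohibition": [{
        "target": "https://alice.example/health/", "action": "read",
        "constraint": {"leftOperand": "purpose", "operator": "isA",
                       "rightOperand": "dpv:CommercialResearch"}}],
}

def constraint_holds(c, request):
    if c is None:
        return True
    if (c["leftOperand"], c["operator"]) != ("purpose", "isA"):
        raise ValueError("unsupported constraint")  # refuse to guess
    return is_a(request.get("purpose"), c["rightOperand"])

def rule_matches(rule, request):
    # Assumption: a rule on a container covers every resource under it.
    return (request["target"].startswith(rule["target"])
            and request["action"] == rule["action"]
            and constraint_holds(rule.get("constraint"), request))

def authorize(policy, request):
    """Default deny; a matching prohibition overrides any permission (assumed)."""
    if any(rule_matches(r, request) for r in policy.get("prohibition", [])):
        return "deny: prohibited"
    if any(rule_matches(r, request) for r in policy.get("permission", [])):
        return "grant"
    return "deny: no matching permission"
```

A request that states no purpose matches neither purpose-constrained rule and falls through to the default deny.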
ODRL Profile for Access Control in Solid | |
---|---|
1. Purpose | |
The purpose of this profile of ODRL is to support policies determining the access control to personal data stored in Solid pods. | |
2. Scope | |
The scope of this profile is limited to the definition of an ODRL Profile for Access Control in Solid. In particular, the introduced elements will serve one of these purposes: (i) define actions supporting enforcement of current ACL verbs, (ii) define data protection-related actions and restrictions defined in GDPR, (iii) any vocabulary element to support policy patterns that can be anticipated to be common, and (iv) elements necessary to support the authorization reasoning decision. | |
3. Implementation Language | |
OWL | |
4. Intended End-Users | |
Developers of Solid servers and Solid clients. | |
5. Intended Uses | |
Use 1. Declaration of a policy by an individual storing personal data in a pod. Use 2. Request of data made by a person or application to gain access to the data in different modalities. Use 3. Contextual elements to be considered in the authorization decision. Use 4. Explanation of the authorization decision. | |
6. Ontology Requirements | |
a. Non-Functional Requirements | |
NFR 1. The ontology shall be published online with standard documentation. | |
b. Functional Requirements: Groups of Competency Questions | |
CQG1. Related to authorization | CQG2. Related to GDPR |
CQ1. Which actions are to be authorized? CQ2. Which requirements are to be authorized? CQ3. Who are the parties intervening in policy? CQ4. Which is the priority of a certain policy? CQ5. Which are the contextual elements to be considered in the authorization decision? | CQ6. Which obligations and requirements, and information about personal data and its processing are necessary? CQ7. Which is the legal identification of the policy parties? |
Solid is a specification and implementation of decentralized data stores, which decouples data from applications, based on interoperable data formats and protocols.
Solid Technical Reports

ODRL: Rights expression language that provides a model and vocabulary to express information about permissions, prohibitions and duties related to digital assets.
Information Model
Vocabulary & Expression

DPV: Data privacy vocabulary that provides a taxonomy of terms to annotate and categorize the handling of personal data in accordance with established data protection regulations.
DPV specification
DPV-GDPR extension

This research has been supported by the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497 (PROTECT).