Jump to Table of Contents Collapse Sidebar

ODRL Profile for Access Control in Solid

Release

Latest editor's draft:
https://w3id.org/oac/
Editors:
(Ontology Engineering Group, Universidad Politécnica de Madrid)
(ADAPT Centre, Trinity College Dublin)
(Ontology Engineering Group, Universidad Politécnica de Madrid)
Participate:
GitHub profile
File a bug
Commit history
Pull requests

Abstract

This document presents a new profile, the ODRL Profile for Access Control in Solid, that extends Solid's ACL mechanism by using the ODRL Vocabulary and Expression specification to define ‘sticky policies’ that express permissions and / or prohibitions associated with data stored in a Solid pod and utilises DPV as a controlled vocabulary for invoking privacy and data protection-specific terms.

In particular, the introduced elements will serve one of these purposes:

(i) define actions supporting enforcement of current ACL verbs,

(ii) define data protection-related actions and restrictions defined in GDPR,

(iii) any vocabulary element needed to support policy patterns that can be anticipated to be common, and

(iv) elements necessary to support the authorization reasoning decision.

1. Acknowledgments

This research has been supported by European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 813497 (PROTECT) and `Datos 4.0 Retos y Soluciones' (TIN2016-78011-C4-3-R). Harshvardhan J. Pandit is funded by the Irish Research Council Government of Ireland Postdoctoral Fellowship Grant#GOIPD/2020/790; European Union's Horizon 2020 research and innovation programme under NGI TRUST Grant#825618 for Project#3.40 Privacy-as-Expected: Consent Gateway; and by the ADAPT SFI Centre for Digital Media Technology which is funded by Science Foundation Ireland through the SFI Research Centres Programme and is co-funded under the European Regional Development Fund (ERDF) through Grant#13/RC/2106_P2.

2. Introduction

Solid is a specification [solid-protocol] for decentralised personal data stores (called `Pods') that uses linked data and Web standards to achieve user control and interoperability. The access to data stored within Solid Pods is governed by the Web Access Control (WAC) specification [wac] which uses IRIs to represent resources and agents, and stores authorisation statements within Access Control Lists (ACL) defined per resource or inherited from the parent resource. Therefore, in Solid, the user controlling the ACL is the entity responsible for deciding who has access to the data.

Given that Solid provides a way for personal data to be stored and managed by individuals, it is important to consider the impact and application of data protection and privacy laws such as the European General Data Protection Regulation (GDPR) that define specific concepts and obligations for how personal data can be collected, stored, used, and shared. In addition, such laws also specify various rights and the legal basis used to justify using the data and the conditions for their validity. In particular, GDPR's Articles 13 and 14 require controllers to provide information such as identity, purpose, personal data categories, legal basis, and recipients where they collect personal data directly or indirectly from individuals.

Applied to Solid, this information can be presented using conventional methods, such as a notice provided on the data requester's website, and the resulting authorisation decision made by the individual stored within the ACL. However, for individuals to control their data practices, the Solid Pod must contain this information as well so that the individual has the opportunity to:

(i) inspect their personal data within an environment under their control;

(ii) store it for accountability purposes;

(iii) determine their data sharing preferences; and

(iv) be assisted in expressing and enforcing their data sharing preferences.

To achieve these goals, the following requirements motivate our approach to extend Solid’s existing ACL mechanism using the ODRL Vocabulary and Expression specification to define ‘sticky policies’ that express permissions and / or prohibitions associated with data stored in a Solid Pod and utilises DPV as a controlled vocabulary for invoking privacy and data protection-specific terms.

R1. Support specifying user preferences as policies.

R2. Incorporate vocabulary specifying or aligned to legal concepts.

R3. Support specifying permissions and prohibitions at arbitrary granularity.

R4. Support identifying and resolving conflicts based on scope.

R5. Record (store) policies used to authorise access.

R6. Support querying policies and authorisations for introspection of data use.

2.1 Ontology Requirement Specification Document

ODRL Profile for Access Control in Solid
1. Purpose
The purpose of this profile of ODRL is to support policies determining the access control to personal data stored in Solid Pods.
2. Scope
The scope of this profile is limited to the definition of an ODRL Profile for Access Control in Solid. In particular, the introduced elements will serve one of these purposes: (i) define actions supporting enforcement of current ACL verbs, (ii) define data protection-related actions and restrictions defined in GDPR, (iii) any vocabulary element to support policy patterns that can be anticipated to be common, and (iv) elements necessary to support the authorization reasoning decision.
3. Implementation Language
OWL
4. Intended End-Users
Developers of Solid servers and Solid clients.
5. Intended Uses
Use 1. Declaration of a policy by an individual storing personal data in a Pod.
Use 2. Request of data made by a person or application to gain access to the data in different modalities.
Use 3. Contextual elements to be considered in the authorization decision.
Use 4. Explanation of the authorization decision.
6. Ontology Requirements
a. Non-Functional Requirements
NFR 1. The ontology shall be published online with standard documentation.
b. Functional Requirements: Groups of Competency Question
CQG1. Related to authorization CQG2. Related to GDPR
CQ1. Which actions are to be authorized?
CQ2. Which requirements are to be authorized?
CQ3. Who are the parties intervening in policy?
CQ4. Which is the priority of a certain policy?
CQ5. Which are the contextual elements to be considered in the authorization decision?
CQ6. Which obligations and requirements, and information about personal data and its processing are necessary?
CQ7. Which is the legal identification of the policy parties?

2.2 Profile diagram

The concepts specified by the ODRL Profile for Access Control in Solid are shown in the figure below.

ODRL Profile for Access Control in Solid

2.3 Document Conventions

Prefix Namespace Description
odrl http://www.w3.org/ns/odrl/2/ [odrl-vocab] [odrl-model]
rdf http://www.w3.org/1999/02/22-rdf-syntax-ns# [rdf11-concepts]
rdfs http://www.w3.org/2000/01/rdf-schema# [rdf-schema]
owl http://www.w3.org/2002/07/owl# [owl2-overview]
dct http://purl.org/dc/terms/ [dct]
ns1 http://purl.org/vocab/vann/ [ns1]
xsd http://www.w3.org/2001/XMLSchema# [xsd]
skos http://www.w3.org/2004/02/skos/core# [skos]
cert http://www.w3.org/ns/auth/cert# [cert]
dpv http://www.w3.org/ns/dpv# [dpv]
acl http://www.w3.org/ns/auth/acl# [acl]
oac https://w3id.org/oac/ [oac]

3. Profile specification

This ODRL profile relies on the invocation of legal concepts using DPV and ACL for the reference to access mode operations. Its core concepts are Purpose, Personal Data Categories, Processing, Access and Legal Entities.

3.1 Access

Definition: Operations for resource access
Label: oac:Access
Instance of: odrl:Action, acl:Access

3.2 Processing

Definition: Processing of personal data
Label: oac:Processing
Instance of: odrl:Action, dpv:Processing

3.3 Personal Data Category

Definition: Categories of personal data
Label: oac:PersonalDataCategory
Instance of: odrl:Asset, dpv:PersonalDataCategory

3.4 Purpose

Definition: Purposes for personal data processing
Label: oac:Purpose
Instance of: odrl:LeftOperand, dpv:Purpose

3.5 Recipient

Definition: Entities receiving personal data
Label: oac:Recipient
Instance of: odrl:LeftOperand, dpv:Recipient

3.6 Legal Entity

Definition: Legally defined entities e.g. data controllers
Label: oac:LegalEntity
Subclass of: odrl:Party, dpv:LegalEntity

4. Examples

4.1 User Preference 1 - Read-only policy for Contact for R&D Purposes

Anne, as identified by her WebID https://anne.databox.me/profile/card#me, permits read access operations over her contact data for the purpose of research and development.

Example 4.1
        
          :example-4-1 a odrl:Policy ;
            odrl:profile oac: ;
            odrl:permission [
              a odrl:Permission ;
              odrl:assigner :anne ;
              odrl:target oac:Contact ;
              odrl:action oac:Read ;
              odrl:constraint [
                odrl:leftOperand oac:Purpose ;
                odrl:operator odrl:isA ;
                odrl:rightOperand dpv:ResearchAndDevelopment
              ] 
            ] .
      
          :anne a oac:DataSubject ;
            cert:key "https://anne.databox.me/profile/card#me" .
        
      

4.2 User Preference 2 - Prohibition to share resource /docs/file1 with third parties

Anne, as identified by her WebID https://anne.databox.me/profile/card#me, prohibits the sharing of a resource stored on her Pod, located at https://anne.databox.me/docs/file1, with more than 3 recipients.

Example 4.2
        
          :example-4-2 a odrl:Policy ;
            odrl:profile oac: ;
            odrl:prohibition [
              a odrl:Prohibition ;
              odrl:assigner :anne ;
              odrl:target "https://beatriz.databox.me/docs/file1" ;
              odrl:action oac:Share ;
              odrl:constraint [
                odrl:leftOperand oac:Recipient ;
                odrl:operator odrl:gt ;
                odrl:rightOperand "3"^^xsd:integer
              ]
            ] .
      
          :anne a oac:DataSubject ;
            cert:key "https://anne.databox.me/profile/card#me" .
        
      

4.3 App Policy 1 - Request to use data for Registration purposes

App 1, as identified by their URL https://example-app-1.com, requests permission to use and store the email address and social network information of users for the purpose of registering and authenticating to their service.

Example 4.3
        
          :example-4-3 a odrl:Policy ;
            odrl:profile oac: ;
            odrl:permission [
              a odrl:Permission ;
              odrl:assignee :app-1-controller ;
              odrl:target oac:EmailAddress, oac:SocialNetwork ;
              odrl:action oac:Use, oac:Store ;
              odrl:constraint [
                odrl:leftOperand oac:Purpose ;
                odrl:operator odrl:isA ;
                odrl:rightOperand dpv:RegistrationAuthentication
              ]
            ] .
    
          :app-1-controller a oac:DataController ;
            cert:key "https://example-app-1.com" .
        
      

4.4 App Policy 2 - Request to collect and share anonymised Health Records

App 2, as identified by their URL https://example-app-2.com, requests permission to collect and produce a copy of the health records, medical prescriptions and health history of users for the purpose of performing academic research and make the anonymised information available to third parties.

Example 4.4
        
          :example-4-4 a odrl:Policy ;
            odrl:profile oac: ;
            odrl:assignee :app-2-controller ;
            odrl:target oac:HealthRecord, oac:Prescription, oac:HealthHistory ;
            odrl:permission [
              a odrl:Permission ;
              odrl:action oac:Collect, oac:Copy ;
              odrl:constraint [
              odrl:leftOperand oac:Purpose ;
                odrl:operator odrl:isA ;
                odrl:rightOperand dpv:AcademicResearch 
              ]
            ] ;
            odrl:permission [
              a odrl:Permission ;
              odrl:action oac:Anonymise, oac:MakeAvailable ;
              odrl:constraint [
                odrl:leftOperand oac:Recipient ;
                odrl:operator odrl:isA ;
                odrl:rightOperand dpv:ThirdParty
              ]
            ] .
        
          :app-2-controller a oac:DataController ;
            cert:key "https://example-app-2.com" .
        
      

A. References

A.1 Informative references

[acl]
Basic Access Control ontology . 2009. URL: http://www.w3.org/ns/auth/acl#
[cert]
The Cert Ontology 1.0 . Henry Story. 13 November 2008. URL: http://www.w3.org/ns/auth/cert#
[dct]
DCMI Metadata Terms . DCMI Usage Board. DCMI. 20 January 2020. DCMI Recommendation. URL: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/
[dpv]
Data Privacy Vocabulary (DPV) version 0.2 . Axel Polleres; Beatriz Esteves; Bert Bos; Bud Bruegger; Elmar Kiesling; Eva Schlehahn; Fajar J. Ekaputra; Georg P. Krog; Harshvardhan J. Pandit; Javier D. Fernández; Mark Lizar; Paul Ryan; Piero Bonatti; Ramisa Gachpaz Hamed; Rigo Wenning; Rob Brennan; Simon Steyskal. 21 June 2021. URL: http://www.w3.org/ns/dpv#
[ns1]
VANN: A vocabulary for annotating vocabulary descriptions . Ian Davis. 1 April 2005. URL: http://purl.org/vocab/vann/
[odrl-model]
ODRL Information Model 2.2 . Renato Iannella; Serena Villata. W3C. 15 February 2018. W3C Recommendation. URL: https://www.w3.org/TR/odrl-model/
[odrl-vocab]
ODRL Vocabulary & Expression 2.2 . Renato Iannella; Michael Steidl; Stuart Myles; Víctor Rodríguez-Doncel. W3C. 15 February 2018. W3C Recommendation. URL: https://www.w3.org/TR/odrl-vocab/
[owl2-overview]
OWL 2 Web Ontology Language Document Overview (Second Edition) . W3C OWL Working Group. W3C. 11 December 2012. W3C Recommendation. URL: https://www.w3.org/TR/owl2-overview/
[rdf-schema]
RDF Schema 1.1 . Dan Brickley; Ramanathan Guha. W3C. 25 February 2014. W3C Recommendation. URL: https://www.w3.org/TR/rdf-schema/
[rdf11-concepts]
RDF 1.1 Concepts and Abstract Syntax . Richard Cyganiak; David Wood; Markus Lanthaler. W3C. 25 February 2014. W3C Recommendation. URL: https://www.w3.org/TR/rdf11-concepts/
[skos]
SKOS Simple Knowledge Organization System Reference . Alistair Miles; Sean Bechhofer. W3C. 18 August 2009. W3C Recommendation. URL: https://www.w3.org/TR/skos-reference/
[xsd]
W3C XML Schema Definition Language (XSD) 1.1 Part 2: Datatypes . David Peterson; Sandy Gao; Ashok Malhotra; Michael Sperberg-McQueen; Henry Thompson; Paul V. Biron et al. W3C. 5 April 2012. W3C Recommendation. URL: https://www.w3.org/TR/xmlschema11-2/
[solid-protocol]
Solid Protocol . Sarven Capadisli; Tim Berners-Lee; Ruben Verborgh; Kjetil Kjernsmo; Justin Bingham; Dmitri Zagidulin. 7 July 2021. URL: https://solidproject.org/TR/protocol
[wac]
Web Access Control . Sarven Capadisli. 11 July 2021. URL: https://solid.github.io/web-access-control-spec/