IDS-G

IDS Knowledge Base How to Build Data Spaces?IDS-RAM 4 Dataspace Protocol IDSA Rulebook IDS Reference Testbed ODRL Profile for IDS IDS-G IDS Deployment Scenarios OPEN DEI Building Blocks Catalog Working Groups and Task Forces of IDSA

How to Build Dataspaces?

Step 1: Gather Knowledge Step 2: Define Your Use Case Step 3: Build Components Step 4: Prepare for Go-Live Step 5: Share

Main IDSA Assets

IDS RAM IDSA Rulebook Dataspace Protocol IDS-G IDS Reference Testbed Minimum Viable Data Space Data Connector Report Data Spaces Radar

Other Resources

ODRL Profile OPEN DEI Building Blocks IDS Deployment Scenarios

How to Build Dataspaces?Main IDSA Assets Other Resources

Changelog
Code of Conduct
Contributing to IDS-G-pre
LICENSE
International Data Spaces Global (IDS-G)
Overview
Components
Glossary
- IDS Shortcuts
Handbook to IDS-G
- Specification
IDS Information Model
- ids:Message
  DescriptionRequestMessage POST
  Message requests
Overview of the IDS Architecture
- References
- Relevant Documents
  IDS Repositories
IDS Usage Control
.github
- ISSUE_TEMPLATE
  content-change-request
  epic
  feature-request
  topic--code
  topic--documentation
  topic--quickfix
  topic--structure

Powered by GitBook

On this page

Usage Control Enforcement
Usage Control Enforcement via Route/Interceptor
Usage Control Aware External Apps (http-based Web Services)
Usage Control Aware Internal Apps

IDS Policy Enforcement

Last updated 1 year ago

Links:

IDSA Website IDSA Github Imprint Privacy Policy

© 2016 – 2024 | All Rights Reserved | International Data Spaces Association

Usage Control Enforcement

At runtime, the usage control enforcement prevents IDS connectors from treating data in an undesired way, for example by forwarding personal data to public endpoints.

For enforcing usage restrictions, data flows need to be monitored and potentially intercepted by control points (i.e., PEPs). These intercepted data flows are given to the decision engine (i.e., the PDP) for requesting permission or denial of the data flow. In addition to just allowing or denying the data flow, the decision can also require a modification of data.

More information: Usage Control in the International Data Spaces

Enforcement Layers

Connector/Container Layer
Route/Interceptor Layer
Application Layer

Usage Control Enforcement via Route/Interceptor

Use case: The Data App is allowed to use (process, display, etc.) the data

Usage Control tasks:

Check the conditions (Time interval, Data App, Events, etc.)

Condition:

Data App inside a connector
UC app inside a Connector

Use case: The Data App is allowed to use (process, display, etc.) and store the data

Usage Control tasks:

Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Setting up a Delete Data PXP

Condition:

Data App inside a connector
Data sink inside a Connector
UC app inside a Connector

Use case: The Data App is allowed to use (process, display, etc.) the data and distribute it outside the connector

Usage Control tasks:

Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage

Condition:

Data App inside a connector
System Adapter inside a Connector
UC app inside a Connector

Usage Control Aware External Apps (http-based Web Services)

Characteristics:

Data format must be json compatible
Hooking points must be known and implemented

Advantages:

One UC service can be used by many Data Apps (reusable)
Easier Policy Management

Use case: The Data App is restricted to use (process, print, display and store) the data

Usage Control tasks:

Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Hook into the data flow (for fine-grained actions)
Modify in transit
Count usage

Condition:

Data App inside a connector
UC app inside a Connector
JSON data exchange

Use case: The Data App shall read and store the data via System Adapter App

System Adapter App encrypts and decrypts data that is stored/retrieved from a database outside a connector.

Usage Control tasks:

Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Hook into the data flow in the System Adapter App
Modify in transit
Setting up a Delete Data PXP

Condition:

Data App inside a connector
System Adapter inside a Connector
UC app inside a Connector
Data Storage outside a Connector

Usage Control Aware Internal Apps

Characteristics:

It can be MYDATA or any other implementation.
Data format depends on the implementation of the Usage Control technology
Hooking points must be known and implemented

Advantages:

More independent solution (wrt. Programming language, data format, etc.)

Disadvantages:

Higher implementation effort
Higher effort for Policy Management

Use case: The Data App is allowed to use (print and display) the data

Usage Control tasks:

Check the conditions (Time interval, Data App, Events, etc.)
Log usage information
Inform a Party about the usage
Hook into the data flow (for fine-grained actions)
Modify in transit
Count Usage

Condition:

Data App inside a connector
UC app inside a Data App