Access Control for the Contract Metadata

Policies are the rules that govern how a piece of data may be accessed or used, and they must be stored securely. The data itself may come in different formats, sizes and contents. An (Offer) Contract, which carries the Usage Control policies and rules, can be regarded as a piece of data in its own right, so an Access Control policy can be defined for it. This Access Control policy references the Contract and must be stored separately and securely: the information about who may or may not access a Contract must not be stored inside the Contract itself. It can, however, be securely attached to the Contract. Policies attached in this way are also known as sticky policies.

The following policy is a sample Offer Contract with the uid ".../restrict-to-time-and-purpose/987":

{
    "@context": [
        "http://www.w3.org/ns/odrl.jsonld",
        { "dc": "http://purl.org/dc/terms/",
        "ids":"https://w3id.org/idsa/core/",
        "idsc" : "https://w3id.org/idsa/code/" }
    ],
    "@type": "Offer",
    "uid": "http://example.com/policy/offer/restrict-to-time-and-purpose/987",
    "profile": "http://www.w3.org/ns/odrl/2/core",
    "dc:creator": "Data Provider 123",
    "dc:description": "This Offer policy restricts the usage of the data to a specific purpose and a specific time interval.",
    "dc:issued": "2022-05-19T12:00",
    "ids:provider": "http://example.com/ids/party/123",
    "permission": [{
        "target": "http://example.com/ids/data/789",
        "assigner": "http://example.com/ids/party/123",
        "action": "display",
        "constraint": [{
           "leftOperand": "purpose",
           "operator": "eq",
           "rightOperand":  { "@value": "Educational Use", "@type": "xsd:string" },
           "ids:pipEndpoint": [{
              "@type":"ids:PIP",
              "ids:interfaceDescription":{ "@value":"?interfaceURI", "@type":"xsd:anyURI" }, 
              "ids:endpointURI":{ "@value":"?endpointURI", "@type":"xsd:anyURI" } 
           }]
       },{
           "leftOperand": "dateTime",
           "operator": "lteq",
           "rightOperand":  { "@value": "2022-06-01T08:00Z", "@type": "xsd:dateTimeStamp" },
           "ids:pipEndpoint": [{
              "@type":"ids:PIP",
              "ids:interfaceDescription":{ "@value":"?interfaceURI", "@type":"xsd:anyURI" }, 
              "ids:endpointURI":{ "@value":"?endpointURI", "@type":"xsd:anyURI" } 
           }]
       }]
    }]
}

Suppose two parties are introduced into the dataspace as follows:

{
   "@type": "vcard:Organization",
   "@id": "http://example.com/organization/org1",
   "vcard:fn": "org 1",
   "vcard:hasEmail": "org1@example.com",
   "odrl:partOf": "http://example.com/ids/partycollection/456456",
   "vcard:hasCountryName": "Germany",
   "vcard:hasGeo": "http://ontologi.es/place/DE"
}

{
   "@type": "vcard:Organization",
   "@id": "http://example.com/organization/org2",
   "vcard:fn": "org 2",
   "vcard:hasEmail": "org2@example.com",
   "odrl:partOf": "http://example.com/ids/partycollection/456456",
   "vcard:hasCountryName": "Germany",
   "vcard:hasGeo": "http://ontologi.es/place/DE"
}

An Access Control policy for the Contract ".../restrict-to-time-and-purpose/987" could take any of the following forms:

{
    "@context": [
        "http://www.w3.org/ns/odrl.jsonld",
        { "dc": "http://purl.org/dc/terms/",
        "ids":"https://w3id.org/idsa/core/",
        "idsc" : "https://w3id.org/idsa/code/" }
    ],
    "@type": "Policy",
    "uid": "http://example.com/metadatapolicy/456781",
    "profile": "http://www.w3.org/ns/odrl/2/core",
    "dc:creator": "Data Provider 123",
    "dc:description": "This policy restricts the access to a specific contract.",
    "dc:issued": "2022-05-19T12:00",
    "ids:provider": "http://example.com/ids/party/123",
    "permission": [{
        "target": "http://example.com/policy/offer/restrict-to-time-and-purpose/987",
        "assigner": "http://example.com/ids/party/123",
        "assignee": [{
           "@type": [ "Party", "vcard:Organization" ],
           "source": "http://example.com/organization/org1"
        },{
           "@type": [ "Party", "vcard:Organization" ],
           "source": "http://example.com/organization/org2"
        }],
        "action": "read"
    }]
}

{
    "@context": [
        "http://www.w3.org/ns/odrl.jsonld",
        { "dc": "http://purl.org/dc/terms/",
        "ids":"https://w3id.org/idsa/core/",
        "idsc" : "https://w3id.org/idsa/code/" }
    ],
    "@type": "Policy",
    "uid": "http://example.com/metadatapolicy/456782",
    "profile": "http://www.w3.org/ns/odrl/2/core",
    "dc:creator": "Data Provider 123",
    "dc:description": "This policy restricts the access to a specific contract.",
    "dc:issued": "2022-05-19T12:00",
    "ids:provider": "http://example.com/ids/party/123",
    "permission": [{
        "target": "http://example.com/policy/offer/restrict-to-time-and-purpose/987",
        "assigner": "http://example.com/ids/party/123",
        "assignee": ["http://example.com/organization/org1", "http://example.com/organization/org2"],
        "action": "read"
    }]
}

{
    "@context": [
        "http://www.w3.org/ns/odrl.jsonld",
        { "dc": "http://purl.org/dc/terms/",
        "ids":"https://w3id.org/idsa/core/",
        "idsc" : "https://w3id.org/idsa/code/" }
    ],
    "@type": "Policy",
    "uid": "http://example.com/metadatapolicy/456783",
    "profile": "http://www.w3.org/ns/odrl/2/core",
    "dc:creator": "Data Provider 123",
    "dc:description": "This policy restricts the access to a specific contract.",
    "dc:issued": "2022-05-19T12:00",
    "ids:provider": "http://example.com/ids/party/123",
    "permission": [{
        "target": "http://example.com/policy/offer/restrict-to-time-and-purpose/987",
        "assigner": "http://example.com/ids/party/123",
        "assignee": {
           "@type": [ "PartyCollection", "vcard:group" ],
           "source": "http://example.com/ids/partycollection/456456"
        },
        "action": "read"
    }]
}

Note that the target of each Access Control policy above is the uid of the Offer Contract, not the data the Contract governs; that reference is what ties the sticky access policy to the Contract it protects.
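The three policies above encode the same grant with different assignee shapes (typed Party objects, plain party IRIs, and a PartyCollection resolved through each party's odrl:partOf). The following is an added example, not code from IDS-G or any IDS connector, showing how a policy enforcement point could normalise all three shapes and run a default-deny check for a requesting party. The party registry, the extra party org3 (which belongs to a different collection) and the reduced Python form of the policies are constructed for illustration.

```python
"""Evaluate the three Access Control policy shapes for a Contract.

Added example (not IDS-G code). Parties and policies are constructed to
mirror the page; org3 is an assumed extra party in a different collection.
"""

# uid of the Offer Contract protected by the sticky access policies
CONTRACT_UID = "http://example.com/policy/offer/restrict-to-time-and-purpose/987"
COLLECTION_456456 = "http://example.com/ids/partycollection/456456"

# Constructed party registry: party @id -> the odrl:partOf value of its vcard record.
PARTIES = {
    "http://example.com/organization/org1": {"odrl:partOf": COLLECTION_456456},
    "http://example.com/organization/org2": {"odrl:partOf": COLLECTION_456456},
    "http://example.com/organization/org3": {"odrl:partOf": "http://example.com/ids/partycollection/999"},
}


def _policy_with_assignee(assignee):
    """Minimal access policy (context and dc fields omitted) with the given assignee form."""
    return {
        "@type": "Policy",
        "permission": [{
            "target": CONTRACT_UID,
            "assigner": "http://example.com/ids/party/123",
            "assignee": assignee,
            "action": "read",
        }],
    }


# The assignee encodings of the page's policies 456781, 456782 and 456783.
POLICY_TYPED_PARTIES = _policy_with_assignee([
    {"@type": ["Party", "vcard:Organization"], "source": "http://example.com/organization/org1"},
    {"@type": ["Party", "vcard:Organization"], "source": "http://example.com/organization/org2"},
])
POLICY_PLAIN_IRIS = _policy_with_assignee([
    "http://example.com/organization/org1",
    "http://example.com/organization/org2",
])
POLICY_COLLECTION = _policy_with_assignee({
    "@type": ["PartyCollection", "vcard:group"],
    "source": COLLECTION_456456,
})


def resolve_assignees(assignee, parties=PARTIES):
    """Normalise any of the three assignee encodings into a set of party @ids.

    A PartyCollection expands to every registered party whose odrl:partOf
    points at the collection's source. Unknown shapes resolve to the empty
    set, so a malformed assignee never grants access by accident.
    """
    if isinstance(assignee, str):
        return {assignee}
    if isinstance(assignee, list):
        return set().union(*(resolve_assignees(a, parties) for a in assignee))
    if isinstance(assignee, dict):
        types = assignee.get("@type", [])
        types = [types] if isinstance(types, str) else types
        source = assignee.get("source")
        if "PartyCollection" in types:
            return {pid for pid, rec in parties.items() if rec.get("odrl:partOf") == source}
        if "Party" in types and source:
            return {source}
    return set()


def may_access(policy, party_id, contract_uid=CONTRACT_UID, action="read", parties=PARTIES):
    """Default-deny check: may `party_id` perform `action` on `contract_uid`?

    Only permissions whose target is exactly the Contract uid count; that
    target is the link between the sticky access policy and the Contract.
    """
    for perm in policy.get("permission", []):
        if perm.get("target") != contract_uid or perm.get("action") != action:
            continue
        if party_id in resolve_assignees(perm.get("assignee"), parties):
            return True
    return False


if __name__ == "__main__":
    for name, pol in [("typed", POLICY_TYPED_PARTIES), ("iris", POLICY_PLAIN_IRIS), ("group", POLICY_COLLECTION)]:
        for org in ("org1", "org3"):
            print(name, org, may_access(pol, f"http://example.com/organization/{org}"))
```

Because matching is keyed on the Contract uid and the action, a policy that targets a different Contract or grants a different action yields no access, and a party outside the named collection is denied even though the collection form never lists parties explicitly.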
