Dataspace Participants (providers) wanting to share non-open or non-public data create a policy with rules and constraints about the access to that data.
Such an Access Control Rule thus consists of statements about: Who can perform what action on a particular data/resource.
As an extension, a participant might even add additional constraints about the usage of that resource: Usage Control Rule(s). Such additional constraints include when other participants can access it, what the purpose of usage is, other obligations, etc.
A set of such rules together thus form Usage Control Policies (UCPs).
In IDSA and Gaia-X, the W3C Recommendation Open Digital Rights Language (ODRL) is put forward as a candidate to be used as UCP language.
However, neither the ODRL standard nor the above initiatives contain a formal description of how to evaluate these policies, which means that evaluation is up to the implementer. As different implementers can interpret the policies their own way, slight inconsistencies can arise in their conclusions.
This means that a given UCP can result in an access grant on request in dataspace X, while in dataspace Y using the same policy the access would be denied.
To overcome this issue, there is a need for a formal description/framework on how to systematically evaluate ODRL policies.
Furthermore, a reference implementation that follows this description is required.
Finally, there is a need for a number of examples/test cases that show and validate the implementation.
Note: several researchers have seen this limitation of ODRL and have formed a community group (ODRL Formal Semantics) to formalise the evaluation of ODRL. However, to this date, no actual implementation conforming to their formalisation exists and it is not standardised yet.
Impact and Importance
Transparency: Dataspace participants know the exact conditions under which data can be used
Inter-data space interoperability: if policies are evaluated the same in each dataspace, dataspace participants understand already how to interpret the contracts in other dataspaces regarding the resources
Accountability: storing all policy evaluation results allows to show which actions on data were allowed and whether the data was indeed used in case of purpose.
Desired Solution
A policy engine that, given an ODRL policy, the current state of the world, and a request (in case of an access request), can make an evaluation.
This policy engine must follow a specification/formal description on how each rule of a policy must be evaluated. When following that description to the letter, other implementers should be able to get the same result on a given set of example policies.
Note: A request is not necessary for a policy engine in case the evaluation is about monitoring or auditing. Then previous requests (which are part of the state of the world) become essential.
Acceptance Criteria
An implementation of such a policy engine, i.e. an ODRL Evaluator that, given a set of policies, the state of the world (and a request in case of an access request), determines which rules are active.
The above implementation is open source with proper documentation on how to run it.
A set of examples that each consist of an ODRL policy, (request,) state of the world and the expected compliance result.
References and Resources
{'http://www.w3.org/ns/odrl/2/distribute': None}
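An added example, not part of the original issue and not the requested reference implementation: a minimal evaluator that takes a policy, a request and a state of the world and returns the active rules, run under two readings of a constraint whose left operand is missing from the state of the world. The policy, identifiers and the `unknown_is_satisfied` switch are constructed for illustration; neither reading is claimed to be the ODRL semantics.

```python
from datetime import datetime

# Constructed ODRL-style policy (JSON-LD shape); every urn:example id is made up.
POLICY = {
    "@type": "Set", "uid": "urn:example:policy:1",
    "permission": [{
        "uid": "urn:example:rule:1",
        "target": "urn:example:dataset:42",
        "assignee": "urn:example:party:alice",
        "action": "read",
        "constraint": [
            {"leftOperand": "dateTime", "operator": "lt",
             "rightOperand": "2030-01-01T00:00:00"},
            {"leftOperand": "purpose", "operator": "eq",
             "rightOperand": "urn:example:purpose:research"},
        ],
    }],
}

OPERATORS = {"eq": lambda a, b: a == b, "lt": lambda a, b: a < b}

def constraint_holds(c, world, unknown_is_satisfied):
    """Evaluate one constraint against the state of the world."""
    left = world.get(c["leftOperand"])
    if left is None:  # the world says nothing about this operand
        return unknown_is_satisfied  # hypothetical switch between two readings
    right = c["rightOperand"]
    if c["leftOperand"] == "dateTime":
        left, right = datetime.fromisoformat(left), datetime.fromisoformat(right)
    return OPERATORS[c["operator"]](left, right)

def active_rules(policy, request, world, unknown_is_satisfied=False):
    """Return the uids of the permissions that are active for this request."""
    active = []
    for rule in policy.get("permission", []):
        matches = all(rule[k] == request[k] for k in ("target", "assignee", "action"))
        if matches and all(constraint_holds(c, world, unknown_is_satisfied)
                           for c in rule.get("constraint", [])):
            active.append(rule["uid"])
    return active

REQUEST = {"assignee": "urn:example:party:alice", "action": "read",
           "target": "urn:example:dataset:42"}
WORLD_FULL = {"dateTime": "2025-06-01T12:00:00", "purpose": "urn:example:purpose:research"}
WORLD_NO_PURPOSE = {"dateTime": "2025-06-01T12:00:00"}  # purpose was never stated

if __name__ == "__main__":
    for world, lenient in ((WORLD_FULL, False), (WORLD_NO_PURPOSE, False), (WORLD_NO_PURPOSE, True)):
        print(lenient, active_rules(POLICY, REQUEST, world, lenient))
```

With the purpose stated, both readings activate the permission; with it missing, the strict reading returns no active rule while the lenient one grants access, which is the kind of divergence a shared test suite of policy, request, state of the world and expected result would pin down.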