[UC] Grant access to (business) data

[uvdsl]

Status: Draft

As a data provider, e.g. user of a business application,
I want to be able share data (instances) with business partners,
So that business processes can progress.

Preconditions:

What conditions must be in place or assumed before this use case can begin?

• data available on storage
• data provider is able to modify access rights
• data consumer does not yet have access

Trigger:

What (user or system) event or action initiates this use case?

Data provider wants to share data with data consumer.

Actors:

Describe the primary actor, and any other relevant actors involved in this use case

• data provider
• data consumer
• data storage

Distinction:

What unique challenges or distinguishing factors (like technical issues, user experience needs, workflow integration, etc.) are associated with this use case?

• data provider requires means to define access rules on the data on the data storage
• data storage needs to enforce these access rules

Scenario:

Describe an ideal or happy-case scenario where this use case would play out as intended.

Using some authorization application, the data provider is able to modify the storage's access rules such that the data consumer is allowed to access the data.

Alternative case(s):

What alternative flows or variations should the system handle for this use case?

Error scenario:

What unexpected issues or errors might arise, and how should the system handle them?

The data provider themself is not authorized to define access rights on specific data.
The data consumer cannot be authorized by the data provider to access the data.

Acceptance Criteria:

What conditions or criteria must be met for this use case to be considered successfully handled? What limitations are acceptable?

References:

List any relevant resources or examples that could inform this use case, possibly from other domains or solutions.

Solid Community:

• Web Access Control (WAC)
• Access Control Policy (ACP)
• Solid Application Interoperability

Publications:

• Hadrien Bailly, Anoop Papanna, Rob Brennan:
  Prototyping an End-User User Interface for the Solid Application Interoperability Specification Under GDPR. ESWC 2023: 557-573
  (received best in-use paper award)

• Andreas Both, Thorsten Kastner, Dustin Yeboah, Christoph Braun, Daniel Schraudner, Sebastian Schmid, Tobias Käfer, Andreas Harth:
  AuthApp - Portable, Reusable Solid App for GDPR-Compliant Access Granting. ICWE 2024: 199-214
  (received best research paper award)

Research projects:

• MANDAT Project: In a nutshell, MANDAT is about researching methods for exchange of company-related data (in data ecosystems where a data fiduciary may exist) and solving the problems that arise on the way, using the Solid protocol.
  MANDAT is supported by the German Ministry for Education and Research (BMBF) under grant 16DTM107, specifically FKZn 16DTM107A, 16DTM107B, and 16DTM107C, which are funded by the European Union -- NextGenerationEU.

[hzbarcea]

References are behind paywalls. Is there a point in listing them if they are not freely accessible?

[uvdsl]

Even if not directly accessible, I very much think so.

The listed publications show that

• related work exists, and we do not need to start from scratch.
• it is peer-reviewed rather than just a blog post or some random white paper
• it is of interest to the community, even finding attention and being awarded
• there are specific individuals that already put significant effort into this topic and might want to contribute / share their knowledge if reached out to

In my experience authors love to share their work when you reach out to them via email.

In the meantime, I will check if there is a pre-print of our paper available somewhere.

[pchampin]

The ESWC paper by Baily et al. is available here: https://2023.eswc-conferences.org/wp-content/uploads/2023/05/paper_Bailly_2023_Prototyping.pdf