Migrate Access Grant Registry to Data Consent Registry #173

Closed
2 tasks
justinwb opened this issue Sep 8, 2021 · 6 comments · Fixed by #180
Comments

@justinwb
Member

justinwb commented Sep 8, 2021

  • Define new class / properties / shapes for data consent
  • Split Data Grants out of Access Grants and Store them both in the Agent Registry
@justinwb justinwb self-assigned this Sep 9, 2021
@justinwb
Member Author

Rough breakdown of approach, plus a few open questions:

  • Is there a benefit or detriment to organizing Access Consents or Access Grants flatly?
  • What is the cost / benefit of copying access needs into the consent registry, and referencing them in the Application Profile?
    • Originally we stored these in the (likely) event that the Application Profile changed its Access Needs. Having a local copy gave us the ability to compare what was originally authorized vs. the new set. I think that we can offload this instead to the Application's profile, and make them maintain a historical set, so that when changes are made, it's clear and the authorization agent can compare one set to another.
    • A hash (e.g. URDNA2015) could be maintained to look for cases where the application changes an existing set.
    • Generally the problem would be that if the application stops publishing these needs at some point, the links would break, and that would impact the auditing trail. Maybe we could leave it as a recommendation that implementations cache in the consent registry if an audit trail is necessary.
  • Have proposed in the example below that we can avoid AccessGrantSubject by linking to the Agent Registration directly instead? We could always include some metadata in the Agent Registration on whether the app is piloted vs. authenticates on its own (or both). May still want to include the registeredAgent in the Consent / Grant record.
  • Should we specify that inheritsFromConsent back links should go into the primary documents, or perhaps include some non-normative language about it as an optimization?
  • When we are dealing with applications, and want to capture access to both local and remote data, should we use a combined scope, multiple scopes, or properties and scopes for local vs. remote? In the example below they're jammed together in "AllInstances" but not sure that feels right.
  • Should Agents be given access to their corresponding AgentRegistration resource in someone's pod, or only the AccessGrant inside of it? (For now, assuming they have access to the whole AgentRegistration)
  • How and where do we cleanly reduce duplication of information (and management overhead) between consents and grants?
  • Should delegated data grants have their own sub-class (e.g. DelegatedDataGrant)? Have included that in the example below.

Access Consent from Alice for the Projectron Application for Projects and Tasks

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:e2765d6c
  a interop:AccessConsent ;
  interop:registeredBy alice:\#id ;
  interop:registeredWith jarvis:\#id ;
  interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:hasApplicationRegistration alice-agents:a788ebe\/ ;
  interop:hasAccessNeedGroup projectron:\#d8219b1f ;
  interop:hasDataConsent
    alice-consents:54a1b6a0,
    alice-consents:0e4cb692 .

Data Consent for Projectron to access Projects

PREFIX alice <https://alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:54a1b6a0
  a interop:DataConsent ;
  interop:registeredShapeTree pm-shapetrees:ProjectTree ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed projectron:\#ac54ff1e ;
  interop:accessMode acl:Read, acl:Write ;
  interop:creatorAccessMode acl:Control ;
  interop:scopeOfConsent interop:AllInstances .

Data Consent for Projectron to access Tasks

PREFIX alice <https://alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:0e4cb692
  a interop:DataConsent ;
  interop:registeredShapeTree pm-shapetrees:TaskTree ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed projectron:\#9462959c ;
  interop:accessMode acl:Read, acl:Write ;
  interop:creatorAccessMode acl:Control ;
  interop:scopeOfConsent interop:InheritInstances ;
  interop:inheritsFromConsent
    alice-consents:54a1b6a0 .

Alice's Agent Registration for Projectron

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-agents <https://alice.example/agents/>

alice-agents:a788ebe\/
  a interop:ApplicationRegistration ;
  interop:registeredBy alice:\#id ;
  interop:registeredWith jarvis:\#id ;
  interop:registeredAt "2020-04-04T20:15:47.000Z"^^xsd:dateTime ;
  interop:updatedAt "2020-04-04T21:11:33.000Z"^^xsd:dateTime ;
  interop:registeredAgent projectron:\#id ;
  interop:hasAccessGrant alice-agents:a788ebe\/27eae14b .

Alice's Access Grant for Projectron, stored in her Agent Registration for Projectron

PREFIX alice <https://alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-projectron <https://alice.example/agents/a788ebe/>

alice-projectron:27eae14b
  a interop:AccessGrant ;  
  interop:registeredBy alice:\#id ;
  interop:registeredAt "2020-04-04T20:15:47.000Z"^^xsd:dateTime ;
  interop:updatedAt "2020-04-04T21:11:33.000Z"^^xsd:dateTime ;
  interop:registeredAgent projectron:\#id ;
  interop:hasAccessNeedGroup projectron:\#d8219b1f ;
  interop:hasDataGrant
    alice-projectron:40d038ea ,
    alice-projectron:0945218b ,
    alice-projectron:fe818190 ,
    alice-projectron:017d6a07 .

Data Grant from Alice for Projectron to access Alice's Work Projects

PREFIX alice <https://alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-projectron <https://alice.example/agents/a788ebe/>
PREFIX alice-work-data <https://work.alice.example/data/>

alice-projectron:40d038ea
  a interop:DataGrant ;  
  interop:dataOwner alice:\#id ;
  interop:registeredShapeTree pm-shapetrees:ProjectTree ;
  interop:hasDataRegistration alice-work-data:12dd3d32\/ ;
  interop:satisfiesAccessNeed projectron:\#ac54ff1e ;
  interop:accessMode acl:Read, acl:Write ;
  interop:creatorAccessMode acl:Control ;
  interop:scopeOfGrant interop:AllInstances .

Data Grant from Alice for Projectron to access Alice's Work Tasks

PREFIX alice <https://alice.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-projectron <https://alice.example/agents/a788ebe/>
PREFIX alice-work-data <https://work.alice.example/data/>

alice-projectron:0945218b
  a interop:DataGrant ;  
  interop:dataOwner alice:\#id ;
  interop:registeredShapeTree pm-shapetrees:TaskTree ;
  interop:hasDataRegistration alice-work-data:f0f04f3e\/ ;
  interop:satisfiesAccessNeed projectron:\#9462959c ;
  interop:accessMode acl:Read, acl:Write ;
  interop:creatorAccessMode acl:Control ;
  interop:scopeOfGrant interop:InheritInstances ;
  interop:inheritsFromGrant alice-projectron:40d038ea .

Delegated Data Grant from Alice to Projectron to access Bob's Work Projects shared with Alice

PREFIX bob <https://bob.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-projectron <https://alice.example/agents/a788ebe/>
PREFIX alice-bob <https://alice.example/agents/723ea3ec/>
PREFIX bob-work-data <https://work.bob.example/data/>

alice-projectron:fe818190
  a interop:DelegatedDataGrant ;  
  interop:dataOwner bob:\#id ;
  interop:registeredShapeTree pm-shapetrees:ProjectTree ;
  interop:hasDataRegistration bob-work-data:08a99a10\/ ;
  interop:satisfiesAccessNeed projectron:\#ac54ff1e ;
  interop:accessMode acl:Read, acl:Write ;
  interop:creatorAccessMode acl:Control ;
  interop:scopeOfGrant interop:AllInstances ;
  interop:delegationOfGrant
    alice-bob:b2b6a645 .

Delegated Data Grant from Alice to Projectron to access Bob's Work Tasks shared with Alice

PREFIX bob <https://bob.example>
PREFIX projectron <https://projectron.example/>
PREFIX alice-projectron <https://alice.example/agents/a788ebe/>
PREFIX alice-bob <https://alice.example/agents/723ea3ec/>
PREFIX bob-work-data <https://work.bob.example/data/>

alice-projectron:017d6a07
  a interop:DelegatedDataGrant ;  
  interop:dataOwner bob:\#id ;
  interop:registeredShapeTree pm-shapetrees:TaskTree ;
  interop:hasDataRegistration bob-work-data:45e092cf\/ ;
  interop:satisfiesAccessNeed projectron:\#9462959c ;
  interop:accessMode acl:Read, acl:Write ;
  interop:creatorAccessMode acl:Control ;
  interop:scopeOfGrant interop:InheritInstances ;
  interop:inheritsFromGrant alice-projectron:fe818190 ;
  interop:delegationOfGrant
    alice-bob:d5b5760c .

@elf-pavlik
Member

What is the cost / benefit of copying access needs into the consent registry, and referencing them in the Application Profile?

Good question! I would prefer to defer answering it and start by creating a tracking issue and linking to it inline in the spec.

When we are dealing with applications, and want to capture access to both local and remote data, should we use a combined scope, multiple scopes, or properties and scopes for local vs. remote? In the example below they're jammed together in "AllInstances" but not sure that feels right.

Let's use #155 to figure it out, I already captured some thoughts there.

Should Agents be given access to their corresponding AgentRegistration resource in someone's pod, or only the AccessGrant inside of it? (For now, assuming they have access to the whole AgentRegistration)

I think this is a good starting point, especially if we also define Access Grant as immutable (which can still reuse immutable data grants from previous Access Grant).

How and where do we cleanly reduce duplication of information (and management overhead) between consents and grants?

Since they are made for different audiences we probably can't avoid all the duplication. Consent is the source of information; data grants are derived from it for all known data registrations (we end up with one grant per data registration in scope).

As for snippets, as I mentioned on chat I would prefer to not prematurely introduce control mode and instead look into delegation. I created https://solid.github.io/authorization-panel/authorization-ucr/#uc-delegation-subset in big part with that in mind. As I mention there, effectively anyone who has access can share that access (relying on impersonation); this renders control access mode in many ways naive. Formalizing delegation is IMO the way to go. I can create a tracking issue for it.

To showcase interop:creatorAccessMode I would just not put update and delete in interop:accessMode and give them only to the creator.

Should we specify that inheritsFromConsent back links should go into the primary documents, or perhaps include some non-normative language about it as an optimization?

I'll take a look at how we implemented it in sai-js and will get back to you.

One thing I know is that we also rely on embedding a statement about interop:iriPrefix from the DataRegistration into the data grant. This is mostly for symmetry with the case of 'InheritInstances', where we can create new child instances but don't have access to the Data Registration itself. See https://solid.github.io/data-interoperability-panel/primer/#access-grant
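As an added example (not sai-js or spec code) of the derivation described above, one grant per data registration in scope with the iriPrefix always copied in, plus the subset check that delegation needs: Python, where the record fields, the `registry` key used to pair a child grant with its parent grant, and the sample registrations are all assumptions or constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataConsent:
    iri: str
    owner: str
    shape_tree: str
    modes: frozenset
    scope: str               # AllInstances | InheritInstances
    inherits_from: str = ""  # parent DataConsent IRI (for a grant: parent DataGrant IRI)

@dataclass(frozen=True)
class DataGrant(DataConsent):
    registration: str = ""   # interop:hasDataRegistration
    iri_prefix: str = ""     # interop:iriPrefix, always copied in from the registration

def derive_grants(consents, registrations, base):
    # One grant per data registration in scope, parents before children; grant IRIs
    # are minted under `base` (a constructed agent-registration URL).
    grants, by_consent = {}, {}
    for consent in sorted(consents, key=lambda c: c.inherits_from != ""):
        by_consent[consent.iri] = {}
        for reg_iri, tree, registry in registrations:
            if tree != consent.shape_tree:
                continue
            parent = None
            if consent.inherits_from:
                parent = by_consent.get(consent.inherits_from, {}).get(registry)
                if parent is None:
                    continue  # no parent grant in this registry: nothing to inherit
            grant = DataGrant(f"{base}{len(grants):08x}", consent.owner, tree,
                              consent.modes, consent.scope,
                              parent.iri if parent else "", reg_iri, reg_iri)
            grants[grant.iri] = grant
            by_consent[consent.iri][registry] = grant
    return grants

def check_grant(grant, consent):
    """Invariants a derived grant must keep relative to the consent it came from."""
    problems = []
    if not grant.modes <= consent.modes:
        problems.append("grant widens access modes beyond consent")
    if (grant.shape_tree, grant.owner) != (consent.shape_tree, consent.owner):
        problems.append("grant shape tree or data owner differs from consent")
    if grant.scope == "InheritInstances" and grant.inherits_from == "":
        problems.append("InheritInstances grant has no inheritsFromGrant")
    return problems

def check_delegation(delegated, source):
    """A delegated grant may only re-share a subset of what was shared with the delegator."""
    problems = []
    if not delegated.modes <= source.modes:
        problems.append("delegation widens access modes")
    if (delegated.owner, delegated.registration) != (source.owner, source.registration):
        problems.append("delegation targets a different owner or registration")
    return problems

# Constructed sample input: Alice's consents for Projectron and her known data
# registrations as (iri, shape tree, registry) tuples; the iri doubles as iriPrefix.
ALICE, BASE = "https://alice.example#id", "https://alice.example/agents/a788ebe/"
WORK, HOME = "https://work.alice.example/data/", "https://home.alice.example/data/"
REGISTRATIONS = [(WORK + "12dd3d32/", "ProjectTree", "work"),
                 (WORK + "f0f04f3e/", "TaskTree", "work"),
                 (HOME + "0badc0de/", "ProjectTree", "home")]
RW = frozenset({"Read", "Write"})
PROJECTS = DataConsent("https://alice.example/consents/54a1b6a0", ALICE, "ProjectTree", RW, "AllInstances")
TASKS = DataConsent("https://alice.example/consents/0e4cb692", ALICE, "TaskTree", RW,
                    "InheritInstances", PROJECTS.iri)
```

The home registry has no task registration, so no task grant is minted there; the work task grant inherits from the work project grant exactly as in the Turtle above.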

@justinwb
Member Author

Good question! I would prefer to defer answering it and start by creating a tracking issue and linking to it inline in the spec.

Issue created at #177

As for snippets, as I mentioned on chat I would prefer to not prematurely introduce control mode and instead look into delegation. I created https://solid.github.io/authorization-panel/authorization-ucr/#uc-delegation-subset in big part with that in mind. As I mention there, effectively anyone who has access can share that access (relying on impersonation); this renders control access mode in many ways naive. Formalizing delegation is IMO the way to go. I can create a tracking issue for it.

Agree with establishing an elegant approach for re-sharing. I believe that it could be a more common use case, so we should have a good pathway for it.

To showcase interop:creatorAccessMode I would just not put update and delete in interop:accessMode and give them only to the creator.

As of yet we haven't branched out in the spec from the existing acl: modes. At this point I think it makes sense to do that: add acl:create, acl:delete, and acl:update into the mix, and cite solid/authorization-panel#253

One thing I know is that we also rely on embedding a statement about interop:iriPrefix from the DataRegistration into the data grant. This is mostly for symmetry with the case of 'InheritInstances', where we can create new child instances but don't have access to the Data Registration itself.

Should iriPrefix always be included or optional and employed only when needed?

@elf-pavlik
Member

Should iriPrefix always be included or optional and employed only when needed?

The current implementation expects it to always be included. It doesn't come with any extra cost, and it just streamlines consumption of data grants: we don't need to handle different scopes differently when it comes to getting the iriPrefix.
I'm about to start writing generation of data grants, but I think it will also be easier to generate them if we simply include that information no matter the scope of the data grant.

@justinwb
Member Author

An approach for what's been (to date) Trusted Grants, that avoids additional classes (Trusted Grant, Trusted Consent, Trusted Need), and instead uses a few new properties in Data Consents, Data Grants, Access Needs.

Examples below are for an Application (Jarvis - Alice's Authorization Agent), and a Social Agent (Sarah - Alice's Sister).

On whether or not an Authorization Agent should have a consent record - I provided an argument in Gitter, quoted here again for convenience:

I think it's a critical piece of the audit trail. If the data owner wants to look at a full set of who/what has received consent to work with their data, the authorization agent should be part of that set without having to query it separately. If the data owner switches to another authorization agent, there should be a record along with the other consents. I think it's important to look at consent not only as something that is providing input to authorization workflows in the moment, but also as a historical record.

Access Consent from Alice for Jarvis her Trusted Authorization Agent

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:47e07897
  a interop:AccessConsent ;
  interop:registeredBy alice:\#id ;
  interop:registeredWith jarvis:\#id ;
  interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:hasApplicationRegistration alice-agents:5f5156fd\/ ;
  interop:hasAccessNeedGroup jarvis:\#4fd1482d ;
  interop:hasDataConsent
    alice-consents:55363f56 ,
    alice-consents:935458cf .

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:55363f56
  a interop:DataConsent ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#3fb5f9a6 ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:SocialAgentTree ;
  interop:hasDataResource alice: ;
  interop:scopeOfConsent interop:SelectedInstances .

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:935458cf
  a interop:DataConsent ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#fde6805e ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:RegistrySetTree ;
  interop:hasDataResource alice:registries ;
  interop:scopeOfConsent interop:SelectedInstances .

Agent Registration and Access Grant for Jarvis

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-agents <https://alice.example/agents/>

alice-agents:b5eea7bb\/
  a interop:ApplicationRegistration ;
  interop:registeredBy alice:\#id ;
  interop:registeredWith jarvis:\#id ;
  interop:registeredAt "2020-04-04T20:15:47.000Z"^^xsd:dateTime ;
  interop:updatedAt "2020-04-04T21:11:33.000Z"^^xsd:dateTime ;
  interop:registeredAgent jarvis:\#id ;
  interop:hasAccessGrant alice-agents:b5eea7bb\/5ad22737 .

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-jarvis <https://alice.example/agents/b5eea7bb/>

alice-jarvis:5ad22737
  a interop:AccessGrant ;
  interop:registeredBy alice:\#id ;
  interop:registeredAt "2020-04-04T20:15:47.000Z"^^xsd:dateTime ;
  interop:updatedAt "2020-04-04T21:11:33.000Z"^^xsd:dateTime ;
  interop:registeredAgent jarvis:\#id ;
  interop:hasAccessNeedGroup jarvis:\#4fd1482d ;
  interop:hasDataGrant
    alice-jarvis:b0dc6c78 ,
    alice-jarvis:6ef722af .

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-jarvis <https://alice.example/agents/b5eea7bb/>

alice-jarvis:b0dc6c78
  a interop:DataGrant ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#3fb5f9a6 ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:SocialAgentTree ;
  interop:hasDataResource alice: ;
  interop:scopeOfGrant interop:SelectedInstances .

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-jarvis <https://alice.example/agents/b5eea7bb/>

alice-jarvis:6ef722af
  a interop:DataGrant ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesTrustedNeed jarvis:\#fde6805e ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:RegistrySetTree ;
  interop:hasDataResource alice:registries ;
  interop:scopeOfGrant interop:SelectedInstances .

Access Consent from Alice for her sister Sarah who she trusts to operate on her behalf

PREFIX alice <https://alice.example>
PREFIX sarah <https://sarah.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:d577d117
  a interop:AccessConsent ;
  interop:registeredBy alice:\#id ;
  interop:registeredWith jarvis:\#id ;
  interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:hasSocialAgentRegistration alice-agents:b49afcdf\/ ;
  interop:hasAccessNeedGroup jarvis:\#4fd1482d ;
  interop:hasDataConsent
    alice-consents:2d1568fb ,
    alice-consents:5ca4692b .

PREFIX alice <https://alice.example>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:2d1568fb
  a interop:DataConsent ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#fde6805e ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:SocialAgentTree ;
  interop:hasDataResource alice: ;
  interop:scopeOfConsent interop:SelectedInstances .

PREFIX alice <https://alice.example>
PREFIX alice-consents <https://alice.example/consents/>
PREFIX alice-agents <https://alice.example/agents/>

alice-consents:5ca4692b
  a interop:DataConsent ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#fde6805e ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:RegistrySetTree ;
  interop:hasDataResource alice:registries ;
  interop:scopeOfConsent interop:SelectedInstances .

Agent Registration and Access Grant for Sarah

PREFIX alice <https://alice.example>
PREFIX jarvis <https://jarvis.alice.example>
PREFIX sarah <https://sarah.example>
PREFIX alice-agents <https://alice.example/agents/>
PREFIX sarah-agents <https://sarah.example/agents/>

alice-agents:b49afcdf\/
  a interop:SocialAgentRegistration ;
  interop:registeredBy alice:\#id ;
  interop:registeredWith jarvis:\#id ;
  interop:registeredAt "2020-04-04T20:15:47.000Z"^^xsd:dateTime ;
  interop:updatedAt "2020-04-04T21:11:33.000Z"^^xsd:dateTime ;
  interop:registeredAgent sarah:\#id ;
  interop:reciprocalRegistration sarah-agents:efba320e\/ ;
  interop:hasAccessGrant alice-agents:b49afcdf\/731b43ec .

PREFIX alice <https://alice.example>
PREFIX sarah <https://sarah.example>
PREFIX alice-sarah <https://alice.example/agents/b49afcdf/>

alice-sarah:731b43ec
  a interop:AccessGrant ;
  interop:registeredBy alice:\#id ;
  interop:registeredAt "2020-04-04T20:15:47.000Z"^^xsd:dateTime ;
  interop:updatedAt "2020-04-04T21:11:33.000Z"^^xsd:dateTime ;
  interop:registeredAgent sarah:\#id ;
  interop:hasAccessNeedGroup jarvis:\#4fd1482d ;
  interop:hasDataGrant
    alice-sarah:d85fd1f5 ,
    alice-sarah:8fac3576 .

PREFIX alice <https://alice.example>
PREFIX sarah <https://sarah.example>
PREFIX alice-sarah <https://alice.example/agents/b49afcdf/>

alice-sarah:d85fd1f5
  a interop:DataGrant ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#3fb5f9a6 ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:SocialAgentTree ;
  interop:hasDataResource alice: ;
  interop:scopeOfGrant interop:SelectedInstances .

PREFIX alice <https://alice.example>
PREFIX sarah <https://sarah.example>
PREFIX alice-sarah <https://alice.example/agents/b49afcdf/>

alice-sarah:8fac3576
  a interop:DataGrant ;
  interop:dataOwner alice:\#id ;
  interop:satisfiesAccessNeed jarvis:\#3fb5f9a6 ;
  interop:accessMode acl:Read, acl:Write, acl:Control ;
  interop:registeredShapeTree interop:RegistrySetTree ;
  interop:hasDataResource alice:registries ;
  interop:scopeOfGrant interop:SelectedInstances .

@elf-pavlik
Member

Ok, let's start with that and once we get to implementing it we will see if any issues come up.
