Access control for Data Spaces
Nikos Fotiou, Vasilios A. Siris, George C. Polyzos
TL;DR
The paper tackles fine-grained, semantics-aware access control in Data Spaces to support data sharing without compromising sovereignty or subscription-based updates. It introduces a modular architecture with IdP, PAP, PEP, PDP, and PIP, and leverages Verifiable Credentials and Presentations to distribute policy administration and proof of capabilities. The authors implement a prototype using FIWARE Orion, Keycloak, and iSHARE, and provide security, privacy, and availability analyses including revocation-based usage control. The work demonstrates a scalable approach for continuous policy evaluation across distributed owners, enabling secure subscriptions and fine-grained data access with strong sovereignty guarantees.
Abstract
Data spaces represent an emerging paradigm that facilitates secure and trusted data exchange through foundational elements of data interoperability, sovereignty, and trust. Within a data space, data items, potentially owned by different entities, can be interconnected. Concurrently, data consumers can execute advanced data lookup operations and subscribe to data-driven events. Achieving fine-grained access control without compromising functionality presents a significant challenge. In this paper, we design and implement an access control mechanism that ensures continuous evaluation of access control policies, is data semantics aware, and supports subscriptions to data events. We present a construction where access control policies are stored in a centralized location, which we extend to allow data owners to maintain their own Policy Administration Points. This extension builds upon W3C Verifiable Credentials.