At runtime, the usage control enforcement prevents IDS connectors from treating data in an undesired way, for example by forwarding personal data to public endpoints.
For enforcing usage restrictions, data flows need to be monitored and potentially intercepted by control points (i.e., PEPs). These intercepted data flows are given to the decision engine (i.e., the PDP) for requesting permission or denial of the data flow. In addition to just allowing or denying the data flow, the decision can also require a modification of data.
More information: Usage Control in the International Data Spaces
Enforcement Layers
- Connector/Container Layer
- Route/Interceptor Layer
- Application Layer
Use case: The Data App is allowed to use (process, display, etc.) the data
Usage Control tasks:
- Check the conditions (Time interval, Data App, Events, etc.)
Condition:
- Data App inside a connector
- UC app inside a Connector
Use case: The Data App is allowed to use (process, display, etc.) and store the data
Usage Control tasks:
- Check the conditions (Time interval, Data App, Events, etc.)
- Log usage information
- Inform a Party about the usage
- Setting up a Delete Data PXP
Condition:
- Data App inside a connector
- Data sink inside a Connector
- UC app inside a Connector
Use case: The Data App is allowed to use (process, display, etc.) the data and distribute it outside the connector
Usage Control tasks:
- Check the conditions (Time interval, Data App, Events, etc.)
- Log usage information
- Inform a Party about the usage
Condition:
- Data App inside a connector
- System Adapter inside a Connector
- UC app inside a Connector
Characteristics:
- Data format must be json compatible
- Hooking points must be known and implemented
Advantages:
- One UC service can be used by many Data Apps (reusable)
- Easier Policy Management
Use case: The Data App is restricted to use (process, print, display and store) the data
Usage Control tasks:
- Check the conditions (Time interval, Data App, Events, etc.)
- Log usage information
- Inform a Party about the usage
- Hook into the data flow (for fine-grained actions)
- Modify in transit
- Count usage
Condition:
- Data App inside a connector
- UC app inside a Connector
- JSON data exchange
Use case: The Data App shall read and store the data via System Adapter App
- System Adapter App encrypts and decrypts data that is stored/retrieved from a database outside a connector.
Usage Control tasks:
- Check the conditions (Time interval, Data App, Events, etc.)
- Log usage information
- Inform a Party about the usage
- Hook into the data flow in the System Adapter App
- Modify in transit
- Setting up a Delete Data PXP
Condition:
- Data App inside a connector
- System Adapter inside a Connector
- UC app inside a Connector
- Data Storage outside a Connector
Characteristics:
- It can be MYDATA or any other implementation.
- Data format depends on the implementation of the Usage Control technology
- Hooking points must be known and implemented
Advantages:
- More independent solution (wrt. Programming language, data format, etc.)
Disadvantages:
- Higher implementation effort
- Higher effort for Policy Management
Use case: The Data App is allowed to use (print and display) the data
Usage Control tasks:
- Check the conditions (Time interval, Data App, Events, etc.)
- Log usage information
- Inform a Party about the usage
- Hook into the data flow (for fine-grained actions)
- Modify in transit
- Count Usage
Condition:
- Data App inside a connector
- UC app inside a Data App
