The Solid framework for decentralized and self-sovereign data management proposed by Berners-Lee enables dynamically binding an identity to a Solid application and a user-specific Solid data store, thus enabling interoperability within the Solid ecosystem. We evaluated Solid in the context of a typical B2B use case, the granting of a loan between a bank and a receiving company, and thereby identified two business functionalities that are particularly relevant in the B2B context: The need to provide secure and easy access to internal data between companies and the need for employees to be able to take on diferent roles in business processes depending on whether they are acting internally or externally (i.e., on behalf of the company). We transferred these business requirements into two separate applications, the “Authorization App” and the “Rights Delegation Proxy”, and evaluated them based on our use case.
CEUR ceur-ws.org
Solid1 (Social Linked Data) intends to change the way web applications work today, aiming
for true data ownership and improved privacy, establishing data sovereignty in web-based
data-driven ecosystem [
Figure 1 outlines our motivating example. A small- or medium-sized enterprise (SME) applies for a loan from a bank. The bank, in turn, requests additional internal data from the SME (business assessment reports) in order to prepare a loan ofer to the SME. However, loan ofers nEvelop-O
Lisa (Bank Clerk) Acts on behalf of the bank
Processes loan applications for the bank
BANK and loan applications are not issued by the companies themselves. Rather, employees act on behalf of their companies. Two aspects are of particular relevance in this scenario and need to be solved on a technical level. Secure and simple sharing of information through mutual access to internal data (annual reports and loan ofers) and the diferent roles of the involved employees in this business process, both internally and in relation to external partners. We propose a solution that consists of two independent components. An application for secure and easy data sharing, and an application/service that allows people to perform actions on behalf of others.
Data sovereignty in a web-based ecosystem is the goal of the Solid movement [
One of the key principles of the Solid concept, the ability to dynamically bind an identity to a Solid application and a Solid Pod, means that users must frequently process data access requests on demand and grant or deny them or revoke existing access rights to data. Processing and managing such access requests and access rights in a Solid environment requires a comparatively high number of HTTP requests.
To enable eficient handling of these tasks and to prevent the need to re-implement this functionality for new use cases, we developed a prototype of a reusable web-based user interface to grant access to data in a Solid Pod, the Authorization App, short AuthApp. The application allows both the monitoring and processing of received, existing, rejected, and revoked requests for data sharing. By design, the AuthApp is not integrated directly into the business applications. The Authorization Agent, resp. the application, for a given Social Agent can be discovered by de-referencing the identity of that Social Agent, and extracting the object value of the interop:hasAuthorizationAgent statement defined in the W3C Solid Community Group’s Application Interoperability Specification 2 from the Social Agent graph in the returned identity profile document. Further, we designed the application to avoid the need to copy or store data outside the personal / company context, meaning all data remains under the user’s / company’s control. By this, any business app just needs to redirect the web browser to the corresponding IRI to provide the user with the functionality of data sharing.
In our use case, agents have to act on behalf of others, here especially natural persons on behalf of organizations e.g. an employee signs the loan contract on behalf of their employer. The transfer of rights from one agent to another is a so-called delegation or power of attorney. In
SME needs a loan from the bank
Loan is granted to the SME
Yes
SME creates a loan demand in the
bank's Solid Pod
Bank requests read access for business data in SME's
Solid Pod
Offer accepted ?
No No business relationship established
SME decides on the loan offer
Bank creates a loan offer based on shared business data
Yes employees acting on behalf of Lisa Tom their corresponding company
SME evaluates access request via AuthApp
Access rights granted ?
No No business relationship established a delegation, a delegator defines policies for a delegate that state the rights and transactions that may be exercised in the delegator’s name toward an afiliate. We use Solid to realize dataspaces between agents to share data and also delegations to act on data, but for rights delegation, the current process is based, e.g., on Access Control Lists3 (ACL) or the membership in vCard groups4. When considering privacy, issues arise quickly, as the delegate’s identity and the delegation are revealed to an afiliate who has to set the corresponding ACLs, despite the delegate’s potential interest to stay hidden. Still, a delegator needs to keep control over defined policies. To solve the questions of privacy and business secrets while realizing more complex policies (that go beyond ACLs), we propose the Rights Delegation Proxy (RDP) as an approach for private and legitimate data sharing and delegations. As the delegation of rights among agents occurs frequently and still has far-reaching implications in terms of the power of attorney, e.g., along hierarchies or only between individual citizens [13], and is often similar in terms of basic roles (delegator, delegate, afiliate), we opted for a general, reusable form that may be used across diferent organizations. As a component, the RDP receives all requests the delegate makes, checks that the delegate’s WebID is authenticated, and extracts the requested web resource. The RDP looks up suiting policies as defined by the delegator depending on the WebID or web resource and evaluates if the delegate’s request is valid concerning the policies. Such policies can, e.g., be defined as Shape Expressions (ShEx) 5 or SPARQL6 ASK queries. If the policy is valid, the RDP logs and forwards the delegate’s request to the resource authenticated as a delegator, s.t., a separation between delegate and afiliate is made. From the afiliate’s perspective, only the delegator was involved.
In this paper, we addressed reusable components in the Solid ecosystem. Our approach is driven by the potential of the Solid technology stack that is enabling web components that can safely interact. Motivated by the demands in the B2B world, we identified two processing steps that have a high potential to be reused in most B2B use cases: Rights Delegation Proxy (RDP) and Authorization App (AuthApp). We designed and implemented these components as pure Solid apps, s.t., they can be reused by design. With our contributions, we follow our long-term agenda of providing the required standard functionality for B2B data-driven ecosystems as Solid apps. Hence, we envision a future environment where Solid apps for business can be implemented rapidly while still meeting the highest demands in relation to GDPR, security, traceability, and protecting business secrets. AuthApp — Flexible, Reusable Solid App for GDPR-compliant Access Granting, in: International Conference on Web Engineering (ICWE 2024), 2024. [11] S. Schmid, D. Schraudner, A. Harth, The Rights Delegation Proxy: An Approach for Delegations in the Solid Dataspace, in: Proceedings of the 2nd International Workshop on Semantics in Dataspaces (SDS 2024) co-located with the 21st Extended Semantic Web Conference (ESWC 2024), 2024. [12] S. Schmid, D. Schraudner, A. Harth, The Rights Delegation Proxy: An Approach for Delegations in the Solid Dataspace, in: Proceedings of the 2nd Solid Symposium, 2024. URL: https://solid.iis.fraunhofer.de/SCS-DS-IoT/public/2024/solid%20symposium/preprint/ 1_the_rights_delegation_proxy_an.pdf, preprint. [13] M. M. Hughes, Remedying financial abuse by agents under a power of attorney for finances, Marquette Elder’s Advisor 2 (2012) 39. URL: https://api.semanticscholar.org/CorpusID: 37730572.