Discussions on authorization mechanisms for decentralized (data) spaces exhibit a certain tension between high-level conceptual (legal or economic) requirements and low-level technical mechanisms, precluding the emergence of a broadly accepted integration between the two. New authorization frameworks are typically developed in the context of emerging data (exchange) technologies, which focus predominantly on the resource level (i.e., the data plane), rather than on interoperability in policy management and enforcement (i.e., the control plane). New conceptual frameworks, formulated in a corporate or political context using non-technical terminology, often fail to gain a foothold in technical implementation. Together, this results in a plethora of non-interoperable systems and proposals, between which development and interaction are a costly afair.

This tension is particularly visible in recent attempts at streamlining private data exchange on the Web, including i) several parallel eforts shaping Data Spaces (e.g., by IDSA, DSSC, Gaia-X, and Eclipse [ 1, 2, 3, 4 ]), which struggle to suficiently align their conceptual visions into concrete interoperable technical specifications 1; ii) numerous new regulations that impose data processing and governance requirements without much of a technical stack ready to facilitate them (e.g., in European Union law [6, 7, 8, 9]); and iii) multiple independent technical frameworks for (personal) data exchange, including the Solid and Fedora projects [10, 11]2, which fail to provide a foundation for many of the use cases formulated by the other endeavours.

In [18], the authors highlight the lack of orthogonality between the data plane and the control plane in existing technical solutions3, and their hierarchical, document-centric view of data, since it forms an inflexible dependency between internal and external interfaces for data and access management, and thus precludes the organic formation of an interoperable and scalable ecosystem in which Digital Trust flows from a variety of mutually beneficial relationships.

In this paper, we introduce LOAMA, a user interface designed to manage policies in an UMA Authorization Server (AS). LOAMA simplifies the complexity of policy management, ofering an intuitive experience for users, while the underlying API supports the exchange of complete and detailed policies. To demonstrate the functionality of our implementation, we also provide a screencast.

These issues are partially addressed by the Solid Application Interoperability (SAI) specification [20, 21], 4 which proposes to combine a registration-based policy model with more ifne-grained, declarative resource description languages (e.g., SHACL [ 22], SHEX [ 23 ]), and User-Managed Access (UMA) [ 24, 25 ] – an OAuth 2.0 extension enabling asynchronous and delegated multi-user access control, dynamic grant negotiation, and federation over multiple protection domains.

Still, SAI’s policy language lacks any legal or corporate semantics and expressivity, forming only a technical interoperability layer on top of WAC or ACP. Several authors highlight this shortcoming (with demo implementations in [ 26, 27 ]), stating that since "[WAC and ACP] cannot represent more complex rules nor invoke regulation-specific concepts," [ 28 ], Solid still lacks "the necessary vocabulary and processes for ensuring transparency and accountability [...] to deal with the obligations and requirements required by [them]," [ 29 ], as well as "the granularity and contextual awareness needed to enforce these regulatory requirements" [ 27 ]. Each of these papers emphasizes the importance of usage control over mere access control;5 and suggests an integration with the Open Digital Rights Language (ODRL) and the Data Privacy 1E.g., Eclipse’s Dataspace Protocol [5] merely mentions that "requests [...] SHOULD use the Authorization header to include an authorization token [the semantics of which] are not part of this specification." 2Their core texts [12, 13], based on the Linked Data Platform (LDP), Web Access Control (WAC), and Access Control Policy (ACP) specifications [ 14, 15, 16], now inform W3C’s Linked Web Storage (LWS) Working Group [17].

3This separation of concerns between resource servers (data management) and authorization servers (access management) is ubiquitous in modern access control mechanisms, such as OAuth 2.0 [19].

4Surprisingly, the SAI specification has not been taken up as input by the W3C LWS WG (cf. 2). Vocabulary (DPV) [ 30, 31, 32 ].

A key piece often overlooked in these architectural designs is how policies should be concretely managed by the resource owner [ 33 ]. As [21] succinctly put: "Solid’s use of [WAC and ACP] is tedious and prone to errors"; "little attention has been given to how users [...] would actually exert their control." Although the paper discusses a prototype implementation of a user interface based on SAI and DPV, the authors identify several limitations and open issues. Other similar applications [ 34, 35 ] restrict themselves to SAI and WAC or ACP, ignoring the important insights from previous work around ODRL and DPV.

The whitepaper From Resource Control to Digital Trust with User-Managed Access [18] builds on this earlier work around Solid and ODRL, and identifies several requirements that a technical solution for access and usage control should fulfill in order to form a strong connection to legal and corporate conceptual frameworks. The authors suggest a number of modifications to UMA, which they integrate in the UMA-extension Authorization for Data Spaces (A4DS) [36]. In line with the attempts of [ 21, 35 ], this demo paper will discuss and showcase the foundations of a third authorization application, which communicates through ODRL messages with an authorization server following the A4DS UMA extension.

The choice for a RESTful API for ODRL policy management for an UMA AS empowers ROs with fine-grained, low-level control over how usage of their data is enforced. At the same time, the LOAMA interface demonstrates how this complexity can be abstracted away, enabling ROs to understand and manage ODRL policies without requiring detailed knowledge of either ODRL or the API interactions. The implementation of the policy management API led to insights on open issues. First, there is a security consideration, namely the need for a mechanism to prevent unauthorized applications from altering policies. For instance, when a Resource Owner authenticates through a generic application to access data, the resulting authentication token 8LOAMA with UMA: https://github.com/SolidLabResearch/loama/tree/feat/odrl 9LOAMA demonstration with the UMA AS policy management API: https://zenodo.org/records/16640205 could be exploited by malicious code to modify policies. To address this risk, it is advisable to restrict policy changes to certified applications only. This concern has also been noted in research on decentralized data sharing solutions [ 35 ]. Another open issue is the need for semantic validation in the AS to prevent contradicting ODRL rules, such as a permission and a prohibition for the same asset, action, and party. If such validation cannot be enforced, an additional safeguard is required: efective conflict resolution strategies must be in place to support consistent decision-making within the UMA AS policy engine. Finally, there is a need for a mechanism to request specific permissions from a RO, which is currently missing in the implementation. However, the existing AS can serve as a foundation for further research; perhaps it can be used to compare existing decentralized negotiation strategies, including the Dataspace Negotiation Protocol10 [43], SAI [20], or Authapp [ 35 ].

In this paper, we introduce an ODRL policy management API for a UMA Authorization Server along with LOAMA, a web-based user interface that enables Resource Owners to manage their policies more easily. Future research includes conflict resolution in policy management and decentralized access negotiation mechanisms.

This research was funded by SolidLab Vlaanderen (Flemish Government, EWI and RRF project VV023/10), and the European Union’s Horizon Europe research and innovation program under grant agreement no. 101058682 (Onto-DESIDE).

During the preparation of this work, the author(s) used Grammarly in order to: Grammar and spelling check. After using this tool/service, the author(s) reviewed and edited the content as needed and take(s) full responsibility for the publication’s content. [5] P. Koen, M. Kollenstart, J. Marino, J. Pampus, A. Turkmayali, S. Steinbuss, A. Weiß, Dataspaces Protocol 2025-1-RC4, Technical Report, Eclipse Foundation, 2025. [6] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016. URL: ttp://data.europa.eu/eli/reg/2016/679/oj. [7] Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act), 2022. URL: http://data.europa.eu/eli/reg/2022/868/oj/eng. [8] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), 2022. URL: http://data.europa.eu/eli/reg/2022/2065/oj/eng. [9] Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), 2023. URL: http://data.europa.eu/eli/ reg/2023/2854/oj. [10] Open Data Initiative, Solid Project, https://solidproject.org/, 2025. Accessed: 2025-07-31. [11] Fedora Governance Group, Fedora Repository, https://fedorarepository.org/, 2025. Accessed: 2025-07-31. [12] W3C Solid Community Group, Solid Protocol, Editor’s Draft, W3C, 2025. [13] Fedora Governance Group, Fedora API, Candidate Recommendation, Fedora, 2018. [14] W3C Linked Data Platform Working Group, Linked Data Platform 1.0, Recommendation,

W3C, 2015. [15] W3C Solid Community Group, Web Access Control, Draft Community Group Report,

W3C, 2025. [16] W3C Solid Community Group, Access Control Policy, Editor’s Draft, W3C, 2022. [17] A. Coburn, L. Debackere, E. Prud’hommeaux, Linked Web Storage Working Group Charter, Working Group Charter, W3C, 2024. URL: https://www.w3.org/2024/09/ linked-web-storage-wg-charter.html. [18] W. Termont, R. Dedecker, W. Slabbinck, B. Esteves, B. De Meester, R. Verborgh, From Resource Control to Digital Trust with User-Managed Access, Technical Report, SolidLab (IDLab, Ghent University – imec), 2024. [19] D. Hardt, The OAuth 2.0 Authorization Framework, Technical Report 6749, IETF, 2012.

URL: https://www.rfc-editor.org/info/rfc6749. doi:10.17487/RFC6749. [20] W3C Solid Community Group, Solid Application Interoperability, Draft Community Group

Report, W3C, 2025. [21] H. Bailly, A. Papanna, R. Brennan, Prototyping an End-User User Interface for the Solid Application Interoperability Specification Under GDPR, in: C. Pesquita, E. Jimenez-Ruiz, J. McCusker, D. Faria, M. Dragoni, A. Dimou, R. Troncy, S. Hertling (Eds.), The Semantic Web: 20th International Conference, ESWC 2023, May 28–June 1, Proceedings, volume 13870 of Lecture Notes in Computer Science, Springer, Cham, Switzerland, 2023, pp. 557–573. doi:10.1007/978-3-031-33455-9_33. [22] W3C RDF Data Shapes Working Group, Shapes Constraint Language (SHACL), Recommendation, W3C, 2017. URL: https://www.w3.org/TR/shacl/. in Computer Science, Springer, Cham, Switzerland, 2024, pp. 199–214. doi:10.1007/ 978-3-031-62362-2_14. [36] W. Termont, Authorization for Data Spaces, Technical Report, KNoWS (IDLab, Ghent

University – imec), 2025. [37] B. Parducci, H. Lockhart, E. Rissanen, eXtensible Access Control Markup Language (XACML) Version 3.0 – OASIS Standard, 2013. URL: http://docs.oasis-open.org/xacml/3.0/ xacml-3.0-core-spec-en.html. [38] Open Policy Agent - Policy API, 2025. URL: https://www.openpolicyagent.org/docs/ rest-api#policy-api. [39] R. T. Fielding, R. N. Taylor, Principled design of the modern Web architecture, ACM Trans.

Internet Technol. 2 (2002) 115–150. URL: https://dl.acm.org/doi/10.1145/514183.514185. doi:10.1145/514183.514185. [40] W. Slabbinck, R. Dedecker, W. Termont, B. Esteves, P. Colpaert, R. Verborgh, From Access Control to Usage Control with User-Managed Access, Solid Symposium 2025, Leiden, The Netherlands, 2025. Forthcoming. [41] W. Slabbinck, J. Rojas Meléndez, B. Esteves, P. Colpaert, R. Verborgh, Interoperable Interpretation and Evaluation of ODRL Policies, in: E. Curry, M. Acosta, M. Poveda-Villalón, M. van Erp, A. Ojo, K. Hose, C. Shimizu, P. Lisena (Eds.), The Semantic Web, Springer Nature Switzerland, Cham, 2025, pp. 192–209. doi:10.1007/978-3-031-94578-6_11. [42] W3C Solid Community Group, Solid-OIDC, Draft Community Group Report, W3C, 2022. [43] S. Yumusak, S. Gheisari, J. O. Salas, L.-D. Ibáñez, G. Konstantinidis, Data Sharing Negotiation and Contracting (2024). URL: https://ceur-ws.org/Vol-3828/paper39.pdf.