FOR SHARE - JULY SNAPSHOT - Identity Management - Two Pages description

Created by
Last updated: 3 July 2023, 10:32

Early draft

Please be aware that the Data Spaces Blueprint content shared in these pages is a very early draft published on 2023-07-01. The current draft is incomplete and the content might still change.

SAVE-THE-DATE 01-10/09/2023: We welcome your feedback to further improve the Data Spaces Blueprint during the Public consultation, which will be open from 1 September 2023 until 10 September 2023. Please mark these dates in your calendar and get ready!

Overview

Identity Management refers to the capability within a data space to register, maintain, and use information about various kinds of entities that are relevant to most, if not all, members of a data space. Such entities would typically include members of the data space, IT components that run on their behalf (e.g., connectors), etc. The information that is maintained would typically include identifiers, and data that plays a role in the identification and authentication of such entities, and - if appropriate - assignment of rights and duties (permissions, roles, mandates). Other information may be added and used as needed.

A data space that has an Identity Management capability that its members can rely on to be secure, available and correct enables them to make decisions, e.g., about from whom they can get (trustworthy) data, to whom to provide (data or other) services, etc. Note that the Identity Management capability of a data space does not prohibit its members from having their own Identity Management capabilities for their own particular purposes.

The Identity Management capability consists of three views. The governance view is about determining which kinds of entities are to be registered, and setting requirements for the associated registries, so as to ensure, e.g., that members can benefit from using such registries. This view is within the scope of the governance building block, but we mention it here for completeness' sake. The management view (layer) is about registering such entities and keeping the registered data up-to-date, in line with the governance requirements. The provisioning view (layer) is about querying a registry, e.g., to help identify and authenticate registered entities, and to learn about characteristics that registered entities have, e.g., rights/permissions. Provisioning, too, is done in accordance with the governance requirements.

Therefore, the scope of this building block is the definition of identity management for data spaces and, thus, it will focus on different architectural solutions (centralized, federated, decentralized). Furthermore, there are differences between identities for natural persons, legal entities, and machines & sensors that should be differentiated based on governance decisions of the data spaces. In addition, cases will be analysed in which one entity acts on behalf of another, e.g., when natural persons act on behalf of the company they work for.

Next to the focus on Identity Management for single, individual data spaces, we will also address solutions external to the respective data spaces, considering overarching concepts that foster data space interoperability.

To drill deeper in the future, instruments of Identity Management, such as identifiers and attributes and their semantics and features, will also be analysed and addressed.

Key elements

The objective of this building block is to provide and manage identities in a data space to enable transactions and other functions. Thus, the following types of stakeholders can be considered:

  • Participants: the users of the Identity Management capability.

  • Identity Provider: the IT component that provides the Identity Management service.

  • Identity Manager: the party that registers identities and ensures that data is kept up-to-date.

  • Trust Service Provider: the party that enables a trusted environment grounded in a trust anchor.

  • Registry: a repository/storage means where the identities are stored.

Key functions

In principle, the following basic functionalities have to be provided (these functionalities will be further developed during the functional specifications phase):

  • The first functionality is called Identity Provisioning and is typically provided as a service by an IT component that is run by a particular party. Confusingly, both the party and the IT component are referred to with the term 'Identity Provider'. We will use the term 'Identity Provider Service' to refer to the IT component, and 'Identity Provider' to refer to the party that provides this service.

  • Authentication, in the context of identity management in data spaces, refers to the process of verifying the identity of an individual or entity accessing a system or resource. It involves confirming the authenticity of the claimed identity by validating credentials such as usernames, passwords, digital certificates, or biometric data. Authentication helps ensure that only authorized users gain access to sensitive information or perform specific actions within a data space, enhancing security and protecting against unauthorized access or fraudulent activities.

  • Identity Management encompasses the entire lifecycle of user accounts, which includes onboarding, account modification, suspension, and offboarding. During onboarding, new user accounts are created, and initial access privileges and attributes are specified. Account modification includes modifying (creating, updating, or deleting) user roles/permissions, user attributes and other account data. Accounts may be suspended, which means that they are (temporarily) ignored by the IdP service. Offboarding involves the proper handling and removal (or archiving) of user accounts. All these processes must be executed by a person or IT system that is qualified for the tasks at hand, to ensure that the policies and other decisions made in the identity governance process are complied with.
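The lifecycle and authentication rules described in the list above, reduced to a small registry model. This is an added illustration, not code from the Data Spaces Blueprint or from any reference implementation: the class and function names (IdentityRegistry, AccountState, onboard, modify, suspend, reinstate, offboard, authenticate), the sample account "connector-42" and its roles are all constructed for the example, and PBKDF2 stands in for whatever credential check a real Identity Provider Service would use. The point it makes concrete is that suspended and offboarded accounts are treated exactly like unknown ones by the provisioning side, and that an offboarded identifier is archived rather than freed for reuse.

```python
# Added illustration (not part of the Data Spaces Blueprint): a minimal
# Identity Provider Service modelling the account lifecycle described above.
# All names here (IdentityRegistry, AccountState, the "connector-42" sample
# account) are constructed for this example.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum


class AccountState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"      # temporarily ignored by the IdP service
    OFFBOARDED = "offboarded"    # archived; never reactivated


@dataclass
class Account:
    identifier: str
    salt: bytes
    password_hash: bytes
    state: AccountState = AccountState.ACTIVE
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever credential check a real
    # Identity Provider Service uses; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityRegistry:
    """Registry plus the management and provisioning operations on it."""

    def __init__(self) -> None:
        self._accounts = {}   # identifier -> Account (active or suspended)
        self._archive = {}    # identifier -> Account (offboarded)

    # --- management layer: onboarding, modification, suspension, offboarding ---
    def onboard(self, identifier, password, roles=(), **attributes) -> Account:
        # An identifier is never reused, even after offboarding, so archived
        # history cannot be attached to a newly onboarded entity.
        if identifier in self._accounts or identifier in self._archive:
            raise ValueError(f"identifier already registered: {identifier}")
        salt = secrets.token_bytes(16)
        acct = Account(identifier, salt, _hash_password(password, salt),
                       roles=set(roles), attributes=dict(attributes))
        self._accounts[identifier] = acct
        return acct

    def modify(self, identifier, *, add_roles=(), remove_roles=(), **attributes) -> None:
        acct = self._accounts[identifier]   # KeyError: unknown or offboarded
        acct.roles |= set(add_roles)
        acct.roles -= set(remove_roles)
        acct.attributes.update(attributes)

    def suspend(self, identifier) -> None:
        self._accounts[identifier].state = AccountState.SUSPENDED

    def reinstate(self, identifier) -> None:
        self._accounts[identifier].state = AccountState.ACTIVE

    def offboard(self, identifier) -> None:
        acct = self._accounts.pop(identifier)
        acct.state = AccountState.OFFBOARDED
        acct.password_hash = b""            # credential is dead once archived
        self._archive[identifier] = acct

    def is_archived(self, identifier) -> bool:
        return identifier in self._archive

    # --- provisioning layer: authentication and attribute lookup ---
    def _active(self, identifier):
        acct = self._accounts.get(identifier)
        return acct if acct is not None and acct.state is AccountState.ACTIVE else None

    def authenticate(self, identifier, password) -> bool:
        acct = self._active(identifier)
        if acct is None:
            return False   # unknown, suspended or offboarded: all ignored alike
        return hmac.compare_digest(acct.password_hash,
                                   _hash_password(password, acct.salt))

    def roles_of(self, identifier) -> frozenset:
        acct = self._active(identifier)
        return frozenset(acct.roles) if acct else frozenset()


def demo_lifecycle() -> dict:
    """Walk one constructed account through the whole lifecycle."""
    reg = IdentityRegistry()
    reg.onboard("connector-42", "s3cret", roles=["data-provider"], org="Example Org")
    out = {"login_ok": reg.authenticate("connector-42", "s3cret"),
           "wrong_pw": reg.authenticate("connector-42", "wrong")}
    reg.modify("connector-42", add_roles=["data-consumer"], remove_roles=["data-provider"])
    out["roles"] = reg.roles_of("connector-42")
    reg.suspend("connector-42")
    out["suspended_login"] = reg.authenticate("connector-42", "s3cret")
    reg.reinstate("connector-42")
    out["reinstated_login"] = reg.authenticate("connector-42", "s3cret")
    reg.offboard("connector-42")
    out["offboarded_login"] = reg.authenticate("connector-42", "s3cret")
    out["archived"] = reg.is_archived("connector-42")
    return out


if __name__ == "__main__":
    for step, result in demo_lifecycle().items():
        print(f"{step}: {result}")
```

Running the module prints each lifecycle step with its outcome. Two design choices are worth noting: the provisioning operations (authenticate, roles_of) go through one _active check, so a suspended account cannot leak its roles even though it is still held in the registry, and offboarding moves the record to an archive and blanks its credential rather than deleting it, which matches the "removal (or archiving)" wording above.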


Dependences and relationships

Dependences and relationships (boundaries to be clarified) with other building blocks (meetings would be desirable at some point in time):

  • Trust Anchors: highly trusted entity or system that serves as a foundational source of trust and integrity, validating and verifying the authenticity of data and ensuring the overall security of the data space ecosystem.

  • Access and Usage Policy Control: Access to data products, and their usage, is granted to an identity. Thus, without identity management, access and usage control would not work.

  • Marketplace & Usage Accounting: As access and usage control is the basis for accessing and using data, identity is also highly relevant for marketplaces and accounting. Identities are needed for searching services and products and for negotiating access and usage.

  • Governance of Data Spaces: Identity Management also requires internal as well as, perhaps, external governance processes. Identity Management creates transparency about the members of Data Spaces as well as their attributes and identifiers. There must be an organisational arrangement defining who does what regarding Identity Management in a Data Space.

  • Legal Frameworks: There might be regulatory requirements for specific classes of identities in different domains, especially in highly regulated environments such as medical Data Spaces.


Relevance for the Data Space

Identity Management is a central building block enabling trust mechanisms and interactions within the Data Space. Without identity management, data sovereignty could not be established, because access and usage policy enforcement requires every entity in the system to be identified.