Authentication and authorization in Data Spaces: A relationship-based access control approach for policy specification based on ODRL

TL;DR

This paper introduces an extension of the ODRL standard, called ODRL Data Spaces, to enable fine-grained, relationship-based access control in distributed Data Spaces, supported by a policy execution engine and validated with a real-world use case.

Contribution

It proposes the ODRL Data Spaces profile for enhanced authorization in Data Spaces and a policy engine for enforcement, addressing the need for secure, fine-grained access control.

Findings

Validated with OpenFGA in a real-world use case

Demonstrated effective policy translation and enforcement

Showed applicability to relationship-based access control scenarios

Abstract

Data has become a crucial resource in the digital economy, fostering initiatives for secure and sovereign data sharing frameworks such as Data Spaces. However, these distributed environments require fine-grained access control mechanisms that balance openness with sovereignty and security. This paper proposes an extension of the Open Digital Rights Language (ODRL) standard, the ODRL Data Spaces (ODS) profile, aimed at supporting authorization and complementing existing authentication mechanisms throughout the data lifecycle. Additionally, a policy execution engine is introduced to translate ODRL policies into executable formats, enabling effective enforcement. The approach is validated through a use case involving OpenFGA, demonstrating its applicability to relationship-based access control scenarios.