From Access Control to Usage Control with User-Managed Access

TL;DR

This paper presents a new architecture that enhances data governance by integrating usage control policies using W3C ODRL with UMA authorization, enabling flexible, interoperable, and legally compliant data management in decentralized ecosystems.

Contribution

It introduces an UMA-based architecture replacing Solid's native access control with ODRL-enabled policies, bridging gaps between authorization standards and legal, usage-aware data governance.

Findings

Decoupling authorization from storage improves flexibility and interoperability.

Prototype demonstrates compatibility with existing Solid infrastructure.

Operationalizes usage control using Web standards for policy enforcement.

Abstract

Recent data protection and data governance regulations have intensified the demand for interoperable, decentralized data ecosystems that can support not only access control but also legally-aligned governance over data use. Existing Web-based data storage platforms increasingly struggle to meet these regulatory and practical requirements, as their authorization mechanisms rely on tightly coupled, document-centric access control models that lack expressiveness for legal constraints and fail to separate data management from authorization concerns. In parallel, widely adopted authorization standards remain poorly aligned with decentralized, semantically rich usage-control scenarios. To bridge this gap, this work introduces an architecture that replaces Solid's native access control mechanisms with a UMA authorization flow, enabling the enforcement of usage control policies expressed with the W3C ODRL standard. This article details the conceptual background motivating this approach, presents the proposed UMA-based architecture, and describes a prototype implementation that integrates an ODRL-enabled Authorization Server with a Solid-compatible Resource Server. The prototype demonstrates that decoupling authorization from storage enables more flexible, interoperable, and legally expressive control over data use, while remaining compatible with existing Solid infrastructure. It also highlights practical design choices required to evaluate ODRL policies in the absence of a fully standardized evaluation semantics. Moreover, this work shows how usage control can be operationalized using existing Web standards, offering a concrete path beyond permission-based access control toward policy-aware, legally informed data governance. Future research will focus on policy management interfaces, richer claim verification mechanisms, and techniques for communicating and enforcing obligations over time.