
Role-based Access Control

Access to data sources is controlled by roles and licenses.

A Data Catalog Entry specifies one or more roles and a license. If a participant has any of the roles, they may access the data source under the specified license.

Scheme-conforming data sources use Scheme Catalog Requirements resources, which specify the access rules for data sources that implement APIs agreed by the Scheme.

Note: This document uses US English. To align with W3C and other prevalent standards, IB1 uses US English in its technical specifications and technical documentation.

Changes from Open Energy

This access control specification is a simplification of Open Energy's access control. Open Energy was designed for one-to-many data products, which required the flexibility for each data provider to describe the individual access requirements for each of their products. Data sharing in a Trust Framework is many-to-many, where the access requirements are set by a sector-wide governance process.

This specification will be iterated as use cases emerge. The current expectation, reflected in this specification, is that the governance process will describe the minimum set of roles permitted to access data under a specific license, and the data provider may be allowed to expand this to additional roles.

Data Catalog Entries

Data Catalog Entries specify the Roles and License with the terms:

ib1:roleRequiredToAccess
The URL of an ib1:Role in the Registry which may access this data source subject to the License in the dcterms:license term. Where multiple roles are specified, a client must have at least one of the roles to access the dataset. Unless the data has an ib1:sensitivityClass which allows access without authentication, at least one Role must be specified.
dcterms:license
The URL of an ib1:License. All use of this data source is subject to this License.

Scheme Catalog Requirements

Scheme Catalog Requirements resources specify the rules for a resource with the term:

ib1:roleRequiredToPublish
The URL of the ib1:Role which is permitted to publish a Catalog entry conforming to this standard. If multiple Roles are specified, any of those Roles may publish a catalog entry.

In addition, the ib1:RequiredMetadata bnode will include ib1:roleRequiredToAccess and dcterms:license terms.

Examples

Data Catalog Entry

<https://data.example.com/supply-voltage/v0>
    a dcat:DataService ;
    # ...
    ib1:roleRequiredToAccess <https://registry.core.trust.ib1.org/scheme/electricity/role/report-provider> ;
    ib1:roleRequiredToAccess <https://registry.core.trust.ib1.org/scheme/electricity/role/archiver> ;
    dcterms:license <https://registry.core.trust.ib1.org/scheme/electricity/license/voltage-reporting/2024-09-12> ;
.

These rules specify that members of either the "Report Provider" or "Archiver" roles may access the data under the Scheme's Voltage Reporting license.

Scheme Catalog Requirements

@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix dcat: <http://www.w3.org/ns/dcat#> .
@prefix ib1: <https://registry.core.trust.ib1.org/ns/1.0#> .

<https://registry.core.trust.ib1.org/scheme/electricity/standard/supply-voltage/2024-10-23>
    a ib1:SchemeCatalogRequirements ;
    ib1:roleRequiredToPublish <https://registry.core.trust.ib1.org/scheme/electricity/role/generator> ;
    ib1:requiredMetadata [ a ib1:RequiredMetadata ;
        ib1:roleRequiredToAccess <https://registry.core.trust.ib1.org/scheme/electricity/role/network-operator> ;
        ib1:roleRequiredToAccess <https://registry.core.trust.ib1.org/scheme/electricity/role/report-provider> ;
    ] ;
.

This API definition requires the "Generator" role to publish an implementation of the API, and one of the "Network operator" or "Report provider" roles to access the API.
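The access and publish rules above can be evaluated as follows. This is an added example, not part of the IB1 specification or its code. The class, function names and the `open_access` flag (standing in for an ib1:sensitivityClass that allows access without authentication) are hypothetical, and participant roles are assumed to have been established by authentication already.

```python
from dataclasses import dataclass

ROLE = "https://registry.core.trust.ib1.org/scheme/electricity/role/"
LICENSE = ("https://registry.core.trust.ib1.org/scheme/electricity/"
           "license/voltage-reporting/2024-09-12")

@dataclass(frozen=True)
class CatalogEntry:  # hypothetical in-memory form of a Data Catalog Entry
    access_roles: frozenset    # ib1:roleRequiredToAccess URLs
    license: str               # dcterms:license URL
    open_access: bool = False  # assumption: sensitivityClass permits unauthenticated access

def entry_problems(entry):
    """List the ways an entry breaks the rules on this page (empty = valid)."""
    problems = []
    if not entry.license:
        problems.append("missing dcterms:license")
    if not entry.access_roles and not entry.open_access:
        problems.append("no ib1:roleRequiredToAccess on authenticated data")
    return problems

def decide_access(entry, participant_roles):
    """Return (allowed, license_url); a malformed entry is denied (fail closed)."""
    if entry_problems(entry):
        return (False, None)
    if entry.open_access or entry.access_roles & frozenset(participant_roles):
        return (True, entry.license)
    return (False, None)

def conforms_to_scheme(entry, publisher_roles, publish_roles, minimum_access_roles):
    """Check an entry against a Scheme Catalog Requirements resource."""
    if not frozenset(publisher_roles) & frozenset(publish_roles):
        return False  # publisher holds none of ib1:roleRequiredToPublish
    # Assumption (the page's "current expectation"): the scheme's access roles
    # are a minimum set that the provider may extend but not shrink.
    return frozenset(minimum_access_roles) <= entry.access_roles

# Entry from the Data Catalog Entry example on this page.
ENTRY = CatalogEntry(frozenset({ROLE + "report-provider", ROLE + "archiver"}), LICENSE)

if __name__ == "__main__":
    print(decide_access(ENTRY, {ROLE + "archiver"}))
    print(decide_access(ENTRY, {ROLE + "generator"}))
    # Constructed entry: the scheme's two access roles plus one added by the provider.
    wide = CatalogEntry(frozenset({ROLE + "network-operator",
                                   ROLE + "report-provider", ROLE + "archiver"}), LICENSE)
    print(conforms_to_scheme(wide, {ROLE + "generator"}, {ROLE + "generator"},
                             {ROLE + "network-operator", ROLE + "report-provider"}))
```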