Jump to Table of Contents Collapse Sidebar

ODRL Profile for Data Sovereignty

, edited in place

More details about this document
Latest published version:
https://w3id.org/ods/
History:
Commit history
Editors:
Arghavan Hosseinzadeh ( )
Robin Brandstädter ( )
Jessica Chwalek ( )
Feedback:
GitHub Fraunhofer-IESE/ODS (pull requests, new issue, open issues)
Download Serialization
License

Copyright © 2024 World Wide Web Consortium. W3C® liability, trademark and permissive document license rules apply.

Abstract

The Open Digital Rights Language (ODRL) is a policy expression language that provides a flexible and interoperable information model, vocabulary, and encoding mechanisms for representing statements about the usage of content and services. The ODRL Vocabulary and Expression describes the terms used in ODRL policies and how to encode them.

The ODRL Profile for Data Sovereignty extends the core information model of ODRL by defining the terms to express usage restrictions, obligations and modifications. These policies can then be translated into technology-dependent policy languages (e.g., MYDATA Control Technologies Policy Language) to technically enforce the restrictions within the systems.

Status of This Document

This document is merely a W3C-internal document. It has no official standing of any kind and does not represent consensus of the W3C Membership.

1. Introduction

This section is non-normative.

Data sovereignty is a key success factor for data-driven business models. As defined by Usage Control in International Data Spaces, data sovereignty has the goal of providing data providers with full control over their data.

Data Usage Control is known as a conceptual and technical solution to cope with the challenges of data sovereignty. Data Usage Control Technologies aim to enforce usage restrictions and obligations once data access is granted.

MYDATA Control Technologies is developed at Fraunhofer IESE as a technical implementation for Data Usage Control. It offers both businesses and private individuals more transparency and self-determination in the use of their data by intercepting events or data flows and enforcing a security decision based on policies. MYDATA Control Technologies can interpret and enforce its own XML-based policy language.

To support users in specifying their policies in the ODRL policy language and translating it into technology-dependent policy languages, a Policy Administration Point and a Policy Transformation Service have been implemented and are available here.

Note

2. ods Vocabulary

The figure below illustrates the concepts defined by the ODRL Profile for Data Sovereignty.

ods concepts

2.1 Data Usage Control Concepts

Data Usage Control can be defined as an extension of attribute-based Access Control. At Fraunhofer IESE, an architecture for Data Usage Control is introduced that extends the XACML architecture for enfocing usage control policies. According to this architecture, a Policy Information Point (PIP) can provide any required information from defined sources. Moreover, Policy Execution Point (PXP) is added to the architecture. PXP can be used to specify and execute an action of a duty in order to fulfill an obligation.

2.1.1 Usage Control Component

Definition:A data usage control component
Label:Usage Control Component
Identifier:https://w3id.org/ods/UsageControlComponent
Note:It is optional to explicitly specify a data usage control component that is responsible for providing context information or executing a duty action.
Properties: Interface Description, Endpoint URI
Instances: Policy Information Point, Policy Execution Point

2.1.2 has Policy Information Point

Definition:A Usage Control Component that provides needed information for evaluating a constraint.
Label:has Policy Information Point
Identifier:https://w3id.org/ods/hasPIP
Domain: Constraint
Range: Usage Control Component

2.1.3 has Policy Execution Point

Definition:A Usage Control Component that executes an action.
Label:has Policy Execution Point
Identifier:https://w3id.org/ods/hasPXP
Domain: Action
Range: Usage Control Component

2.1.4 Interface Description

Definition:The reference to a URI that provides the interface description of a usage control endpoint.
Label:Interface Description
Identifier:https://w3id.org/ods/interfaceDescription
Domain: Usage Control Component
Range: Usage Control Component

2.1.5 Endpoint URI

Definition:The reference to a URI that expresses an exact endpoint of that usage control endpoint.
Label:Endpoint URI
Identifier:https://w3id.org/ods/endpointURI
Domain: Usage Control Component
Range: Usage Control Component

2.2 Constraint Operators

2.2.1 In

Definition:This operator is used to express the membership of an individual element in a set.
Label:In
Identifier: https://w3id.org/ods/in
Class: odrl:Operator

2.2.2 Subset

Definition:This operator is used to indicate that one set is entirely contained within another set.
Label:Subset
Identifier: https://w3id.org/ods/subset
Class: odrl:Operator

2.3 Actions for Rules

2.3.1 Add

Definition:To modify a number by adding a given value to it.
Label:Add
Identifier: https://w3id.org/ods/add
Note:The field to be modified can be specified using ods:jsonPath or ods:xPath and the given value can be specified using ods:operand.
Included In: odrl:use
Class: odrl:Action

2.3.2 Divide

Definition:To modify a number by dividing it by a given value.
Label:Divide
Identifier: https://w3id.org/ods/divide
Note:The field to be modified can be specified using ods:jsonPath or ods:xPath and the given value can be specified using ods:operand.
Included In: odrl:use
Class: odrl:Action

2.3.3 Drop

Definition:To drop the value of a field.
Label:Drop
Identifier: https://w3id.org/ods/drop
Note:The field to be modified can be specified using ods:jsonPath or ods:xPath.
Included In: odrl:use
Class: odrl:Action

2.3.4 Encrypt

Definition:To encrpyt a data artifact or parts of it to secure it during transmission and to prevent unauthorized access. The encryption algorithm might be specified by a constraint.
Label:Encrypt
Identifier: https://w3id.org/ods/encrypt
Note:The encryption algorithm can be specified using ods:encryptionAlgorithm (eg. AES).
Included In: odrl:use
Class: odrl:Action

2.3.5 Hash

Definition:To modify a value by replacing it with a hash of the value.
Label:Hash
Identifier: https://w3id.org/ods/hash
Note:The field to be modified can be specified using ods:jsonPath or ods:xpath and the hash algorithm can be specified using ods:hashAlgorithm (eg. SHA256).
Included In: odrl:use
Class: odrl:Action

2.3.6 Log

Definition:To log information about data usage. It is used to create transparency.
Label:Log
Identifier: https://w3id.org/ods/log
Note:The log level can be specified using ods:logLevel left operand.
Included In: odrl:use
Class: odrl:Action

2.3.7 Multiply

Definition:To modify a number by multiplying it to a given value.
Label:Multiply
Identifier: https://w3id.org/ods/multiply
Note:The field to be modified can be specified using ods:jsonPath or ods:xPath and the given value can be specified using ods:operand.
Included In: odrl:use
Class: odrl:Action

2.3.8 Multiparty Computation

Definition:Secure Multiparty Computation (MPC) is a cryptographic protocol that enables a defined set of parties, each party owning a secret value, to compute a function collaboratively while preserving the privacy of their individual inputs.
Label:Multiparty Computation
Identifier: https://w3id.org/ods/mpc
Included In: odrl:use
Class: odrl:Action

2.3.9 Notify

Definition:To notify a party with information about data usage.
Label:Notify
Identifier: https://w3id.org/ods/notify
Note:The notification level can be specified using ods:notificationLevel left operand.
Included In: odrl:use
Class: odrl:Action

2.3.10 Query

Definition:To request for a piece of information or data from an information system or a database.
Label:Query
Identifier: https://w3id.org/ods/query
Included In: odrl:use
Class: odrl:Action

2.3.11 Replace

Definition:To replace a field by a given value.
Label:Replace
Identifier: https://w3id.org/ods/replace
Note:The field to be modified can be specified using ods:jsonPath or ods:xpath and the given value can be specified using ods:replaceWith.
Included In: odrl:use
Class: odrl:Action

2.3.12 Shuffle

Definition:To replace a field with an anagram of it's value.
Label:Shuffle
Identifier: https://w3id.org/ods/shuffle
Note:The field to be modified can be specified using ods:jsonPath or ods:xPath.
Included In: odrl:use
Class: odrl:Action

2.4 Usage Control Components

2.4.1 Policy Information Point

Definition:A Policy Information Point is a Usage Control Component that provides a specific piece of information.
Label:Policy Information Point
Identifier:https://w3id.org/ods/PIP
Parent Class: ods:UsageControlComponent

2.4.2 Policy Execution Point

Definition:A Policy Execution Point is a Usage Control Component that executes a specific action.
Label:Policy Execution Point
Identifier:https://w3id.org/ods/PXP
Parent Class: ods:UsageControlComponent

2.5 Constraint Left Operands

2.5.1 Application

Definition:An application is a program or piece of software designed to fulfill a particular purpose.
Label:Application
Identifier: https://w3id.org/ods/application
Class: odrl:LeftOperand

2.5.2 Artifact State

Definition:It refers to the status of a data asset.
Label:Artifact State
Identifier: https://w3id.org/ods/artifactState
Note:This operand accepts the following values: ods:anonymized, ods:combined, ods:encrypted, ods:pseudonymized.
Class: odrl:LeftOperand

2.5.3 Endpoint

Definition:An endpoint refers to a specific address or connection point.
Label:Endpoint
Identifier: https://w3id.org/ods/endpoint
Class: odrl:LeftOperand

2.5.4 Function

Definition:A function encapsulates a reusable logic.
Label:Function
Identifier: https://w3id.org/ods/function
Note:In mathematical contexts, examples include ods:maximum, ods:minimum, and ods:sum.
Class: odrl:LeftOperand

2.5.5 Hash Algorithm

Definition:It indicates the hash value to be used.
Label:Hash Algorithm
Identifier: https://w3id.org/ods/hashAlgorithm
Note:For example, SHA256.
Class: odrl:LeftOperand

2.5.6 Encryption Algorithm

Definition:It indicates the encryption algorithm to be used.
Label:Encryption Algorithm
Identifier: https://w3id.org/ods/encryptionAlgorithm
Note:For example, AES.
Class: odrl:LeftOperand

2.5.7 JSONPath

Definition:An expression that refers to a part of a JSON structured data.
Label:JSONPath
Identifier: https://w3id.org/ods/jsonPath
Class: odrl:LeftOperand

2.5.8 JSON String Path

Definition:An expression that refers to a part of a JSON structured data.
Label:JSON String Path
Identifier: https://w3id.org/ods/jsonStringPath
Note:It is used by Rego policy language.
Class:odrl:LeftOperand

2.5.9 Log Level

Definition:It refers to the log level.
Label:Log Level
Identifier: https://w3id.org/ods/logLevel
Note:This operand accepts the following values: ods:onActionOperated, ods:onAllow, ods:onDeny, ods:onDutyExercised.
Class: odrl:LeftOperand

2.5.10 Notification Level

Definition:It refers to the notification level.
Label:Notification Level
Identifier: https://w3id.org/ods/notificationLevel
Note:This operand accepts the following values: ods:onActionOperated, ods:onAllow, ods:onDeny, ods:onDutyExercised.
Class: odrl:LeftOperand

2.5.11 Operand

Definition:An operand is a required element within an arithmetic or logical operation.
Label:Operand
Identifier: https://w3id.org/ods/operand
Note:Operands can be numeric values or expressions.
Class: odrl:LeftOperand

2.5.12 Path

Definition:An expression that refers to a file within a system, or an element within a hierarchical structure.
Label:Path
Identifier: https://w3id.org/ods/path
Class: odrl:LeftOperand

2.5.13 Replace With

Definition:It specifies a new value for a specific field.
Label:Replace With
Identifier: https://w3id.org/ods/replaceWith
Note:It gives a value for ods:replace action.
Class: odrl:LeftOperand

2.5.14 Role

Definition:Role refers to an end user's role.
Label:Role
Identifier: https://w3id.org/ods/role
Class: odrl:LeftOperand

2.5.15 State

Definition:It refers to an environment state.
Label:State
Identifier: https://w3id.org/ods/state
Note:Not be confused with artifact state.
Class: odrl:LeftOperand

2.5.16 User

Definition:It refers to a particular end user.
Label:User
Identifier: https://w3id.org/ods/user
Class: odrl:LeftOperand

2.5.17 XPath

Definition:An expression that refers to specific elements of an XML document.
Label:XPath
Identifier: https://w3id.org/ods/xPath
Class: odrl:LeftOperand

2.6 Constraint Right Operands

2.6.1 Anonymized

Definition:Indicates that the asset is anonymized.
Label:Anonymized
Identifier: https://w3id.org/ods/anonymized
Class: odrl:RightOperand

2.6.2 Combined

Definition:Indicates that the asset is combined.
Label:Combined
Identifier: https://w3id.org/ods/combined
Class: odrl:RightOperand

2.6.3 Encrypted

Definition:Indicates that the asset is encrypted.
Label:Encrypted
Identifier: https://w3id.org/ods/encrypted
Class: odrl:RightOperand

2.6.4 Maximum

Definition:The maximum function to determine the largest value among a set of numbers.
Label:Maximum
Identifier: https://w3id.org/ods/maximum
Class: odrl:RightOperand

2.6.5 Minimum

Definition:The minimum function to determine the smallest value among a set of numbers.
Label:Minimum
Identifier: https://w3id.org/ods/minimum
Class: odrl:RightOperand

2.6.6 On action operated

Definition:Log usage information or notify a party when the action of the rule is operated.
Label:On action operated
Identifier: https://w3id.org/ods/onActionOperated
Class: odrl:RightOperand

2.6.7 On allow

Definition:Log usage information or notify a party when performing the action of the rule is permitted.
Label:On allow
Identifier: https://w3id.org/ods/onAllow
Class: odrl:RightOperand

2.6.8 On deny

Definition:Log usage information or notify a party when performing the action of the rule is prohibited.
Label:On deny
Identifier: https://w3id.org/ods/onDeny
Class: odrl:RightOperand

2.6.9 On duty exercised

Definition:Log usage information or notify a party when the action of the duty is executed.
Label:On duty exercised
Identifier: https://w3id.org/ods/onDutyExercised
Class: odrl:RightOperand

2.6.10 Pseudonymized

Definition:Indicates that the asset is pseudonymized.
Label:Pseudonymized
Identifier: https://w3id.org/ods/pseudonymized
Class: odrl:RightOperand

2.6.11 Sum

Definition:The sum function to determine the total sum of a set of numbers.
Label:Sum
Identifier: https://w3id.org/ods/sum
Class: odrl:RightOperand

3. Examples

3.1 Modify data

3.2 Notify data provider

3.3 Allow data usage on emergency

4. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

This is required for specifications that contain normative material.

4.1 Namespaces

The ODRL Vocabulary references the following Namespaces:

Prefix Namespace Description
odrl http://www.w3.org/ns/odrl/2/ ODRL Vocabulary
rdf http://www.w3.org/1999/02/22-rdf-syntax-ns# [rdf11-concepts]
rdfs http://www.w3.org/2000/01/rdf-schema# [rdf-schema]
owl http://www.w3.org/2002/07/owl# [owl2-overview]
xsd http://www.w3.org/2001/XMLSchema# [xmlschema11-2]
skos http://www.w3.org/2004/02/skos/core# [skos-reference]
dcterms http://purl.org/dc/terms/ [dcterms]
vcard http://www.w3.org/2006/vcard/ns# [vcard-rdf]
foaf http://xmlns.com/foaf/0.1/ [foaf]
schema http://schema.org/ schema.org
cc https://creativecommons.org/ns# creativecommons.org
ods https://w3id.org/ods/ ODRL Profile for Usage Control

A. References

A.1 Normative references

[dcterms]
DCMI Metadata Terms. DCMI Usage Board. DCMI. 20 January 2020. DCMI Recommendation. URL: https://www.dublincore.org/specifications/dublin-core/dcmi-terms/
[foaf]
FOAF Vocabulary Specification 0.99 (Paddington Edition). Dan Brickley; Libby Miller. FOAF project. 14 January 2014. URL: http://xmlns.com/foaf/spec
[owl2-overview]
OWL 2 Web Ontology Language Document Overview (Second Edition). W3C OWL Working Group. W3C. 11 December 2012. W3C Recommendation. URL: https://www.w3.org/TR/owl2-overview/
[rdf-schema]
RDF Schema 1.1. Dan Brickley; Ramanathan Guha. W3C. 25 February 2014. W3C Recommendation. URL: https://www.w3.org/TR/rdf-schema/
[rdf11-concepts]
RDF 1.1 Concepts and Abstract Syntax. Richard Cyganiak; David Wood; Markus Lanthaler. W3C. 25 February 2014. W3C Recommendation. URL: https://www.w3.org/TR/rdf11-concepts/
[skos-reference]
SKOS Simple Knowledge Organization System Reference. Alistair Miles; Sean Bechhofer. W3C. 18 August 2009. W3C Recommendation. URL: https://www.w3.org/TR/skos-reference/
[vcard-rdf]
vCard Ontology - for describing People and Organizations. Renato Iannella; James McKinney. W3C. 22 May 2014. W3C Working Group Note. URL: https://www.w3.org/TR/vcard-rdf/
[xmlschema11-2]
W3C XML Schema Definition Language (XSD) 1.1 Part 2: Datatypes. David Peterson; Sandy Gao; Ashok Malhotra; Michael Sperberg-McQueen; Henry Thompson; Paul V. Biron et al. W3C. 5 April 2012. W3C Recommendation. URL: https://www.w3.org/TR/xmlschema11-2/