# App-based Permissioning for Resource Sharing ## Pitch The user will not want to be burdened with having to express their complex access control preferences such as time-limited access and access to specific data segments using reasoning rules. The proposal is to build an extension on the server-side that enables this kind of permissioning by abstracting away the specific reasoning implementation from the user. This challenge is to answer these 2 questions, mainly: 1. How do we give access to only a selected segment of an RDF resource stored on our pod? * Stages in which it works: a) We need to have a pop-up UI that translates the RDF resource in question into a user friendly format and the user can then select what segments(based on the subject and their properties) they want to give access to, b) The selected segment can then probably be translated into preference rules, c) We then mention modes of access on these rules using reasoning(based on [this](https://github.com/SolidLabResearch/Challenges/issues/53)), and d) Our extension-service enforces these policy rules by interfacing with the eye reasoner in the case of reasoning based permissioning. 2. How do we selectively allow an app access to resources put by another app? a) We are logged into app A(fitness app that shows my activity in the past week) using our Webid and we want it to have access to a portion of the data put by app B(the past week's raw location data excluding certain readings that we want to keep private). b) Our extension checks if the app A is already registered in the log by its app ID and if the access to the data, it is currently requesting, has already been granted. If not then the user will be redirected by our extension to the pod where a notification from app A requesting app B's data is waiting to be addressed. c) The user clicks on it and a UI pops up on top of the resources of app B in the pod for the user to select the segments(using the feature described in 1.) they want made visible to app A along with what modes of access they want to enable and the duration for which they want these resources made available. d) The selections made are then translated into our policy preference rules and enforced by our extension. e) The user is then returned to app A and now app A has the access to the data of app B as enabled by the user. Ideally after completion of this challenge the following things should be possible: 1. Enable access control between users and apps. * Apps can request access to certain data, which can be granted by the user * This access grant can be with temporal or spatial permissions * temporal permission of a resource: time-limited access on a resource (e.g. 15 minutes starting from timestamp “2022-10-05T00:00:00Z”) * spatial permission of a resource: access to specific data segment of a resource (e.g. only give the location point, but not how it was created) 2. The Policy Rules should be traversable trough time, making it possible to know which rules applied to a resource/pod at time t: * This can be made possible by having an event log that keeps track of the changes whithin a solid pod ## Desired solution * An extension that can direct the user to a UI on top of the resources on the pod and once they have made their selection of resources that they want to give access to, redirect them back to the app they were using. * The extension must be able to translate the UI selection to declarative rules that will reside on the pod which it will use to enforce the access control as imposed by the user. * An application that visualizes data generated from another application * This visualisation can only happen through access granted by the data generating application (through the Solid Policy UI) ## Acceptance criteria * An extension that the user can download that has been given the authority to work conjointly with the server to manage its resources and handle resource permissioning and sharing. * A specific use-case would be: * App A can request our extension for App B's lat-long data for the last week of the user from the pod. * Our extension checks if App A is registered with relevant permissions to access this data. * If yes, it is shared based on existing policy preference rules. * Else, it prompts the user with requested permissions by App A and redirects them to the pod. * User then decides the segment of data and the duration of permission(say, 1 month) to be granted to App A through our UI. * Extension then grants the data access to App A, registers it for future requests. * Finally, the extension shares the requested data back to App A. ## Pointers The proposal is for the extension to be built on the reasoning-based permissioning enabled by [this](https://github.com/SolidLabResearch/Challenges/issues/53) challenge The extension can also be used to create a declarative policy log that serves as an events source of past access. For reference: * https://docs.inrupt.com/ess/latest/security/auditing/ Policies with reasoning: * https://github.com/phochste/Notation3-By-Example/tree/main/log/blogic/policy * https://github.com/Dexagod/solid-query-policy-surfaces Creating location data: * https://github.com/SolidLabResearch/Challenges/issues/10 * https://github.com/woutslabbinck/SolidEventSourcing ## Scenarios This challenge can be applied to these scenarios: * [As a graduate I want to be able to share my diploma with my (future) employer #73](https://github.com/SolidLabResearch/Challenges/issues/73) * [Trusted query and reasoning over permissioned versioned data #57](https://github.com/SolidLabResearch/Challenges/issues/57)