-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
updates(documentation): add new content policy management (#78)
- Loading branch information
1 parent
a0c96b2
commit a2600ee
Showing
1 changed file
with
275 additions
and
0 deletions.
There are no files selected for viewing
275 changes: 275 additions & 0 deletions
275
docs/02. Technical Integration/01. Connector Registration/08. Policy Management.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,275 @@ | ||
# Policy Management | ||
|
||
## Overview | ||
|
||
For the following Scenarios, we assume there is a Partner 1 (provider) who wants to provide Data for Partner 2 (consumer). | ||
|
||
Partner 1 (provider) has the Business-Partner-Number BPN12345. | ||
|
||
Partner 2 (consumer) has the Business-Partner-Number BPN6789. | ||
|
||
Partner 2 (consumer) signed the Traceability Framework Agreement and followed all the necessary steps that the Credential appears within Partner 2s identity. | ||
|
||
So for this example, if Partner 2 does a catalogue request to Partner 1, the following summary credential is provided to Partner 1: | ||
|
||
{ | ||
"@context": [ | ||
"https://w3id.org/2023/catenax/credentials/summary/v1" | ||
], | ||
"id": "<credential uid>", | ||
"type": [ | ||
"VerifiableCredential", | ||
"SummaryCredential" | ||
], | ||
"issuer": "<did:web:issuer>", | ||
"issuanceDate": "2023-06-02T12:00:00Z", | ||
"expirationDate": "2022-06-16T18:56:59Z", | ||
"credentialSubject": { | ||
"id": "<did:web:subject>", | ||
"holderIdentifier": "BPN6789", | ||
"items": [ | ||
"MembershipCredential", | ||
"TraceabilityCredential" | ||
], | ||
"contractTemplates": "https://public.catena-x.org/contracts/" | ||
} | ||
} | ||
### Scenario 1 | ||
|
||
Partner 1 wants to create an Access Policy, that Partner 2 can only receive the Contract offer if its BPN matches AND if it has the Traceability Credential (Traceability Contract Signed). If one of those is missing, Partner 2 won't receive a Contract Offer. | ||
|
||
#### Partner 1 - Access Policy Example | ||
|
||
{ | ||
"@context": { | ||
"odrl": "http://www.w3.org/ns/odrl/2/" | ||
}, | ||
"@type": "PolicyDefinitionRequestDto", | ||
"@id": "{{POLICY_ID}}", | ||
"policy": { | ||
"@type": "Policy", | ||
"odrl:permission": [ | ||
{ | ||
"odrl:action": "USE", | ||
"odrl:constraint": { | ||
"@type": "LogicalConstraint", | ||
"odrl:and": [ | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "BusinessPartnerNumber", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "{{BPN6789}}" | ||
}, | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "FrameworkAgreement.traceability", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "active" | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
Be aware, the credential within the Summary Credential is called "TraceabilityCredential", but as the EDC does a mapping, the EDC Access Policy Entry needs to be named "FrameworkAgreement.traceability"! | ||
|
||
All the possible mappings can be found here: https://github.com/eclipse-tractusx/ssi-docu/blob/main/docs/architecture/cx-3-2/edc/policy.definitions.md#0-introduction | ||
|
||
#### Desired Outcome | ||
|
||
Partner 2 receives the Contract Offer because the BPNs are matching and he owns the Traceability Credential. | ||
|
||
### Scenario 2 | ||
|
||
Partner 1 wants to create an Access Policy, that Partner 2 can receive the Contract Offer if its BPN matches. But a Contract Agreement should only be created if Partner 2 also signed the Traceability Framework Agreement. So in this case, Partner 2 should receive the Contract Offer in the first place, regardless if it signed the Traceability Framework Agreement. The signing of the Agreement should be checkt at the time of contract negotiation. | ||
|
||
|
||
#### Partner 1 - Access Policy Example | ||
|
||
{ | ||
"@context": { | ||
"odrl": "http://www.w3.org/ns/odrl/2/" | ||
}, | ||
"@type": "PolicyDefinitionRequestDto", | ||
"@id": "{{POLICY_ID}}", | ||
"policy": { | ||
"@type": "Policy", | ||
"odrl:permission": [ | ||
{ | ||
"odrl:action": "USE", | ||
"odrl:constraint": { | ||
"@type": "LogicalConstraint", | ||
"odrl:and": [ | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "BusinessPartnerNumber", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "{{BPN6789}}" | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
#### Partner 1 - Usage/Contract Policy Example | ||
|
||
{ | ||
"@context": { | ||
"odrl": "http://www.w3.org/ns/odrl/2/" | ||
}, | ||
"@type": "PolicyDefinitionRequestDto", | ||
"@id": "{{POLICY_ID}}", | ||
"policy": { | ||
"@type": "Policy", | ||
"odrl:permission": [ | ||
{ | ||
"odrl:action": "USE", | ||
"odrl:constraint": { | ||
"@type": "LogicalConstraint", | ||
"odrl:and": [ | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "FrameworkAgreement.traceability", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "active" | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
#### Desired Outcome | ||
Partner 2 receives the Contract Offer and is able to negotiate the contract because he owns the Traceability Credential. | ||
|
||
### Scenario 3 | ||
Partner 1 wants to create an Access Policy that Partner 2 can receive the Contract Offer if the BPN is matching AND Partner 2 is identified as a Dismantler (owns the "DismantlerCredential"). | ||
|
||
#### Partner 1 - Access Policy Example | ||
|
||
{ | ||
"@context": { | ||
"odrl": "http://www.w3.org/ns/odrl/2/" | ||
}, | ||
"@type": "PolicyDefinitionRequestDto", | ||
"@id": "{{POLICY_ID}}", | ||
"policy": { | ||
"@type": "Policy", | ||
"odrl:permission": [ | ||
{ | ||
"odrl:action": "USE", | ||
"odrl:constraint": { | ||
"@type": "LogicalConstraint", | ||
"odrl:and": [ | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "BusinessPartnerNumber", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "{{BPN6789}}" | ||
}, | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "Dismantler", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "active" | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
#### Desired Outcome | ||
Partner 2 does not receive the Contract Offer as he does not own the Dismantler Credential and is therefore not able to negotiate the contract or request the data. | ||
|
||
|
||
|
||
### Scenario 4 | ||
Partner 1 wants to create an Access Policy that Partner 2 can receive the Contract Offer if the BPN is matching. Further, Partner 1 only wants to create an Agreement if Partner 2 is identified as a Dismantler (owns the "DismantlerCredential"). Otherwise the Negotiation has to fail. | ||
|
||
#### Partner 1 - Access Policy Example | ||
|
||
{ | ||
"@context": { | ||
"odrl": "http://www.w3.org/ns/odrl/2/" | ||
}, | ||
"@type": "PolicyDefinitionRequestDto", | ||
"@id": "{{POLICY_ID}}", | ||
"policy": { | ||
"@type": "Policy", | ||
"odrl:permission": [ | ||
{ | ||
"odrl:action": "USE", | ||
"odrl:constraint": { | ||
"@type": "LogicalConstraint", | ||
"odrl:and": [ | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "BusinessPartnerNumber", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "{{BPN6789}}" | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
|
||
#### Partner 1 - Usage/Contract Policy Example | ||
|
||
{ | ||
"@context": { | ||
"odrl": "http://www.w3.org/ns/odrl/2/" | ||
}, | ||
"@type": "PolicyDefinitionRequestDto", | ||
"@id": "{{POLICY_ID}}", | ||
"policy": { | ||
"@type": "Policy", | ||
"odrl:permission": [ | ||
{ | ||
"odrl:action": "USE", | ||
"odrl:constraint": { | ||
"@type": "LogicalConstraint", | ||
"odrl:and": [ | ||
{ | ||
"@type": "Constraint", | ||
"odrl:leftOperand": "Dismantler", | ||
"odrl:operator": { | ||
"@id": "odrl:eq" | ||
}, | ||
"odrl:rightOperand": "active" | ||
} | ||
] | ||
} | ||
} | ||
] | ||
} | ||
} | ||
|
||
#### Desired Outcome | ||
Partner 2 receives the Contract Offer in the first place. | ||
|
||
The contract negotiation, startet by Partner 2 fails because he has not been identified as Dismantler and therefore does not own the Dismantler Credential. | ||
|