Delegated authority & authentication - how to achieve it?

Hello - I posted this question 2 1/2 years ago about delegated authority - Delegated Managing of permissions - would this work? . There seems to have been huge & impressive progress since then, and lots more resources. I still have a central question about delegating authority over data. I wonder if you can point me to what I should be reading about this?

A bit more detail to the question

There is this sentence in an intro to Solid: “The premise behind Solid is a simple one: for every single piece of data you create online, you can choose where you store it” seems to me to be very clear and very important. The fact that you can choose should impose real discipline over app providers, which the walled gardens do not have.

But does “can” entail “must”?

Specifically, my online life generates vast amounts of data and I do not want, for most of it, to be handling questions of where to store, and what access permissions are, myself. Ideally, I’d like to delegate all those choices to an institution (a company or a charity or an AI) that I trust. Does the Solid architecture allow this? Does it envisage this as a standard use case? Is anyone working on the apps that would make Solid work for delegated authorities? Is there discussion about this feature that anyone can point me to?


By visiting, i have created the data that “I am interested in Solid solutions”. Maybe someone finds that data useful. For example, Inrupt might want to get in touch to see if one of their solutions could work for me. And I’d probably welcome that approach. Imagine that I don’t know that Inrupt is out there as a SOLID solution provider. However, I’m not going to spend the time setting up permissions to that piece of information that I’ve just created. However, let’s say that information ends up in one of my pods, and my pod is run by the Data Steward that I have authorised. They are professionals who do data permission management at industrial scale through their automated tools. I have signed up to one of their products which includes a term that says: “make my browsing data available to companies on your whitelist for use in advertising targeting, and if our algorithms find a very high degree of match between a company and your interests, we will give them access to a direct channel of contact for a 1-off approach”. Under these terms, in this example, Inrupt keeps a scan on people visiting, it is a whitelisted and trustworthy counterpart according to my Data Steward, and my Data Steward’s algorithm has flagged my strong interest in Solid solutions. Therefore, it gives Inrupt a 1-time access to email, so they have a chance at forming a longer term relationship with me.

So here is another version of my question - how easy is it for SOLID to accommodate the Data Stewart in the example given? And is it part of the “SOLID philosophy” that this is a good solution, or would it always be kludgey and in risk of being made impossible as the protocols develop?

Thank you for any pointers and help.


I think that the “Solid philosophy” includes the ability to delegate trust e.g. to have an organization which evaluates and whitelists applications based on their transparency and record of not stealing data.

I think that the kinds of individual and group access controls that Solid supports will always support that kind of delegation. It is central to Solid to be able to say that X (a social or software agent) has control over who accesses a given set of resources.

I recommend that you look at the work of the Interoperabiity Panel who are proposing a class of software called an Authorization Agent which manages your permissions for you. It is envisioned to do so by consulting with you, but I don’t imagine that omitting that step is a technical problem :-).


Hi Tony,

Indeed there has been significant forward progress in the past couple of years. In working with customers, I’ve spoken with a number who have needs related to delegation of authority. Some are as simple as giving some control over a part of a Pod and others are as complex as power of attorney. One in particular is close to your question where the decisions around providing automated access to data are made by a bot that considers user preferences. The user’s decision is only required when the answer to the request is not discernable without human input.

There are also implementations of specifications that were not available two years ago such as Access Control Policies and Access Grants. These two are going through the process to become part of the specification at the moment. ACP provides lots of flexibility to authorize access based on things like time and verified claims; access grants underpin an implementation of consent. This enables not only a standard but an extension mechanism where a number of different certified and trusted services can act on behalf of the user in the consent flow.

There are other considerations once you get into the detail such as audit, revocation, overriding, privacy, exceptions, governance, etc.

The list of specifications provides a lot of information but of course it can be time consuming to read all the material and it’s sometimes hard to map that information to the challenge being considered and determine an appropriate solution.

I’m happy to have a conversation if there are specific questions you want to talk through or if you want to get deeper into how we currently address delegation type challenges.