Delegated Managing of permissions - would this work?


#1

A very newbie question, so it may not make sense. (Please be patient!)

I would like to set up something like this: Alice has her browsing data in her pod; Bob wants to use her browsing data for a piece of public health research. Alice wants to delegate to her union the management of her data permissions, and her data union agrees that Bob should be trusted with Alice’s data for this purpose. Can Alice’s ACL for her browsing data simply point to the list that her data union has compiled and use that as her ACL for that resource?

Thank you! Tony


#2

So do I understand correctly that your question is: ‘can an individual appoint another individual or body to decide on their data sharing preferences’?


#3

I think there would be many ethical challenges there, but if done ethically also many business opportunities.


#4

yes … and would this be the way of doing it?


#5

If you want exactly that behavior, I think you could use groups of agents. Here is an example from the spec:

# Prefix declaration needed for the snippet to parse as Turtle.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

# Group authorization, giving Read/Write access to two groups, which are
# specified in the 'work-groups' document.
<#authorization2>
    a               acl:Authorization;
    acl:accessTo    <https://alice.example.com/docs/shared-file1>;
    acl:mode        acl:Read,
                    acl:Write;
    acl:agentGroup  <https://alice.example.com/work-groups#Accounting>;
    acl:agentGroup  <https://alice.example.com/work-groups#Management>.

In your scenario, the acl:agentGroup would be managed by the “data union”. It’s either stored on their server, or they have write access to the group definition on Alice’s server.

Another possibility would be to give the data union CONTROL permissions for Alice’s data. Then they could modify the acl in Alice’s pod and give Bob access this way.

I haven’t tried those two options, but afaik they work in theory.
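
The first option from post #5 applied to the scenario in post #1, as an added example that is not part of the original thread or the spec. All URLs (the union's group document, Bob's WebID, the path of Alice's browsing data) are made-up placeholders, and the two documents are shown in one listing with absolute IRIs.

```turtle
@prefix acl:   <http://www.w3.org/ns/auth/acl#>.
@prefix vcard: <http://www.w3.org/2006/vcard/ns#>.

# --- Document 1: ACL for Alice's browsing data, stored in Alice's pod ---

# Alice keeps full access, including Control, for herself.
<https://alice.example.com/data/browsing-history.acl#owner>
    a               acl:Authorization;
    acl:accessTo    <https://alice.example.com/data/browsing-history>;
    acl:agent       <https://alice.example.com/profile/card#me>;
    acl:mode        acl:Read, acl:Write, acl:Control.

# Delegation: every member of the union's group gets Read, and only Read.
# The group IRI points at a document hosted by the data union (assumed URL).
<https://alice.example.com/data/browsing-history.acl#delegated>
    a               acl:Authorization;
    acl:accessTo    <https://alice.example.com/data/browsing-history>;
    acl:mode        acl:Read;
    acl:agentGroup  <https://union.example.org/groups/health-research#trusted>.

# --- Document 2: group listing, stored on the data union's server ---

# The union edits this member list; Alice's ACL does not change when it does.
<https://union.example.org/groups/health-research#trusted>
    a               vcard:Group;
    vcard:hasMember <https://bob.example.net/profile/card#me>.
```

With this layout the union decides who is in the group, but it cannot raise the access mode above Read or touch any other resource in Alice's pod. Granting the union `acl:Control` instead would let it rewrite the ACL itself, including the modes and Alice's own entry.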