
Roles, The Breakdown

In the iSHARE Trust Framework, data spaces are structured around key roles to ensure smooth and secure data sharing among participants: the Data Owner (Entitled Party), Service or Data Provider, Service or Data Consumer, Satellite or Data Space Authority, Identity Provider, Identity Broker, and Authorisation Registry. For a detailed understanding of the responsibilities and functions associated with each role, please refer to the descriptions provided below.

Adhering Roles

Service or Data Consumer

The Service or Data Consumer role is fulfilled by a legal entity that is entitled, with the authorisation of the Data Owner, to consume data provided by a Service Provider. This entity requires the service outcome.

For example, an energy supplier consumes smart energy meter data from an office building, or a trucking company needs to know its optimal route and estimated time of arrival from a shipping agent.

A Service Consumer can be represented by a machine (its system) or a human (e.g. the trucker), fittingly called the Machine Service Consumer and the Human Service Consumer.

Data Owner (Entitled Party)

The Data Owner role is fulfilled by a legal entity that has one or more rights to a service provided by a Service Provider. These rights, or entitlements, are established in a legal relationship between the Data Owner and the Service Provider.

The Data Owner, Service Consumer and Service Provider roles can be fulfilled by the same entity – i.e. a legal entity that consumes a service based on its own entitlements to this service (for example, the trucking company’s entitlement to request Estimated Time of Arrival and optimal route information) – but this is not necessary.

Entities entitled to a service can delegate others to consume it on their behalf. In such cases, the consuming entity operates based on another entity’s entitlements: the Service Consumer uses a Service Provider’s service based on the Data Owner’s entitlements, but the role of Service Consumer is performed by a different entity than the Data Owner.

Read more on our Wiki, also about the Functional Requirements of this role.

Service or Data Provider

The Service Provider role is fulfilled by a legal entity that provides a service, in the form of data, for consumption by a Service Consumer. This legal entity provides the result of a service that Service Consumer(s) need; for example, the party that uses a truck’s time and location to calculate and communicate the truck’s optimal route and estimated time of arrival.

Read more on our Wiki, also about the Functional Requirements of this role.

Certified parties

Authorisation Registry 

The Authorisation Registry role is fulfilled by a legal entity that provides solutions for Adhering Parties for the storage of delegation and authorisation information. An Authorisation Registry:

  • Can hold information on delegations to Service Consumers, i.e. information indicating which parts of the rights of an Entitled Party are delegated to a Service Consumer;
  • Can check, on the basis of this information, whether a machine representing a legal entity is authorised to take delivery of a service;
  • Can confirm to the Service Provider whether this is the case.

As a result, Adhering Parties can outsource tasks concerning the management of authorisation and delegation information to an Authorisation Registry instead of implementing their own tooling.
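The check an Authorisation Registry performs for a Service Provider can be illustrated with a small model. The following is an added example, not code from iSHARE or from any Authorisation Registry implementation; the record layout (entitlements held per Entitled Party, delegation records with a validity window) is a simplified assumption and does not reproduce the iSHARE delegation evidence format. The point it makes is the one a defender cares about: a delegation can only be honoured for rights the Entitled Party actually holds, for the named consumer, and within its validity period.

```python
"""Simplified Authorisation Registry decision (added example, assumed data model)."""
from datetime import date

# Constructed sample: rights the Service Provider has granted to an Entitled Party.
# Each entitlement is (service provider, resource, action). EORIs are made up.
ENTITLEMENTS = {
    "EU.EORI.NL000000010": {                       # Entitled Party (shipping agent)
        ("EU.EORI.NL000000020", "eta", "read"),     # may read ETA from provider 020
        ("EU.EORI.NL000000020", "route", "read"),   # may read route from provider 020
    },
}

# Constructed sample: delegation records stored in the Authorisation Registry.
DELEGATIONS = [
    {   # the shipping agent lets the trucking company read ETA on its behalf
        "from": "EU.EORI.NL000000010", "to": "EU.EORI.NL000000001",
        "provider": "EU.EORI.NL000000020", "resources": ["eta"], "actions": ["read"],
        "not_before": "2025-01-01", "not_after": "2025-12-31",
    },
    {   # a delegation that claims more ("write") than the Entitled Party holds
        "from": "EU.EORI.NL000000010", "to": "EU.EORI.NL000000001",
        "provider": "EU.EORI.NL000000020", "resources": ["route"], "actions": ["read", "write"],
        "not_before": "2025-01-01", "not_after": "2025-12-31",
    },
]


def delegation_covers(d, entitled, consumer, provider, resource, action, today):
    """True if one delegation record grants this exact request on this date."""
    if d["from"] != entitled or d["to"] != consumer or d["provider"] != provider:
        return False
    if resource not in d["resources"] or action not in d["actions"]:
        return False
    not_before = date.fromisoformat(d["not_before"])
    not_after = date.fromisoformat(d["not_after"])
    return not_before <= today <= not_after


def is_authorised(entitled, consumer, provider, resource, action, today):
    """Decision returned to the Service Provider: may `consumer` take delivery of
    `resource`/`action` from `provider` on the strength of `entitled`'s rights?"""
    # 1. Nobody can delegate a right they do not hold themselves.
    if (provider, resource, action) not in ENTITLEMENTS.get(entitled, set()):
        return False
    # 2. An in-date delegation from the Entitled Party to this consumer must cover the request.
    return any(
        delegation_covers(d, entitled, consumer, provider, resource, action, today)
        for d in DELEGATIONS
    )


if __name__ == "__main__":
    today = date(2025, 6, 1)
    args = ("EU.EORI.NL000000010", "EU.EORI.NL000000001", "EU.EORI.NL000000020")
    print("eta/read  :", is_authorised(*args, "eta", "read", today))
    print("route/write:", is_authorised(*args, "route", "write", today))
```

The second delegation record is deliberately over-broad: it lists a `write` action the shipping agent was never entitled to, so the registry must refuse it even though the record itself looks valid. Checking the delegator's own entitlements before evaluating the delegation is what prevents privilege escalation through delegation chains.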

Read more on our Wiki, also about the Functional Requirements of this role.

Identity Provider 

The Identity Provider role is fulfilled by a legal entity whose tooling identifies and authenticates entities (humans or machines). An Identity Provider:

  • Provides identifiers for humans;
  • Issues credentials (e.g. a password or electronic keycard) to humans;
  • Identifies humans to Service Providers based on this information;
  • Holds information on authorisations of humans representing a Service Consumer, i.e. information indicating which humans are authorised to act on a Service Consumer’s behalf;
  • Can check whether a human representing a legal entity is authorised to receive the service;
  • Can confirm this authorisation to the Service Provider.

As a result, Service Providers can outsource identification and authentication of humans, as well as tasks related to managing the authorisations and delegation information of humans, to an Identity Provider instead of implementing their own tooling.

Read more on our Wiki, also about the Functional Requirements of this role.

Identity Broker 

Different humans might hold identifiers at different Identity Providers, and Service Providers might need to connect to several Identity Providers. To ensure that Service Providers do not need a direct relationship with each Identity Provider individually, an Identity Broker is introduced. The Identity Broker role is fulfilled by a legal entity that provides Service Providers with access to various Identity Providers. It also gives humans the flexibility to choose which Identity Provider to use for identification and authentication within the data space/iSHARE network.

As a result, Service Providers opting to outsource identification and authentication to multiple Identity Providers can connect to an Identity Broker, streamlining the process.

Read more on our Wiki, also about the Functional Requirements of this role.

Scheme Owner

The Scheme Owner role is fulfilled by the legal entity that ensures the proper operation of the Framework and its network of participants. Detailed Operational descriptions can be found in the documentation.

The Scheme Owner is responsible for admitting the Satellites and overseeing the overall maintenance of the iSHARE Trust Framework, including the Participant Registry.

Data Space Authority (Satellite)

A central role, not included in the fundamental iSHARE Framework, is that of the Data Space Authority (Satellite). The role is undertaken by a legal entity responsible for the operational processes that keep the data space functioning properly. Detailed information about its responsibilities can be found in the detailed Operational descriptions.

The Data Space Authority admits members to the Participant Registry of the data space. The Participant Registry Management Point also serves as the Trust Anchor for the data space, a crucial aspect in any iSHARE use case. Each participant in the iSHARE Trust Framework is linked to the Data Space Authority through the Participant Registry Management Point, and can verify in the Participant Registry whether other parties in the data space are trusted and compliant. Because these checks are prerequisites for every interaction, the Data Space Authority does not play a direct role in (and is not depicted in) any of the use cases.

To register all participants in the data space and ensure that the coverage by the Framework is digitally verifiable, the Participant Registry is built on a Distributed Ledger across all data spaces, using the iSHARE Trust Framework as the core component. This means all data spaces operating based on the Trust Framework are interoperable by design.

With the Participant Registry Management Point, data space authorities/administrators can register participants with:

  • Their unique ID (an EORI number, in line with EU identification);
  • Their eIDAS identification and public key;
  • Signed Terms of Use and possible additional terms;
  • A check of the Chamber of Commerce documentation, to assure that the contract is legally signed.

For participant administration, a web interface (Participant Registry Management Point) or APIs for automated registration are available. Automated participant discovery in data spaces is facilitated through defined endpoints that offer key insights for data spaces to operate:

Parties endpoint
Retrieve data on a selection of parties available in the data space, or in a subset of the data space. A request for a single party looks like this: /parties/EU.EORI.identifierOfTheParticipant.

Every node implementation is equipped with APIs and can therefore serve as the single source of party information within the data space, at the performance level the data space requires.
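What a Service Provider does with the parties endpoint before trusting a counterparty can be shown in a few lines. This is an added example, not the iSHARE API or a Satellite node implementation: the registry is an in-memory dictionary standing in for the /parties/{id} lookup, and the record fields (`roles`, `adherence` with a status and validity window) are assumptions, as are the EORI numbers. The checks are the ones the text names: the party must be present in the Participant Registry, its adherence must be active and in date, and it must be registered for the role it claims.

```python
"""Participant Registry lookup and trust decision (added example, assumed record layout)."""
import re
from datetime import date

# Constructed sample of Participant Registry records; all values are made up.
PARTICIPANT_REGISTRY = {
    "EU.EORI.NL000000001": {
        "party_name": "Example Trucking B.V.",
        "roles": ["ServiceConsumer"],
        "adherence": {"status": "Active", "start_date": "2024-01-01", "end_date": "2026-12-31"},
    },
    "EU.EORI.NL000000002": {
        "party_name": "Example Metering Services B.V.",
        "roles": ["ServiceProvider"],
        "adherence": {"status": "Active", "start_date": "2022-01-01", "end_date": "2024-12-31"},
    },
    "EU.EORI.NL000000003": {
        "party_name": "Former Participant N.V.",
        "roles": ["ServiceConsumer"],
        "adherence": {"status": "Revoked", "start_date": "2023-01-01", "end_date": "2023-06-30"},
    },
}

# Only accept well-formed party identifiers in the path (assumed EORI shape:
# two-letter country code followed by up to 15 alphanumerics).
PARTY_PATH = re.compile(r"^/parties/(EU\.EORI\.[A-Z]{2}[A-Za-z0-9]{1,15})$")


def get_party(path):
    """Simulate GET /parties/{id}. Returns (http_status, record_or_None)."""
    match = PARTY_PATH.match(path)
    if match is None:
        return 400, None            # malformed identifier: never touch the registry with it
    record = PARTICIPANT_REGISTRY.get(match.group(1))
    if record is None:
        return 404, None            # unknown party: not a participant of this data space
    return 200, record


def party_is_trusted(record, required_role, today):
    """Trust decision on a registry record: active adherence, in date, correct role."""
    adherence = record["adherence"]
    if adherence["status"] != "Active":
        return False
    start = date.fromisoformat(adherence["start_date"])
    end = date.fromisoformat(adherence["end_date"])
    if not (start <= today <= end):
        return False
    return required_role in record["roles"]


def check_counterparty(path, required_role, today):
    """End-to-end check a Service Provider runs before serving a request."""
    status, record = get_party(path)
    if status != 200:
        return False
    return party_is_trusted(record, required_role, today)


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for party_id in ("NL000000001", "NL000000002", "NL000000003", "NL000000009"):
        path = f"/parties/EU.EORI.{party_id}"
        print(path, "->", check_counterparty(path, "ServiceConsumer", today))
```

Each rejected case maps to a different registry condition: an expired adherence window (party 002), a revoked status (party 003), an identifier that is not registered at all (party 009), and a path that does not even parse as a party identifier. Treating all of them as "not trusted" rather than raising distinct errors keeps the decision fail-closed.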

Data Space Administrator

The onboarding procedures can be delegated to a Data Space Administrator by the Data Space Authority. The Administrator validates and checks for compliance – whether a party can be admitted to the data space/iSHARE network, and whether this is as an Adhering or a Certified Party.

For detailed processes, please refer to our Wiki.