Relationship-based Access Control for Data Spaces

Data spaces are an emerging concept with significant potential to enable a data-centric economy by fostering seamless and secure data sharing across diverse stakeholders. These environments are designed to unlock the value of data by ensuring interoperability and collaboration, which are essential for innovation and informed decision-making. However, managing access control in data spaces poses unique challenges, as it must account for complex relationships not only among stakeholders but also among data items themselves, requiring a flexible and context-aware approach. To this end, in this paper we present the design, implementation, and evaluation of an access control solution tailored for data spaces. Our solution leverages the paradigm of Relationship-Based Access Control (ReBAC), enabling the definition and enforcement of access control policies that consider the relationships between entities within the data space, as well as data consumer organisational structures. Furthermore, we propose a distributed version of our solution to facilitate the segregation of access control management across different administrative domains. Our approach supports fine-grained, continuous access control by dynamically evaluating the context of both the protected data items and the consumers of the data space. To ensure compatibility with existing data-sharing standards, we have integrated our solution with ETSI NGSI-LD API, a standardised interface for interacting with data spaces.