3a - Onboarding of a New Dataspace Participant - Providers (data - application - infrastructure) & Consumers
Description
To help understand the content of this document, readers should familiarize themselves with the key definitions and actors and the business process introduction containing the diagram legend.
The onboarding process for a new Applicant details the tasks and decisions required to onboard a new organisation to a Dataspace. Both Providers and Consumers can apply to a Dataspace and will be referred to as (Dataspace) Applicants from here on.
The Applicant Representative submits the onboarding requests to the Governance Authority. Upon approval, they set up the Simpl-Agent, a local gateway enabling interaction with the dataspace. As such installing the Simpl-Agent is a crucial step for onboarding to the dataspace. The Applicant Representative must install and configure the Simpl-Agent. After successful setup, the Applicant receives the necessary security credentials, completing the onboarding process and allowing participation in the dataspace.
The actors involved in this process are the: Governance Authority, Applicant, and Applicant Representative.
Assumptions for the business process:
- Dataspace Applicants are assumed to be an organisation and not an individual person.
- The Applicant Representative, the person/people acting on behalf of the Applicant, applying to the dataspace is assumed to be a member of the Applicant organisation's directory.
- It is assumed that one Applicant Representative will receive one keypair.
Prerequisites for the business process:
The following prerequisites must be met to enable the process to occur:
- Dataspace specifications: The document(s) describing the dataspace’s objectives, candidature criteria and requirements applicable to an organisation for onboarding must be developed and made available to a potential applicant (e.g., website publication).
Business Process Diagram & Steps
This chapter presents a diagram visualising the business process, labelled with specific steps. Each step is further detailed in the accompanying 'Step Description'.
Figure 2: Diagram representing the Onboarding of a New Dataspace Participant - Providers (data - application - infrastructure) & Consumers.
Steps Description:
Below there is the description of the steps involved in this business process. Each step outlines the specific actions and decisions required to successfully complete the process:
- Prepare & submit onboarding request: This initial step involves the Applicant Representative preparing a comprehensive application to participate to the dataspace, gathering the required information based on the documentation made available by the Governance Authority (see prerequisites 1). After the preparation of the onboarding request, the Applicant Representative fills in the forms and provides any other documents that may be mandatory (following the rules that are defined by the Governance Authority) to the Governance Authority for review.
- Review onboarding request: After receiving the onboarding request, the Governance Authority starts the review process. It verifies the Applicant’s onboarding request against a predefined set of criteria and the alignment with the dataspace objectives (see prerequisite 1). The review process of the onboarding request can be either manually or automatically done by the Governance Authority.
- Request Approved?: As an outcome of the review in step 2, the Governance Authority approves or rejects the request. If the request is approved, the process continues to the identification of Identity Attributes in step 4. In case deficiencies are found, the Applicant shall have the possibility to address them and start over the process from Step 1.
- Identify Identity Attributes: After the approval the Governance Authority identifies the relevant Identity Attributes of the Applicant that will be used for authentication of the Applicant.
- Agent deployment: If the application is approved, the Applicant Representative downloads the minimal set of modules from Simpl-Open that are required to have an operative Simpl-Open. The Applicant Representative then deploys and configures the Simpl-Open modules on the Applicant's infrastructure to establish the necessary environment for participating within the dataspace.
- Generate public/private keypair: The Applicant's agent generates a public/private key pair to enable encrypted communications and data integrity within the dataspace. The private key is securely stored in the agent. The Applicant Representative shares the public key with the Governance Authority to request signed security credentials.
- Create & sign security credentials: The Governance Authority creates and signs digital security credentials (e.g., x.509 certificates) that incorporate the Applicant’s public key. These credentials serve as proof of identity and are validated through the issuance of certifications by the Governance Authority. The certifications ensure that the credentials are securely linked to the correct entity.
- Provide the security credentials: The Governance Authority provides the signed security credentials to the Applicant. The security credentials are essential to ensure secure operations within the dataspace.
- Store & install security credentials: The Applicant Representative stores and installs the signed identity security credentials in its Simpl-Open Agent.
Notify the Applicant Representative of the Successful Onboarding: The Applicant Representative is notified that they are now fully onboarded to the Dataspace and from now on are a Participant.
| L0 - Business Process | Status: Proposed |
Associated L1s - High Level Requirements
3a.1 - Onboarding of a new data space participant - attribute placement during onboarding
Simpl shall provide support to position identity attributes ...3a.2 - Onboarding of a new data space participant - finalizing onboarding
Simpl shall provide support for the following:...3a.3 - Onboarding of a new data space participant - onboarding procedure
Depending on the rules set by the Dataspace Governance Authority, ...3a.4 - Onboarding of a new data space participant - participant actions
The new participant can then register users that can connect to Simpl ...3a.5 - Onboarding of a new data space participant - registration of onboarding request
Simpl shall provide support when an organisation wants ...3a.6 - Access control - end users to agent
Simpl shall support Role-based Access Control (RBAC).
Moderator note: Comments are from the previous discussion platform.
Submitted by Luis Carlos BU… on Mon, 25/03/2024 - 14:34
The Description of the high-level requirement should also include provision for the possible withdrawal of participants in Dataspaces
Submitted by Javier VALIÑO on Tue, 02/07/2024 - 15:12
Looking at the diagram, it seems it is following a centralised approach where the Governance Authority is issuing the security credentials.
Is there a plan to support decentralised approaches such as Verifiable Credentials/DIDs as described by Gaia-X (https://www.gaiax.es/sites/default/files/2023-04/Gaia-X_Architecture_Do… section 4,6)?
In reply to Looking at the diagram, it… by Javier VALIÑO
Submitted by Rick Santbergen on Mon, 15/07/2024 - 14:52
Hi Javier, the credential issued by the Dataspace Governance Authority only has the purpose of implementing a secure mTLS channel of communication between participant Agents (tier 2 agent-to-agent communication), which ensures the highest level of security. Besides that, all operations/functionalities such as signing a service offering, consuming a service offering, signing contracts, and giving consent, etc., will be following the decentralised approach (VC/DID) as described by Gaia-X.
Submitted by Mark Dietrich on Thu, 04/07/2024 - 14:06
As discussed in Simpl workshop -- process should reflect organisations' having individuals who are authorized to make an application (able to prove they have the authority), as well as the fact that different individuals will be involved at different points (e.g. the Rector of KU Leuven will not install software).
In reply to As discussed in SIMPL… by Mark Dietrich
Submitted by Rick Santbergen on Thu, 25/07/2024 - 10:30
Hi Mark, all tasks related to legal identities, authentication/authorisation, and legally binding signatures fall outside the scope of the onboarding procedure. Approval for onboarding occurs after validation through secondary channels, which may include document verification, contract signing, and other requirements set by the Dataspace Governance Authority.
Submitted by Andreas Eisenrauch on Fri, 16/08/2024 - 11:02
I am not sure, if the human end users are really relevant for the data space governance authority. I have doubt, that they will acquire connectors for getting an airlines flight schedule or a museum catalogue directly from the source. Instead, they will register to applications (developed in use case projects) provided by corporate participants, which retrieve the data from partners in the DS. I think this, item has no high priority at least.
Please log in or sign up to comment.