EuProGigant: Policy as Code in Data and Service Ecosystems
Policy as Code in Data and Service Ecosystems: How to control and understand what happens to your data when sharing it to build inter-company services.
8 min read - 12 July 2024
To improve product sustainability, product engineers designing plastic parts need information about their designs' environmental footprint. Providing detailed and accurate estimations requires know-how and data from multiple parties.
Injection-molding parts are produced on machines with configuration-dependent energy consumption levels. Mounted on the machine are tools for molding the plastic parts. These tools are manufactured specifically for the parts and are mostly made of steel and other metals. And, of course, the parts need plastic granules as raw material.
Product engineers share their designs. Machine manufacturers share configurations and energy usage profiles of their machines, tool manufacturers share material usages for their tool designs, and metal and granules producers share the carbon footprint of the raw materials they provide. Simulation experts require this information as input and provide know-how and simulation results to the other parties. This process is often iterative and more complex. For the purpose here, it is important to understand that all participants have a strong need to control and understand what happens to their data, since it carries sensitive information such as future product designs, machine/tool details under NDAs, or simply information that should not leak to competitors.
The project complies with Gaia-X, an international initiative creating data space interoperability standards that strongly focus on trust and sovereignty. It provides ways to describe (among other things) legal persons, data resources, and services.
Outlook
Results
The developed concept shows how policy as code can be implemented for data sharing, how it is integrated into services providing, consuming, and storing data, and, most importantly, how such a policy system is maintained over time. We developed different policies for different parties and kept them structured and readable for non-developers. Technically inclined people can understand what could happen to their company's data.
The concept allows us and our partners to develop policies further and align them with changing interests. The approach taken with extending the tooling (OPA) enabled us to incorporate Gaia-X standards (Gaia-X entities and partly their proposals for data contracting).
Solution
The task at hand was to create a concept that would provide all parties with the means to control and understand what happens to their data. The idea was to transfer the policy-as-code approach we know from our day-to-day operations as cloud and DevOps engineers to the authorization layers of the data exchange in this manufacturing use case.
Our experience building authorization systems shows that creating good systems with only simple examples is hard, as the challenges only become visible in realistic and more complex situations. Therefore, we developed a state-of-the-art service and authorization architecture. This testbed's data exchange features were creating, reading, updating, and deleting (CRUD) product carbon footprints and requesting estimates. We added an organizational management layer: companies manage their employees and groups. On the technical side, we integrated Open Policy Agent (OPA) at different levels of the stack. The setup allowed us to edit and evaluate policies quickly, add functionality (extensions) to OPA itself, and easily adapt the integration within the test application.
We created a realistic testbed to ensure the concept can be applied in a realistic scenario.
We implemented and iterated on policies controlling who can use a service at all (admission policies), who can access data (access policies), how data must look regarding structure and values when created (content policies), when and if data can be deleted (retention policies), and what characteristics a service must have for company employees to use it (usage policies).
For example, we implemented different rules for access control, a subset of which is illustrated in the following wireframe graphic. It shows three different ways to allow access to PCFs: one based on information about the customer provided ahead of time to the policy agent, one based on verifiable credentials provided by the customer, and one where the customer provides a valid agreement establishing his right to read the PCF.
Depending on the policies, they were managed by service administrators, data providers, or data consumers. Shared management, where administrators set minimum requirements and data providers refine them, is part of the concept.
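The three access paths and the shared-management split described above, sketched as an OPA policy. This is an added example, not the project's own policy code: the package name, the input fields, and the sample organisations, issuer and credential type are all hypothetical, and it assumes the calling service has already verified credential and agreement signatures and sets the `verified` flags itself.

```rego
package pcf.access

import rego.v1

# Constructed sample data (hypothetical names), inlined so the policy is self-contained.
admitted_orgs := {"acme-design", "sim-experts"}
known_customers := {"pcf-001": {"acme-design"}}
trusted_issuers := {"did:example:issuer"}

default allow := false

# Administrator minimum: only read requests from admitted organisations
# are considered at all.
admitted if {
	input.action == "read"
	input.requester.org in admitted_orgs
}

# Path 1: the customer was registered with the policy agent ahead of time.
provider_allows if {
	input.requester.org in known_customers[input.pcf.id]
}

# Path 2: the customer presents a verifiable credential.
# "verified" must be set by the service after signature checks, never by the caller.
provider_allows if {
	some vc in input.credentials
	vc.verified == true
	vc.type == "PcfReader" # hypothetical credential type
	vc.subject == input.requester.org
	vc.issuer in trusted_issuers
}

# Path 3: the customer presents a valid, unexpired agreement for this PCF.
provider_allows if {
	some a in input.agreements
	a.verified == true
	a.pcf_id == input.pcf.id
	a.provider == input.pcf.owner
	a.consumer == input.requester.org
	time.now_ns() < time.parse_rfc3339_ns(a.valid_until)
}

# Data providers refine the administrator minimum; they cannot widen it.
allow if {
	admitted
	provider_allows
}
```

Because `allow` requires both `admitted` and `provider_allows`, a provider rule that is too permissive still cannot grant access to an organisation the administrator has not admitted.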
Challenge
EuProGigant is a research project exploring how data sharing can help manufacturing companies build more efficient and resilient production networks. In one of its four use cases, multiple partners collaborate to help engineers design injection-molding parts with a lower product carbon footprint (PCF).
In the project's next phase, more policies will be implemented, the policy engine will be extended, and we’ll generally stabilize the setup so it can be deployed in production. Since we built on state-of-the-art methods and already mature software, we're confident that our additions can be stabilized with meaningful effort.
If you're interested in more details, feel free to check out this video: Controlling Data in Gaia-X
We thank our partners for their valuable input and look forward to continuing to work together.
This project was funded by:

- Authorization concept built on a “Policy as Code” approach.
- Service implementation as a testbed.
- Allow parties to control service admission, access to data, the content of data, retention of data, and allowed usage of data and services.
- Implemented (default) policies for parties to adapt and build upon.