On-chain access grants
Access grants allow their grantees to retrieve data at a later point in the future without requiring user interaction, as described in Granting data access. These grants are:
Managed by the data owners themselves
Recorded on-chain
Observed by idOS nodes for Authorization
Smart contracts
These grants are configurable by the data owners using any of the smart contracts that idOS nodes check. The contract functionality is straightforward:
A grant is an idOS object representing a data access grant from an owner to a grantee for a given data ID (optionally with a timelock)
The contract stores a collection of grants
Anyone can list grants
A signer can
create a grant that they own
delete (revoke) a grant that they own (unless timelocked)
Below is a simplified Solidity interface.
Our GitHub repo has more information, as well as tested implementations for the EVM (in Solidity) and the NEAR VM (in TypeScript and in Rust).
idOS nodes
When receiving a signed request for data not owned by the signer, idOS nodes use these smart contracts as the source of truth for authorizing (or denying) the request. Here's an example of how they're used:
Timelocks
A request for an access grant can include an optional timelock. If accepted, it restricts the data owner's ability to revoke the access grant or delete the underlying data until said timelock expires.
Timelocks are particularly relevant for AML/KYC compliance. For example, at an international level, FATF recommends a retention period on financial institutions of at least 5 years. The relevant EU directive states also 5 years. The same is true for the US and China, but for Brazil and Switzerland, for example, that is 10 years.
Contracts enforce timelocks by checking whether a timelock is present and active before agreeing to delete a grant.
On its end, the idOS checks whether an active timelock exists when receiving deletion requests.
Last updated