
Delegation

The BDI framework enables the delegation of data access authorization, allowing a Data Owner to grant permission to a main contractor, who can then delegate this access further down the subcontracting chain. This delegation process is essential for ensuring that subcontractors can access the necessary data while maintaining control over who has access.

Delegation versus Representation

In many business scenarios, tasks are subcontracted and further sub-subcontracted. Within this context, it is important to differentiate between delegation and representation:

  • Delegation refers to the process where a Data Owner allows a main contractor to delegate access to their data to a subcontractor, and potentially further down the chain. The entire delegation chain is recorded in the Data Owner’s Authorization Register.
  • Representation involves verifying that an individual or entity has the authority to act on behalf of another legal entity. This process typically involves validating a set of claims, such as authenticated identity and the accountability of the entity sending the representative.

While the delegation chain can, in theory, be used to verify a representation chain, this is only applicable when the delegation chain is necessary, available, and equivalent to the representation chain. In many cases, such necessity and equivalence do not exist, making it crucial to treat delegation and representation as separate functions.

  • Delegation is focused on authorizing access to the Data Owner’s data.
  • Representation involves verifying claims related to the authority and identity of those acting on behalf of a legal entity.

 

Delegation evidence

The iSHARE framework provides a specification for using JWT tokens as Delegation Evidence. These tokens serve as proof that a delegation of access has occurred and are used to validate that the subcontractors in the chain have the appropriate permissions to access the data.
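The following added example (not code from the BDI or iSHARE specifications) shows the checks a data provider would run over a delegation chain before granting a subcontractor access. It assumes each record has already been signature-verified and decoded from its JWT; the field names, the party identifiers and the depth limit are simplified, hypothetical stand-ins rather than the iSHARE schema.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    """One decoded delegation record (simplified, hypothetical field names)."""
    issuer: str           # party granting access
    subject: str          # party receiving access
    resource: str
    action: str
    not_before: int       # Unix seconds
    not_on_or_after: int  # Unix seconds
    max_depth: int        # further delegations allowed below this link

def validate_chain(chain, data_owner, requester, resource, action, now):
    """Return (True, "ok") or (False, reason) for an ordered delegation chain."""
    if not chain:
        return False, "empty chain"
    if chain[0].issuer != data_owner:
        return False, "chain does not start at the Data Owner"
    remaining = chain[0].max_depth
    for i, link in enumerate(chain):
        if i > 0:
            if link.issuer != chain[i - 1].subject:
                return False, f"link {i}: issuer is not the previous subject"
            if remaining <= 0:
                return False, f"link {i}: delegation depth exceeded"
            # A lower party can narrow the depth budget but never widen it.
            remaining = min(remaining - 1, link.max_depth)
        if not (link.not_before <= now < link.not_on_or_after):
            return False, f"link {i}: outside validity window"
        if (link.resource, link.action) != (resource, action):
            return False, f"link {i}: does not cover requested resource/action"
    if chain[-1].subject != requester:
        return False, "chain does not end at the requester"
    return True, "ok"

# Constructed sample chain: Data Owner -> main contractor -> subcontractor.
NOW = 1_700_000_000
def mk(issuer, subject, depth, end=NOW + 3600):
    return Link(issuer, subject, "shipment-data", "read", NOW - 3600, end, depth)

CHAIN = [mk("data-owner", "main-contractor", 1), mk("main-contractor", "subcontractor", 0)]

if __name__ == "__main__":
    print(validate_chain(CHAIN, "data-owner", "subcontractor", "shipment-data", "read", NOW))
    too_deep = CHAIN + [mk("subcontractor", "sub-subcontractor", 0)]
    print(validate_chain(too_deep, "data-owner", "sub-subcontractor", "shipment-data", "read", NOW))
```

The check fails closed: a gap in the chain, an expired link, or a delegation below the permitted depth each return a denial with the position of the offending link.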

 
