Personal Data Access Control
Within an application built on top of Funf for client data collection and openPDS for storage and processing of the data, there are 3 potential places for access control: on the client, via the Funf configuration; and on the server, in 2 different places: controlling access to raw data by the scripts that process it into answers, and controlling access to the processed answers themselves. Of these 3 access control schemes, 2 are currently implemented: Funf configuration control and access control over processed answers.
As most data within openPDS comes from Funf running within a client application on Android, the nature of the data being collected can be controlled before it ever reaches the PDS via the Funf configuration on the phone. openPDS provides a place to store Funf configurations and a means for pushing new configurations to the phone, but does not provide a user interface for changing a Funf config.
Currently, access control for processed data on the PDS (accessed via the answer and answerlist REST endpoints) is provided via OAuth scopes. Without a bearer token, all requests to openPDS fail as unauthorized. Via OAuth on a Registry Server, a user can grant an application access to write raw Funf data to their PDS and to retrieve answers that are generated by scheduled tasks within their PDS. To authorize an application to write Funf data, its token must be approved for the funf_write scope. To authorize access to individual answers generated within openPDS, the token must be approved for the answer key of each answer the application wishes to read; a request for several answers therefore needs every one of their keys.
Access to raw data is only available to tasks running within the user's PDS. Each of these tasks is associated with an answer key, which stores the result of the task within the answer or answerlist collections. While running within a PDS, all tasks have unfettered access to all raw Funf data. In the future, access control within this space should be built to restrict access to data for tasks. For example, restricting the type of data that a task has access to could either cause the collection the task is pulling the raw data from to return an empty set of data, or it could throw an error. Additionally, methods could be provided to check for access to the raw data.
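The two server-side checks described above, the implemented OAuth-scope check on the answer endpoints and the proposed (not yet implemented) raw-data restriction for tasks, are modelled together in the following added example. This is illustrative code written for this page, not openPDS's own implementation: the names `Token`, `required_scopes`, `check_request` and `RawDataStore`, the answer keys `exampleAnswerA`/`exampleAnswerB`, the probe names `location`/`wifi` and the sample rows are all constructed for the example; only the `funf_write` scope name and the answer/answerlist action names come from the page.

```python
"""Model of openPDS access control as described on this page (added example,
not project code). Scope names other than funf_write are constructed."""
from dataclasses import dataclass

FUNF_WRITE = "funf_write"  # scope name taken from the page


class Unauthorized(Exception):
    """No bearer token was presented (an HTTP 401 in a real server)."""


class Forbidden(Exception):
    """A token was presented but lacks a scope the request needs (HTTP 403)."""


@dataclass(frozen=True)
class Token:
    value: str          # opaque bearer value; not inspected here
    scopes: frozenset   # scopes the Registry Server approved for this token


def required_scopes(action, answer_keys=()):
    """Map a request to the scopes it needs: writing raw Funf data needs
    funf_write; reading answers needs the answer key of every answer asked for,
    so an answerlist request over several keys needs all of them."""
    if action == "funf_write":
        return frozenset({FUNF_WRITE})
    if action in ("answer", "answerlist"):
        keys = frozenset(answer_keys)
        if not keys:
            raise ValueError("answer requests must name at least one answer key")
        return keys
    raise ValueError(f"unknown action {action!r}")


def check_request(token, action, answer_keys=()):
    """Return True if the request is allowed; raise otherwise. Mirrors the page:
    no token -> unauthorized, token without the needed scope -> denied."""
    if token is None:
        raise Unauthorized("no bearer token presented")
    missing = required_scopes(action, answer_keys) - token.scopes
    if missing:
        raise Forbidden(f"token lacks scopes: {sorted(missing)}")
    return True


class RawDataStore:
    """Toy stand-in for the raw Funf collections a PDS task reads. With
    policy=None every task sees everything (today's behaviour). A policy of the
    form {answer_key: {probe, ...}} is the per-task allow-list the page proposes;
    on_denied selects between the two behaviours it sketches: 'empty' returns an
    empty result set, 'error' raises."""

    def __init__(self, rows, policy=None, on_denied="empty"):
        self.rows = rows            # list of (probe, payload) tuples, constructed
        self.policy = policy
        self.on_denied = on_denied

    def can_access(self, answer_key, probe):
        """The explicit access-check method the page suggests providing to tasks."""
        if self.policy is None:
            return True
        return probe in self.policy.get(answer_key, set())

    def query(self, answer_key, probe):
        """Fetch raw rows of one probe type on behalf of the task for answer_key."""
        if not self.can_access(answer_key, probe):
            if self.on_denied == "error":
                raise Forbidden(f"task {answer_key!r} may not read {probe!r}")
            return []
        return [payload for p, payload in self.rows if p == probe]


def raises(exc_type, fn, *args, **kwargs):
    """Helper for checks: True if fn(*args) raises exc_type, else False."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False


# Constructed sample raw data (not real Funf output) and policy for demonstration.
SAMPLE_ROWS = [("location", {"lat": 42.36, "lon": -71.09}),
               ("wifi", {"bssid": "00:11:22:33:44:55"}),
               ("location", {"lat": 42.37, "lon": -71.10})]
SAMPLE_POLICY = {"exampleAnswerA": {"location"}, "exampleAnswerB": {"wifi"}}

if __name__ == "__main__":
    tok = Token("constructed-token", frozenset({FUNF_WRITE, "exampleAnswerA"}))
    print(check_request(tok, "funf_write"))                       # True
    print(raises(Forbidden, check_request, tok, "answer", ["exampleAnswerB"]))  # True
    store = RawDataStore(SAMPLE_ROWS, SAMPLE_POLICY)
    print(store.query("exampleAnswerA", "location"))              # two rows
    print(store.query("exampleAnswerA", "wifi"))                  # []
```

The split between `required_scopes` and `check_request` keeps the policy (which scopes a request needs) separate from enforcement, so the answerlist case, where several answer keys must all be present on the token, is handled by one set difference rather than a loop with early exits. The `RawDataStore` half is deliberately parameterised on `on_denied` because the page leaves open whether a restricted task should see an empty collection or an error; both are legitimate designs, and an explicit `can_access` lets a task ask before it queries.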