
Access Control

Why is Access Control Required?

Access Control enforces that a data file uploaded to the Arcana Store can be viewed or accessed only by authorized users. With access control, access to sensitive data is restricted to data owners and the users they trust. Access control is critical to providing data privacy. Arcana uses cryptographic techniques to ensure that data is encrypted and cannot be read by unauthorized users.

Decentralized access control has no single centralized entity (administrator, node) that manages access to data or the cryptographic keys used to encrypt it. The creator or owner of the data is solely responsible for managing access. The owner can delegate access to other entities for convenience and revoke that delegation if required.

How does Arcana Access Control Work?

Access control can be rule-based or role-based. The Arcana Network Storage protocol implements a combination of the two. Roles include 'data owner' and 'delegate'. Rules are conditions associated with each data file; a rule may also act as a gating factor, allowing access to a resource only if the user owns a particular asset in the Arcana Network ecosystem.

For example, a rule may allow access to a data file only if the user's address is the same as the owner's, or only if the user owns a certain private NFT that qualifies them as a member of some community or special group. The Access Control List (ACL) associated with each data file is stored in a database, while the hash of the rule is stored on the blockchain. In the future, this ACL database will be made public.

Arcana Network enforces access control on all private data. By default, all the data uploaded to the Arcana Store is private. The following operations on private user data are access controlled:

  • Share a file
  • Revoke file share access
  • Transfer file ownership
  • Delete a file
  • Get a list of users who have shared access to a file
  • Other private metadata-specific operations

Public data does not require any authorization; anyone can access it.
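To make the role-and-rule model above concrete, here is an illustrative Python model added for this page. It is not Arcana's code, and every name in it (FileRecord, AccessController, the rule types owner_only and holds_asset, the dictionary standing in for the on-chain ledger, and the sample addresses and DIDs) is an assumption. It keeps the ACL in an off-chain database, commits only the rule hash to the ledger stand-in, refuses to evaluate any rule whose hash no longer matches that commitment, and restricts the operations listed above to the owner role.

```python
"""Illustrative role + rule based access control for a decentralized store.
Written for this page as an example; NOT Arcana's code. All class names,
rule types and sample identifiers below are assumptions."""
import hashlib
import json
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a caller lacks the role needed for an operation."""


def rule_hash(rule: dict) -> str:
    """SHA-256 over the canonical JSON form of a rule.
    Only this hash is committed to the (simulated) chain; the ACL itself
    lives in an off-chain database and is checked against it before use."""
    canonical = json.dumps(rule, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class FileRecord:
    """One ACL entry as it would sit in the off-chain ACL database."""
    did: str
    owner: str
    public: bool = False
    rule: dict = field(default_factory=lambda: {"type": "owner_only"})
    delegates: set = field(default_factory=set)


class AccessController:
    def __init__(self, chain: dict, assets: dict):
        self.files = {}        # off-chain ACL database: did -> FileRecord
        self.chain = chain     # constructed stand-in for the ledger: did -> rule hash
        self.assets = assets   # constructed: address -> set of asset ids it holds

    def _require_owner(self, rec: FileRecord, user: str) -> None:
        if user != rec.owner:
            raise AccessDenied(f"{user} is not the owner of {rec.did}")

    def _rule_allows(self, rec: FileRecord, user: str) -> bool:
        # Integrity check: never evaluate a rule the chain has not committed to.
        if rule_hash(rec.rule) != self.chain.get(rec.did):
            raise AccessDenied("ACL rule does not match the on-chain rule hash")
        kind = rec.rule["type"]
        if kind == "owner_only":
            return user == rec.owner
        if kind == "holds_asset":  # gating on an asset, e.g. a private NFT
            return rec.rule["asset"] in self.assets.get(user, set())
        raise AccessDenied(f"unknown rule type {kind!r}")

    def upload(self, did: str, owner: str, rule=None, public=False) -> FileRecord:
        rec = FileRecord(did, owner, public, rule or {"type": "owner_only"})
        self.files[did] = rec
        self.chain[did] = rule_hash(rec.rule)  # commit the rule hash
        return rec

    def can_read(self, did: str, user: str) -> bool:
        rec = self.files[did]
        if rec.public:
            return True                          # public data: no authorization
        if user == rec.owner or user in rec.delegates:
            return True                          # role based
        return self._rule_allows(rec, user)      # rule based

    # Owner-only operations, matching the access-controlled list above.
    def share(self, did: str, owner: str, grantee: str) -> None:
        rec = self.files[did]
        self._require_owner(rec, owner)
        rec.delegates.add(grantee)

    def revoke(self, did: str, owner: str, grantee: str) -> None:
        rec = self.files[did]
        self._require_owner(rec, owner)
        rec.delegates.discard(grantee)

    def transfer(self, did: str, owner: str, new_owner: str) -> None:
        rec = self.files[did]
        self._require_owner(rec, owner)
        rec.owner = new_owner
        rec.delegates.discard(new_owner)

    def delete(self, did: str, owner: str) -> None:
        rec = self.files[did]
        self._require_owner(rec, owner)
        del self.files[did]
        self.chain.pop(did, None)

    def shared_with(self, did: str, owner: str) -> list:
        rec = self.files[did]
        self._require_owner(rec, owner)
        return sorted(rec.delegates)


if __name__ == "__main__":
    # Constructed sample data: addresses, asset ids and DIDs are placeholders.
    ac = AccessController(chain={}, assets={"0xcarol": {"nft:community-pass"}})
    ac.upload("did:constructed:1", "0xalice")
    ac.share("did:constructed:1", "0xalice", "0xbob")
    print(ac.can_read("did:constructed:1", "0xbob"))    # True: delegate role
    print(ac.can_read("did:constructed:1", "0xcarol"))  # False: no role, owner_only rule
```

The point worth noticing is the order of checks in can_read: the owner and delegate roles short-circuit, but the rule path first recomputes the rule hash and compares it with the ledger value, so an edit to the off-chain ACL database that is not reflected on chain fails closed instead of granting access.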

In a decentralized data store, a data file can be downloaded by anyone who knows its file identifier (DID). However, they cannot view or read the file because it is encrypted. Only the file owner, or those who have been granted access by the owner, can decrypt and read it.