opengeospatial / sensorthings

The official web site of the OGC SensorThings API standard specification.

STAplus and personal data #152

Closed securedimensions closed 1 year ago

securedimensions commented 1 year ago

Items for discussion:

joanma747 commented 1 year ago

Let's add a "security considerations" section saying that in the absence of any business logic about parties, personalData should not be available in $filter ... (because I could use repetitive filters to "reveal" personal data). A business logic could allow for a Party to filter its own Party data but not the others.

Filter by authID is allowed because it is only a name that does not show anything about the person.
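
One way a server could enforce the rule proposed in the comment above, as an added example that is not part of the thread or of the STAplus standard: a guard that rejects any `$filter` touching `personalData` when no party business logic applies, and otherwise pins the query to the requester's own Party. The function names and the `authId` spelling are assumptions (the thread writes "authID").

```python
import re

# Assumptions (not from the standard text): the sensitive property is named
# personalData and the pseudonymous identifier authId, as in the thread.
SENSITIVE = "personaldata"
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")      # OData literal, '' escapes '
PROPERTY_PATH = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:/[A-Za-z_][A-Za-z0-9_]*)*")


def sensitive_prefixes(filter_expr):
    """Return the navigation prefixes under which personalData is referenced."""
    # Blank out string literals so quoted text is never read as a property.
    code = STRING_LITERAL.sub("''", filter_expr)
    prefixes = set()
    for path in PROPERTY_PATH.findall(code):
        segments = path.split("/")
        lowered = [s.lower() for s in segments]
        if SENSITIVE in lowered:
            prefixes.add("/".join(segments[:lowered.index(SENSITIVE)]))
    return prefixes


def guard_filter(filter_expr, requester_auth_id=None):
    """Return a $filter that is safe to evaluate, or raise PermissionError."""
    prefixes = sensitive_prefixes(filter_expr)
    if not prefixes:
        return filter_expr                      # e.g. filtering by authId only
    if requester_auth_id is None:
        # No business logic about parties: personalData is not filterable.
        raise PermissionError("personalData is not allowed in $filter")
    # Business logic: pin every referenced Party to the requester, so the
    # filter result can only reveal the requester's own data.
    me = requester_auth_id.replace("'", "''")
    pins = [f"{p + '/' if p else ''}authId eq '{me}'" for p in sorted(prefixes)]
    return f"({' and '.join(pins)}) and ({filter_expr})"
```

An unterminated string literal is not blanked out, so a malformed expression that mentions `personalData` is still treated as sensitive.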

securedimensions commented 1 year ago

The standard is updated in that respect now.