IOTICSpace

An IOTICS data ecosystem is formed of multiple IOTICSpaces. Each party has its own IOTICSpace, which contains one or more Digital Twins. Each IOTICSpace presents its own API, and that API is private to the party that owns the IOTICSpace.

An introduction to IOTICSpace

In IOTICS, each party has its own IOTICSpace (represented as a circle), which together form a decentralised data ecosystem.

Each IOTICSpace contains one or more Digital Twins (represented as a dot). The twins can publish data to, and receive data from, other Digital Twins in your own or others' IOTICSpaces within the same ecosystem.

The owner of an IOTICSpace is in control of all its twins, and therefore of all the metadata stored and data streaming through them. Owners can decide to make their twins visible (or not) and to share data with all, none, or a select number of parties and, by extension, join one or more data ecosystems or consortia.

The formation of IOTICSpaces might look similar to the illustration above where all parties can find and access data from the other parties’ shared twins.

Each IOTICSpace comes fully deployed and set up on the IOTICS Cloud. The ecosystem is built on a decentralised infrastructure: each IOTICSpace is deployed on its own, so data separation between IOTICSpaces is guaranteed, and each IOTICSpace presents its own API.


Deploy anywhere

For the sake of this guide, we will assume that the IOTICSpace is available through IOTICS Cloud. An IOTICSpace may, however, be deployed on any cloud infrastructure with no change to its capabilities and functionality.


Technical components

Each IOTICSpace corresponds to one node called “Host” on the decentralised IOTICS network. The Digital Twins therefore “live” and are stored within the Host.


IOTICSpace = Host

For the purposes of this guide, we’re using the terms IOTICSpace and Host interchangeably.

Each Host has its own metadata storage database. This keeps metadata and data separated per IOTICSpace (important both for security and for machine-readability) and guarantees that data stays separated by owner across the network.

Each IOTICSpace or Host has:

  1. One Twin of the Host - the Host Twin - controlling access permissions
  2. Multiple Digital Twins, owned and controlled by the owner of the IOTICSpace
  3. Its own API
  4. Its own metadata database

When configuring your IOTICSpace, consider the following best practices:

  1. Who owns and controls the data? An IOTICSpace should belong to one and only one party, which owns and controls all the data within it.
  2. Who should have access to the data, and who shouldn't? Access to your IOTICSpace can be granted to all, none or select other IOTICSpaces. You can update your IOTICSpace permissions through the Host Twin (see Selective Sharing for Metadata and Data).
  3. If you require more granular access permissions, remember that selective access can also be granted at the Digital Twin level to all, none or select other IOTICSpaces (see Selective Sharing for Metadata and Data).

API access permissions

The first security layers you'll find in an IOTICSpace are the Agent AllowList and the User AllowList. They ensure that only the intended Agents and Users can access the Host and send requests to it through the IOTICS API. Both lists can only be managed by admins.

Agent AllowList

This AllowList controls whether specific Agent Identities can access the Host through the IOTICS API. It is a property of the Host Twin only; no other Twin in the Host has it.

It’s important to remember that:

  • It's automatically created when the IOTICSpace is created, with the default value Allow All. The admin can change it at any moment.
  • It can contain one or more Agent DIDs. If it contains DID1 and DID2, only DID1 and DID2 are authorised to send requests to the Host.
  • If all values are deleted from the AllowList, it is automatically set to Allow None. Emptying the list therefore locks every Agent out rather than restoring the Allow All default.

The Agent AllowList is configured by updating a specific property within the Host Twin’s Metadata, determined by the Key-Value pair:

Key

  • http://data.iotics.com/public#agentAllowList

Values

  • Allow All = http://data.iotics.com/public#all
  • Allow None = http://data.iotics.com/public#none
  • Allow ID = did:iotics:didexample1234abcd

User AllowList

This AllowList controls whether specific User Identities can access the Host through the IOTICS API. It is a property of the Host Twin only; no other Twin in the Host has it.

It’s important to remember that:

  • It's automatically created when the IOTICSpace is created, with the default value Allow All. The admin can change it at any moment.
  • It can contain one or more User DIDs. If it contains DID1 and DID2, only DID1 and DID2 are authorised to send requests to the Host.
  • If all values are deleted from the AllowList, it is automatically set to Allow None. Emptying the list therefore locks every User out rather than restoring the Allow All default.

The User AllowList is configured by updating a specific property within the Host Twin's Metadata, determined by the Key-Value pair:

Key

  • http://data.iotics.com/public#userAllowList

Values

  • Allow All = http://data.iotics.com/public#all
  • Allow None = http://data.iotics.com/public#none
  • Allow ID = did:iotics:didexample1234abcd

Metadata and Data access permissions

The AllowLists that control how your Metadata and Data are selectively shared with other Hosts work as follows:

Selective Metadata Sharing

This setting controls whether a Digital Twin's Metadata can be found and described by other Hosts.

It’s important to remember that:

  • It can be enabled selectively on a twin-by-twin basis.
  • The Twin's Metadata Sharing setting is configured by updating the Digital Twin's hostMetadataAllowList property.
  • The Host Twin’s Metadata Sharing setting is configured by updating its hostAllowList property.

The Key-Value pairs used for this purpose are the following:

Key

  • http://data.iotics.com/public#hostMetadataAllowList

Values

  • All Hosts = http://data.iotics.com/public#all
  • No Host = http://data.iotics.com/public#none
  • Host ID = did:iotics:didexample1234abcd

Selective Data Sharing

This setting controls whether a Digital Twin's Data can be accessed from other Hosts.

It’s important to remember that:

  • It can be enabled selectively on a twin-by-twin basis.
  • The Twin's Data Sharing setting is configured by updating the Digital Twin's hostAllowList property.
  • The Host's Data Sharing setting is configured by updating the Host Twin's hostAllowList property.

The Key-Value pairs used for this purpose are the following:

Key

  • http://data.iotics.com/public#hostAllowList

Values

  • All Hosts = http://data.iotics.com/public#all
  • No Host = http://data.iotics.com/public#none
  • Host ID = did:iotics:didexample1234abcd
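The AllowList rules described in the API access permissions section and in the two Selective Sharing sections above share one vocabulary (the all and none sentinels plus did:iotics: identifiers) and one fail-closed rule (an emptied list means Allow None). The following added example models those rules so the decision logic can be checked offline. It is not IOTICS client code and does not call the IOTICS API; the property keys and sentinel URIs are the ones listed on this page, while the DIDs, the `Properties` dict shape, the function names and two defaults are assumptions (an absent twin-level list is treated as Allow None, and a list containing both the all and none sentinels is treated as Allow None, neither of which the page specifies).

```python
"""Added example: a model of the AllowList semantics described on this page.
Not IOTICS client code; it only encodes the stated key/value rules so the
fail-closed behaviour (emptied list == Allow None) can be exercised."""
from typing import Dict, List, Optional

NS = "http://data.iotics.com/public#"
ALL = NS + "all"
NONE = NS + "none"
AGENT_ALLOW_LIST = NS + "agentAllowList"                 # Host Twin only
USER_ALLOW_LIST = NS + "userAllowList"                   # Host Twin only
HOST_METADATA_ALLOW_LIST = NS + "hostMetadataAllowList"  # per Digital Twin
HOST_ALLOW_LIST = NS + "hostAllowList"                   # per Digital Twin

# Assumed shape: property key -> list of property values (not an IOTICS type).
Properties = Dict[str, List[str]]


def is_iotics_did(value: str) -> bool:
    """Syntactic check only: the page's examples use the did:iotics: method."""
    return value.startswith("did:iotics:") and len(value) > len("did:iotics:")


def allow_list_permits(values: Optional[List[str]], did: str) -> bool:
    """Decide one AllowList. Rules taken from the page:
    - the all sentinel admits everyone, the none sentinel admits nobody;
    - otherwise only the listed DIDs are admitted;
    - an emptied list means Allow None, it does not fall back to Allow All.
    Assumption (not stated on the page): if both sentinels are present we
    fail closed and treat the list as Allow None."""
    if not values:
        return False
    if NONE in values:
        return False
    if ALL in values:
        return True
    return did in values


def set_allow_list(props: Properties, key: str, values: List[str]) -> Properties:
    """Return a copy of the twin's properties with `key` replaced by `values`.
    Anything that is neither a sentinel nor a did:iotics: identifier is
    rejected, so a typo cannot silently produce a list that admits nobody."""
    for v in values:
        if v not in (ALL, NONE) and not is_iotics_did(v):
            raise ValueError(f"{key}: {v!r} is neither a sentinel nor a did:iotics: DID")
    updated = {k: list(v) for k, v in props.items() if k != key}
    updated[key] = list(values)
    return updated


def api_request_allowed(host_twin: Properties, agent_did: str, user_did: str) -> bool:
    """Both Host Twin lists must admit the caller. The page states both lists
    are created as Allow All, so a missing key is treated as [ALL] here."""
    return (allow_list_permits(host_twin.get(AGENT_ALLOW_LIST, [ALL]), agent_did)
            and allow_list_permits(host_twin.get(USER_ALLOW_LIST, [ALL]), user_did))


def remote_host_may(twin: Properties, remote_host_did: str, what: str) -> bool:
    """Twin-level selective sharing for a caller on another Host.
    what: "metadata" (find/describe the twin) or "data" (receive its data).
    Assumption: the page gives no default for a twin without the property,
    so this model fails closed and treats a missing list as Allow None."""
    key = {"metadata": HOST_METADATA_ALLOW_LIST, "data": HOST_ALLOW_LIST}[what]
    return allow_list_permits(twin.get(key, [NONE]), remote_host_did)


if __name__ == "__main__":
    # Constructed DIDs; the Host Twin starts as the page says it is created.
    host = {AGENT_ALLOW_LIST: [ALL], USER_ALLOW_LIST: [ALL]}
    host = set_allow_list(host, AGENT_ALLOW_LIST, ["did:iotics:agentexample1"])
    print(api_request_allowed(host, "did:iotics:agentexample1", "did:iotics:userexample1"))  # True
    print(api_request_allowed(host, "did:iotics:agentexample2", "did:iotics:userexample1"))  # False
    locked = set_allow_list(host, USER_ALLOW_LIST, [])  # emptied list == Allow None
    print(api_request_allowed(locked, "did:iotics:agentexample1", "did:iotics:userexample1"))  # False
    twin = {HOST_METADATA_ALLOW_LIST: [ALL], HOST_ALLOW_LIST: ["did:iotics:hostexample1"]}
    print(remote_host_may(twin, "did:iotics:hostexample2", "metadata"))  # True
    print(remote_host_may(twin, "did:iotics:hostexample2", "data"))      # False
```

The order of checks mirrors the page's layering: a request is first gated by the Host Twin's Agent and User AllowLists, and only then does the per-twin hostMetadataAllowList or hostAllowList decide what a caller from another Host may find or receive. When you script a real update, validate the values before sending them, because the page's rule that an emptied list becomes Allow None means a rejected or mistyped entry can turn a selective list into a lockout.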

For more information about access permissions, including examples of how to update them, go to: