Roles

1. Introduction

During the life cycle of a Sharemind HI solution, numerous stakeholders are involved in various roles. This site provides an overview of the technical roles, which are encoded in the Dataflow Configuration (DFC).

2. Enforcer

The Enforcer verifies a given dataflow configuration and signs it if it is as expected. This applies to the initial setup of a Sharemind HI Server as well as to follow-up DFC upgrades.

The Enforcer first downloads the DFC and verifies that it contains the expected content. Then the DFC is signed, and the signature is uploaded to the Sharemind HI Server. When the approvals of all enforcers have arrived, the DFC becomes active. For the initial DFC this means that data upload, task running and data download can now be performed.
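How the approval gate works, as an added example that is not Sharemind HI's code or API: a hypothetical Go model in which each enforcer compares the downloaded DFC with the content it expects before signing the digest with Ed25519, and the server activates the DFC only once every enforcer the DFC lists has submitted a signature that verifies over the DFC the server actually holds. The DFC text, the enforcer names and the type names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// Enforcer is a hypothetical model of one enforcer: a signing key and the
// SHA-256 digest of the DFC content it expects to see.
type Enforcer struct {
	Name     string
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	Expected [32]byte
}

func NewEnforcer(name string, expectedDFC []byte) (*Enforcer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Enforcer{Name: name, priv: priv, Pub: pub, Expected: sha256.Sum256(expectedDFC)}, nil
}

// Review is the enforcer-side step: compare the downloaded DFC with the
// expected content and sign its digest only if the two match.
func (e *Enforcer) Review(downloaded []byte) ([]byte, error) {
	digest := sha256.Sum256(downloaded)
	if digest != e.Expected {
		return nil, fmt.Errorf("%s: downloaded DFC differs from the expected content, not signing", e.Name)
	}
	return ed25519.Sign(e.priv, digest[:]), nil
}

// Server models the server-side approval state for one DFC: the enforcers
// the DFC lists and the verified approvals received so far.
type Server struct {
	dfc       []byte
	required  map[string]ed25519.PublicKey
	approvals map[string][]byte
}

func NewServer(dfc []byte, enforcers []*Enforcer) *Server {
	s := &Server{dfc: dfc, required: map[string]ed25519.PublicKey{}, approvals: map[string][]byte{}}
	for _, e := range enforcers {
		s.required[e.Name] = e.Pub
	}
	return s
}

// SubmitApproval verifies the signature over the DFC the server holds, so a signature
// over a different DFC, or from a key the DFC does not list, is rejected.
func (s *Server) SubmitApproval(name string, sig []byte) error {
	pub, ok := s.required[name]
	if !ok {
		return errors.New("approval from an enforcer the DFC does not list: " + name)
	}
	digest := sha256.Sum256(s.dfc)
	if !ed25519.Verify(pub, digest[:], sig) {
		return fmt.Errorf("signature from %s does not verify over the stored DFC", name)
	}
	s.approvals[name] = sig
	return nil
}

// Active reports whether every listed enforcer has approved; only then may upload, task running and download proceed.
func (s *Server) Active() bool {
	for name := range s.required {
		if _, ok := s.approvals[name]; !ok {
			return false
		}
	}
	return true
}

func main() {
	dfc := []byte("topics: [readings]\nenforcers: [alice, bob]\n") // constructed sample DFC
	var enforcers []*Enforcer
	for _, name := range []string{"alice", "bob"} {
		e, err := NewEnforcer(name, dfc)
		if err != nil {
			log.Fatal(err)
		}
		enforcers = append(enforcers, e)
	}
	srv := NewServer(dfc, enforcers)
	for _, e := range enforcers {
		sig, err := e.Review(dfc) // each enforcer checks the DFC independently before signing
		if err != nil {
			log.Fatal(err)
		}
		if err := srv.SubmitApproval(e.Name, sig); err != nil {
			log.Fatal(err)
		}
		fmt.Printf("after %s approved: active=%v\n", e.Name, srv.Active())
	}
}
```

The server verifies each signature against the DFC bytes it stores rather than against whatever the enforcer reviewed, which is what makes a substituted DFC detectable: an approval produced over the genuine configuration does not verify over a modified one.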

Diagram

3. Auditor

The Auditor has the technical capability to decrypt the audit log using the audit log key. They should download the audit log key from the Sharemind HI Server and store it in a safe location. Refer to the Audit Log Inspection site for more information.

Note that no Auditor shall have access to the admin-managed audit log storage, as this would give the auditor the possibility to manipulate the cryptographic protection of the audit log. This means for example that an administrator of the Sharemind HI Server shall not have an Auditor role.

Diagram

4. Producer

Producers use the Sharemind HI Client to upload confidential data to the Sharemind HI Server. The Sharemind HI Client encrypts the confidential data transparently before uploading it to the server, and sends the encryption keys to the key enclave. The producer can attach custom, public[1] metadata to the confidential data. This can be used, for example, to later find relevant data without decrypting the ciphertext, to add data processing instructions, or to add access control information that the task enclave can enforce.

If the topic has a retention time configured, the Sharemind HI Server will regularly delete old data from it. Deleted data can no longer be downloaded by consumers, or used in the task enclaves.

Diagram

5. Consumer

Consumers use the Sharemind HI Client to download confidential data from the Sharemind HI Server. The confidential data is stored in encrypted form on the Sharemind HI Server, and is only decrypted in the Sharemind HI Client using the decryption keys from the key enclave and core enclave.

If the topic has a retention time configured, the Sharemind HI Server will regularly delete old data from it. Deleted data can no longer be downloaded.
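The producer and consumer paths described in sections 4 and 5, as an added example that is not Sharemind HI's code or API: a hypothetical Go model in which the producer's client encrypts each item under a fresh AES-256-GCM key, hands the key to a stand-in key enclave rather than to the server, and the consumer's client fetches ciphertext and key and decrypts locally. Binding the public metadata to the ciphertext as associated data is this example's design choice, not documented Sharemind HI behaviour; it means that metadata a task enclave might rely on for access control cannot be altered in storage without decryption failing. Per-topic retention is modelled by a purge that deletes items older than the topic's retention time, after which download fails. The type names, the sample record, the topic names and the timestamps are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"time"
)

// Record is what the server stores per item: ciphertext plus the producer's public metadata, never the key.
type Record struct {
	Topic         string
	Metadata      map[string]string
	Nonce, Cipher []byte
	Uploaded      time.Time
}

// KeyEnclave stands in for the key enclave that holds the per-item keys (hypothetical model).
type KeyEnclave map[string][]byte

// Server models topic storage and per-topic retention on the server (hypothetical model).
type Server struct {
	records   map[string]*Record
	retention map[string]time.Duration // per topic; zero means keep forever
	nextID    int
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload is the producer side: a fresh key per item, AES-GCM with the public metadata
// bound as associated data, and the key handed to the key enclave instead of the server.
func (s *Server) Upload(ke KeyEnclave, topic string, plain []byte, meta map[string]string, now time.Time) (string, error) {
	buf := make([]byte, 32+12) // key || nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	aad, _ := json.Marshal(meta) // map keys are emitted sorted, so the AAD is deterministic
	s.nextID++
	id := fmt.Sprintf("data-%d", s.nextID)
	s.records[id] = &Record{Topic: topic, Metadata: meta, Nonce: nonce, Cipher: gcm.Seal(nil, nonce, plain, aad), Uploaded: now}
	ke[id] = key
	return id, nil
}

// Download is the consumer side: fetch ciphertext and key, decrypt in the client.
func (s *Server) Download(ke KeyEnclave, id string) ([]byte, error) {
	rec, ok := s.records[id]
	if !ok {
		return nil, errors.New("not available (never uploaded, or deleted by retention): " + id)
	}
	gcm, err := gcmFor(ke[id])
	if err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(rec.Metadata)
	return gcm.Open(nil, rec.Nonce, rec.Cipher, aad) // fails if metadata or ciphertext was changed
}

// Purge deletes items older than their topic's retention time.
func (s *Server) Purge(now time.Time) (deleted int) {
	for id, rec := range s.records {
		if d := s.retention[rec.Topic]; d > 0 && now.Sub(rec.Uploaded) > d {
			delete(s.records, id)
			deleted++
		}
	}
	return deleted
}

func main() {
	ke := KeyEnclave{}
	srv := &Server{records: map[string]*Record{}, retention: map[string]time.Duration{"readings": 24 * time.Hour}}
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	id, err := srv.Upload(ke, "readings", []byte("heart_rate=72"), map[string]string{"site": "clinic-a"}, t0) // constructed sample
	if err != nil {
		log.Fatal(err)
	}
	plain, err := srv.Download(ke, id)
	fmt.Printf("consumer read %q (err=%v)\n", plain, err)
	fmt.Printf("purged %d item(s) after 25h\n", srv.Purge(t0.Add(25*time.Hour)))
	_, err = srv.Download(ke, id)
	fmt.Println("download after purge:", err)
}
```

The server only ever handles ciphertext, nonce and metadata; the key lives in the key enclave map, which is the separation the page describes. The AAD binding is what turns a silently swapped metadata value into a decryption error on the consumer side.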

Diagram

6. Task Runner

The task runner can invoke a task enclave to perform the analysis. There are two ways a task runner can do this:

Asynchronous Invocation - "Starting a Batch Process"

This action, Task Run, is meant to be used in situations where at least one of the following is true:

  • The task is expected to take at least one second to process.

  • The task runner themselves wants to provide more than a couple of KiB of confidential or public data.

  • The task creates more than a couple of KiB of output data.

Synchronous Invocation - "Querying the Task Enclave"

This action, Task Query, is meant to be used for requests which should be answered as quickly as possible, in the sub-second range.

6.1. Task Run

The task enclave is invoked asynchronously from the perspective of the task runner, to run a long-running, batch-like process. Stakeholders can wait synchronously for the task enclave to finish its computation with the Task Wait action. When the task invocation has finished, metadata about it is stored in the core enclave[2] and can be queried through the Task Status action.

The task runner can supply public[3] arguments to the invocation of the task enclave. Confidential data can only be transported through topics (but the Data IDs of uploaded confidential data can be passed as public arguments).

If the task enclave writes to a topic, the Task Status action can be used to display the respective topic names and data IDs.

Diagram

6.2. Task Query

The task runner lazily creates a session with the task enclave and, within a single round trip, sends confidential and public input, waits for the task invocation to complete, and receives the confidential outputs. For scenarios where the task enclave must process tiny payloads in sub-second time, Task Query is a much better tool than Task Run.

Diagram

7. Generic Actions

7.1. Task Status

The Task Status action shows information about the current state of a specific task enclave invocation. The possible states are PENDING, RUNNING, FINISHED and FAILED. Querying the status of a task is allowed for all stakeholders, but it requires knowledge of the ID of the specific task instance.

In addition to the status, the Task Status action shows the following public metadata of the task:

  • the task arguments,

  • the runner of the task,

  • the output topic and data ID of any data written to a topic by the task,

  • the timestamp of starting the enclave,

  • the error message, if the enclave failed.

7.2. Task Wait

The Task Wait action blocks until a specific task enclave stops running. Waiting for a task to complete is allowed for all stakeholders, but it requires knowledge of the ID of the specific task instance.
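The status states and the blocking wait of sections 7.1 and 7.2, as an added example that is not Sharemind HI's code or API: a hypothetical Go model of one task invocation that enforces the PENDING, RUNNING, FINISHED or FAILED progression, records the public metadata listed above (arguments, runner, outputs, start time, error message), and lets a stakeholder block in Wait until the task stops running. The lookup by task ID that the real actions require is left out of the model; the sample runner name, arguments and output reference are constructed.

```go
package main

import (
	"fmt"
	"log"
	"sync"
	"time"
)

// State is the task state reported by the Task Status action.
type State string

const (
	Pending  State = "PENDING"
	Running  State = "RUNNING"
	Finished State = "FINISHED"
	Failed   State = "FAILED"
)

// TaskStatus is the public metadata the Task Status action exposes for one invocation.
type TaskStatus struct {
	State   State
	Runner  string
	Args    []string
	Started time.Time
	Outputs map[string]string // topic name -> data ID written by the task
	Error   string            // set only when the enclave failed
}

// Task models the core enclave's record of one invocation (hypothetical model; the
// lookup by task ID that the real actions require is left out).
type Task struct {
	mu     sync.Mutex
	status TaskStatus
	done   chan struct{} // closed once the task has stopped running
}

func NewTask(runner string, args []string) *Task {
	return &Task{status: TaskStatus{State: Pending, Runner: runner, Args: args}, done: make(chan struct{})}
}

// transition enforces PENDING -> RUNNING -> FINISHED|FAILED and wakes waiters once the task stops.
func (t *Task) transition(from, to State, update func(*TaskStatus)) error {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.status.State != from {
		return fmt.Errorf("cannot move from %s to %s", t.status.State, to)
	}
	t.status.State = to
	update(&t.status)
	if to == Finished || to == Failed {
		close(t.done)
	}
	return nil
}

func (t *Task) Start(at time.Time) error {
	return t.transition(Pending, Running, func(s *TaskStatus) { s.Started = at })
}

func (t *Task) Finish(outputs map[string]string) error {
	return t.transition(Running, Finished, func(s *TaskStatus) { s.Outputs = outputs })
}

func (t *Task) Fail(msg string) error {
	return t.transition(Running, Failed, func(s *TaskStatus) { s.Error = msg })
}

// Status is the Task Status action: a snapshot of the public metadata.
func (t *Task) Status() TaskStatus {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.status
}

// Wait is the Task Wait action: block until the task stops running, then return its final status.
func (t *Task) Wait() TaskStatus {
	<-t.done
	return t.Status()
}

func main() {
	task := NewTask("analyst", []string{"--month", "2024-01"}) // constructed sample arguments
	waited := make(chan TaskStatus, 1)
	go func() { waited <- task.Wait() }() // a stakeholder blocks in Task Wait until the task stops
	fmt.Println("finish while PENDING:", task.Finish(nil)) // rejected by the state guard
	if err := task.Start(time.Now()); err != nil {
		log.Fatal(err)
	}
	if err := task.Finish(map[string]string{"results": "data-7"}); err != nil { // constructed output reference
		log.Fatal(err)
	}
	fmt.Printf("waiter received: %+v\n", <-waited)
}
```

The guard in transition is what keeps the state machine honest: a task cannot be finished or failed twice, the done channel is closed exactly once, and every waiter sees the same final snapshot that a later Task Status call would return.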


1. This metadata can be read by all users in the system. In the future it may become readable to the Sharemind HI Server administrator, too.
2. This metadata can accumulate over time, hence it is recommended to configure a reasonable retention time in the dataflow configuration file (Task.DataRetentionTime).
3. These arguments can be read by all users in the system. In the future it may become readable to the Sharemind HI Server administrator, too.