elering-3

Authenticate data users

1. Description of the Use Case

1.1. Name of the Use Case

| ID | Area / Domain(s) / Zone(s) | Name of the Use Case |
|---|---|---|
| 1 | Access to data, Market for flexibilities, Operational planning and forecasting, Services related to end customers, Balance management | elering-3 |

1.2. Version Management

| Version No. | Date | Name of author(s) | Changes | Approval status |
|---|---|---|---|---|
| 1 | 2018-04-12T00:00:00 | Kalle Kukk (Elering) | | |
| 2 | 2018-06-01T00:00:00 | Kalle Kukk (Elering), Georg Rute (Elering) | | |
| 3 | 2018-06-28T00:00:00 | Ricardo Jover (EDF), Eric Suignard (EDF) | | |
| 4 | 2018-07-02T00:00:00 | Ricardo Jover (EDF), Eric Suignard (EDF) | | |
| 5 | 2018-08-10T00:00:00 | Ricardo Jover (EDF), Eric Suignard (EDF) | | |
| 6 | 2018-08-19T00:00:00 | Ricardo Jover (EDF), Eric Suignard (EDF) | “Delegated Authentication” changed into “Representation Rights” | |
| 7 | 2018-08-02T00:00:00 | Eric Suignard (EDF) | | |
| 8 | 2018-09-21T00:00:00 | Eric Suignard (EDF), Ricardo Jover (EDF) | Remarks from Innogy, Elering (Automatic process for DEP, without Operator) and EirGrid. | |
| 9 | 2018-10-04T00:00:00 | Eric Suignard (EDF) | Version post WP5&9 physical meeting in Tallinn | |
| 10 | 2018-10-17T00:00:00 | Eric Suignard (EDF) | Version reviewed by WP5&9 partners | |
| 11 | 2019-05-07T00:00:00 | Eric Suignard (EDF) | WP6-7-8 demos alignment and miscellaneous changes | |
| 12 | 2020-06-16T00:00:00 | Eric Suignard (EDF) | innogy’s and Elering’s review | |

1.3. Scope and Objectives of Use Case

Scope: Access to private data and other information with restricted access through a Customer Portal and a Data Exchange Platform only to authorized users
Objective(s): Support easy but secure access to data
Related business case(s):

1.4. Narrative of Use Case

Short description

All data users need to be authenticated to a Customer Portal before having access to a Data Exchange Platform (DEP), for the exchange of individual metering data (private data) or any other information with restricted access.

Complete description

1.5. Key Performance Indicators (KPI)

| ID | Name | Description | Reference to mentioned use case objectives |
|---|---|---|---|

1.6. Use case conditions

Assumptions
eIDAS (electronic IDentification, Authentication and trust Services) regulation and its trust levels shall be applied
Prerequisites
National or platform specific identification infrastructure – ID card, dedicated password, internet bank link, etc.

1.7. Further information to the use case for classification/mapping

Relation to other use cases
Level of depth
Prioritisation
Generic, regional or national relation
Nature of the use cases: SUC
Further keywords for classification

1.8. General remarks

General remarks

2. Diagrams of Use Case

[Figure: Authenticate data users - overview]
[Figure: Authenticate data users - scenarios flowchart]

3. Technical Details

3.1. Actors

| Actor Name | Actor Type | Actor Description | Further information specific to this Use Case |
|---|---|---|---|
| Customer Portal Operator | Business | Operates a Customer Portal. | |
| Authentication Service Provider | Business | Trust authority. Verifies the identity of authenticating parties. Some countries will have their own authentication service provider. For countries which will not, there may be a more global and to be defined one. | |
| Data Owner | Business | Any person who owns data and can give authorization to other parties to access them. Can be, inter alia: Flexibility Services Provider; Market Operator; Consumer; Generator. | |
| Data Delegated Third party | Business | Any natural person who has received representation rights from a data owner. | |
| Foreign Customer Portal | System | Customer Portal for another country. Can also mean a separate portal in the same country. | |
| Customer Portal | System | Customer Portal manages data users' authentication, access permissions and data logs. Customer Portals store data related to their services (e.g. authentication information, representation rights, access permissions, data logs). | |
| Data Exchange Platform | System | Data exchange platform (DEP) is a communication platform the basic functionality of which is to secure data transfer (routing) from data providers (e.g. data hubs, flexibility service providers, TSOs, DSOs) to the data users (e.g. TSOs, DSOs, consumers, suppliers, energy service providers). DEP stores data related to its services (e.g. cryptographic hash of the data requested). The DEP does not store core energy data (e.g. meter data, grid data, market data) while these data can be stored by data hubs. Several DEPs may exist in different countries and inside one country. | |
| DEP Operator | Business | Data exchange platform operator owns and operates a communication system whose basic functionality is data transfer. | |

3.2. References

| No. | References Type | Reference | Status | Impact on Use Case | Originator / Organisation | Link |
|---|---|---|---|---|---|---|

4. Step by Step Analysis of Use Case

4.1. Overview of Scenarios

| No. | Scenario Name | Primary Actor | Triggering Event | Pre-Condition | Post-Condition |
|---|---|---|---|---|---|
| 1 | Authentication process and representation rights delegation | | | | |

Scenario Description:

Any person needing access to personal or commercial data needs to be authenticated to a Customer Portal to have access to the data via a DEP – either logging in through a Customer Portal or through a third-party application connected to a DEP.

This may involve:
  • Consumer’s/generator’s access to own consumption/generation data;
  • Access to a person’s data by another person who has received representation rights from data owner.

After authenticating himself/herself, the data owner (e.g. electricity consumer is the owner of its consumption data) can give representation rights to any other person who can then act on behalf of the data owner.

Customer Portal operator checks the validity of the representation rights. If a representation right is given to a person in another country, then the Customer Portal operators of the involved countries share the information about representation rights between themselves.

After authenticating himself/herself, the person who has received the representation rights can see whom he/she is representing and act on behalf of the data owner.

Notes

4.2. Steps – Scenarios

Scenario Name:
Authentication process and representation rights delegation
| Step No. | Event | Name of Process/Activity | Description of Process/Activity | Service | Information Producer (Actor) | Information Receiver (Actor) | Information Exchanged | Requirements, R-ID |
|---|---|---|---|---|---|---|---|---|
| 1.1 | | Authenticate | Authentication means may include ID-card, mobile-ID or bank link. Information associated to authentication process may include name, surname and ID-code of individual customers; company name and registry code of corporate customers as well as name, surname and ID-code of their representatives. Modsarus Use Case::InstanceName=Authenticate Information | | a17749ef-fb35-4331-9275-eaadfad82b36 | baa61f8b-bde4-4008-820b-bfad5a7150f6 | Authenticate Information | Req6 |
| 1.2 | | Verify Logging Identification | Modsarus Use Case::InstanceName=Authenticate Information | | baa61f8b-bde4-4008-820b-bfad5a7150f6 | 9488169b-e952-4818-b0f0-d417cf25f11b | Authenticate Information | Req1, Req2, Req3, Req4, Req5 |
| 1.3 | | Verify Identity | Verifies the identity of authenticating parties. | | 9488169b-e952-4818-b0f0-d417cf25f11b | | | Req1, Req2, Req3, Req4, Req5 |
| 1.4 | | Give access to data | Modsarus Use Case::InstanceName=Authenticate access | | 4e694b8b-e0eb-4b2a-ae7a-1bcb6f656385 | a17749ef-fb35-4331-9275-eaadfad82b36, baa61f8b-bde4-4008-820b-bfad5a7150f6, bd6ead6c-b65f-44e5-b686-9c9456170f0a | Authenticate Information | Req1, Req2, Req3, Req4, Req5 |
| 1.5 | | Access to Own Data | | | a17749ef-fb35-4331-9275-eaadfad82b36 | | | Req1, Req2, Req3, Req4, Req5 |
| 1.6 | | Delegate Representation Rights | A data owner gives representation rights for data per consumption/generation point. He/she can also select types of data (e.g. historical consumption/generation data, sub-meter data, operational data) for which he/she gives representation rights. He/she selects the persons to whom he/she gives representation rights. Modsarus Use Case::InstanceName=Representation Rights | | a17749ef-fb35-4331-9275-eaadfad82b36 | baa61f8b-bde4-4008-820b-bfad5a7150f6 | Representation Rights | Req1, Req2, Req3, Req4, Req5 |
| 1.7 | | Register Representation Rights | Modsarus Use Case::InstanceName=Representation Rights | | baa61f8b-bde4-4008-820b-bfad5a7150f6 | baa61f8b-bde4-4008-820b-bfad5a7150f6, 5351ac19-9ec2-47b9-9ead-4a28907df045 | Representation Rights | Req1, Req2, Req3, Req4, Req5 |
| 1.8 | | Verify Representation Rights | Customer Portal operator checks the validity of the representation rights. Modsarus Use Case::InstanceName=Representation Rights | | baa61f8b-bde4-4008-820b-bfad5a7150f6 | baa61f8b-bde4-4008-820b-bfad5a7150f6 | Representation Rights | Req1, Req2, Req3, Req4, Req5 |
| 1.9 | | Verify Representation Rights in a Foreign Country | If the representation right is given to a person in another country, then the Customer Portal operators of the involved countries share the information about representation rights between themselves. Modsarus Use Case::InstanceName=Representation Rights | | 5351ac19-9ec2-47b9-9ead-4a28907df045 | baa61f8b-bde4-4008-820b-bfad5a7150f6 | Representation Rights | Req1, Req2, Req3, Req4, Req5 |
| 1.10 | | Notify Representation Rights | Modsarus Use Case::InstanceName=Authenticate Information | | baa61f8b-bde4-4008-820b-bfad5a7150f6 | baa61f8b-bde4-4008-820b-bfad5a7150f6 | Authenticate Information | Req1, Req2, Req3, Req4, Req5 |
| 1.11 | | Authenticate | Modsarus Use Case::InstanceName=Authenticate Information | | bd6ead6c-b65f-44e5-b686-9c9456170f0a | baa61f8b-bde4-4008-820b-bfad5a7150f6 | Authenticate Information | Req6 |
| 1.12 | | Access to Delegated Data | | | bd6ead6c-b65f-44e5-b686-9c9456170f0a | | | Req1, Req2, Req3, Req4, Req5 |
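
The access decision behind steps 1.5 to 1.8 and 1.12, sketched as an added example that is not part of the use case or of any partner's implementation. The class and field names, the `valid_until` end date used to model "validity", and the sample identifiers are assumptions; `authenticated_id` is assumed to be an identity already verified in steps 1.1 to 1.3.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RepresentationRight:            # hypothetical record; not defined by the use case
    owner_id: str                     # data owner who delegates (step 1.6)
    delegate_id: str                  # person receiving the representation right
    metering_point: str               # rights are given per consumption/generation point
    data_types: frozenset             # e.g. {"historical", "sub-meter", "operational"}
    valid_until: date                 # assumption: validity modelled as an end date

class CustomerPortal:
    def __init__(self, points):
        self.points = dict(points)    # metering_point -> owner_id
        self.rights = []              # registered representation rights (step 1.7)

    def register(self, right, authenticated_id):
        # Only the authenticated owner of the point may delegate rights on it.
        owner = self.points.get(right.metering_point)
        if owner is None or owner != authenticated_id or right.owner_id != owner:
            raise PermissionError("only the data owner can delegate this point")
        self.rights.append(right)

    def may_access(self, authenticated_id, metering_point, data_type, today):
        """Steps 1.5, 1.8 and 1.12: allow own data or a matching valid right."""
        owner = self.points.get(metering_point)
        if owner is None:
            return False              # unknown point: deny by default
        if owner == authenticated_id:
            return True               # access to own data
        return any(r.delegate_id == authenticated_id and r.owner_id == owner
                   and r.metering_point == metering_point
                   and data_type in r.data_types and today <= r.valid_until
                   for r in self.rights)

def demo():
    # Constructed sample data: one owner with two points, one delegate.
    portal = CustomerPortal({"MP-001": "owner-A", "MP-002": "owner-A"})
    portal.register(RepresentationRight("owner-A", "delegate-B", "MP-001",
                                        frozenset({"historical"}), date(2030, 12, 31)),
                    authenticated_id="owner-A")
    day = date(2030, 6, 1)
    return {
        "owner_own_data": portal.may_access("owner-A", "MP-002", "operational", day),
        "delegate_in_scope": portal.may_access("delegate-B", "MP-001", "historical", day),
        "delegate_other_type": portal.may_access("delegate-B", "MP-001", "operational", day),
        "delegate_other_point": portal.may_access("delegate-B", "MP-002", "historical", day),
        "delegate_expired": portal.may_access("delegate-B", "MP-001", "historical", date(2031, 1, 1)),
    }

if __name__ == "__main__":
    print(demo())
```

The delegate is allowed only for the exact point and data type the owner selected; every other combination, including an expired right, is denied.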

5. Information Exchanged

| Information exchanged ID | Name of Information | Description of Information Exchanged | Requirement |
|---|---|---|---|
| 79077332-56bd-437e-8295-63b9a9dab5bd | Authenticate Information | - | - |
| 2d556860-d3eb-4096-a4e9-da817e315002 | Representation Rights | - | - |

6. Requirements (optional)

| Category Identifier | Name | Description | mRID |
|---|---|---|---|
| Cat1 | Personal data | | bd1580a2-20b8-41fa-a8df-2ae6041bf604 |

| Identifier | Name | Description | mRID |
|---|---|---|---|
| Req1 | Access Citizen Right | Right to secure direct access of own personal data and to any processing, storage or sharing details | 2af6ad64-c90f-4bc9-aebd-7c01060f85c4 |

| Category Identifier | Name | Description | mRID |
|---|---|---|---|
| Cat2 | Task 5.3 | Requirements integrated from Task 5.3. | 1880e39c-7084-4785-8c02-297057abe312 |

| Identifier | Name | Description | mRID |
|---|---|---|---|
| Req2 | AUTH-REQ-3 | Ability to share information related to representation rights between data users and concerned Customer Portals | 5798483d-0d41-4eee-8923-e6104e0a5407 |
| Req3 | AUTH-REQ-4 | Ability to share authentication information between data users, Customer Portal and Authentication Service Provider | 61a984c8-570b-44ea-ae27-4ac6e8d539a4 |
| Req4 | AUTH-REQ-2 | Authentication tools | f92f957a-3da4-4c7a-b131-07c09c7c78f5 |
| Req5 | AUTH-REQ-1 | Right to access own data | 6274a294-499d-4bb6-9d98-ef3d0a488633 |

| Category Identifier | Name | Description | mRID |
|---|---|---|---|
| Cat3 | Functional | Functional requirements | 59e7899c-d9ee-4534-81a6-81b37dce5e81 |

| Identifier | Name | Description | mRID |
|---|---|---|---|
| Req6 | Authentication means | Authentication means may include ID-card, mobile-ID or bank link. <br/>Information associated to authentication process may include name, surname and ID-code of individual customers; company name and registry code of corporate customers as well as name, surname and ID-code of their representatives. | 1e05916d-6efd-4312-b48e-80cf75241cb5 |

7. Common Terms and Definitions

8. Custom Information (optional)

| Key | Value | Refers to Section |
|---|---|---|