What is ESS?
Explore the Enterprise Solid Server. We start by defining what it is, and then dive into its components pertaining to the Pod Lifecycle, Authentication, Authorization, and Data management.
Hi, my name is Yulia, and I'm a curriculum engineer at Inrupt.
In this video we'll discuss the Enterprise Solid Server. We'll start by defining what it is, and then dive into its components pertaining to the Pod Lifecycle, Authentication, Authorization, and Data Management.
Enterprise Solid Server, or ESS, is a data infrastructure product that enables an organization to deploy and manage a Solid-compliant server solution.
This infrastructure provides an organization the capabilities to create and securely host millions of Solid Pods. We discussed Pods in our earlier videos. To learn more about Solid Pods, check out the links in the description.
Pods allow for greater data quality, interoperability, regulatory compliance, and the ability for users and other entities to access, update, and share the data to best personalize their experiences.
By implementing the Solid Protocol, ESS provides an entity-centric method of storing, protecting, querying, and sharing data. It supports multiple storage solutions, and uses standard infrastructure and technology, such as Kubernetes and Kafka. This means that it can seamlessly integrate into most existing tech infrastructures and operational practices.
How does it all work? We can categorize the ESS services into three groups: Pod Lifecycle, Authentication and Authorization, and Data Management.
The Pod Lifecycle category includes the services responsible for signup and login, and for the creation of Pods and WebIDs. Inrupt has a developer sandbox deployment of ESS, called PodSpaces, which we will use to see these services in action in the following video, where we learn more about WebIDs and create our own Pod.
Authentication and Authorization in ESS are handled by a variety of services that are responsible for integrating identity providers, managing authorization policies and Access Grants, and managing which applications are allowed to interact with ESS in which ways. This suite of services enables things like user-managed consent and access controls, and service allow and deny lists.
Specifically, when setting up the authentication services in ESS, the service provider configures which identity provider they want their users to use, and which applications are trusted to be a part of their ecosystem.
When it comes to deciding on an identity provider, multiple trusted services can be defined within ESS using any existing OIDC-compliant provider such as Okta, Auth0, Google, Facebook, Keycloak, Cognito, or others. This means that organizations deploying ESS can connect their existing OIDC-compliant identity provider services to Solid WebIDs, allowing end users to seamlessly reuse their existing accounts to use Solid Pods, enabling single sign-on across the Solid ecosystem.
We also mentioned service allow and deny lists. An ESS operator can configure the system to only allow approved or certified applications to interact with or request data directly from a user's Pod. This ensures that sensitive Pod data cannot be leaked or accidentally disclosed to untrusted entities.
Last but not least in the ESS Authorization suite of capabilities are user-managed consent and access controls. Let's take a medical data Pod as an example of users having the right access to the appropriate subsets of the Pod. A primary care doctor could have read and write access to a patient's Pod, which would allow them to prescribe medications and record their diagnosis. Meanwhile, a nurse might only have read access to some resources and no access to others: they could see what prescriptions the patient is currently taking, but could not prescribe medications or issue an official diagnosis.
The Authorization set of ESS services allows developers to implement this and other access patterns, such that both the primary care physician and the nurse are able to provide their services and have the correct permissions to the patient’s Pod data.
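The layered checks described in the last few paragraphs (a set of trusted identity providers, an application allow list, and per-resource access controls for individual agents) can be modelled as a single default-deny decision function. The block below is an added example written for this page; it is not ESS code and does not use ESS's policy language or API. The issuer, client, WebID and path values are constructed placeholders, and the two policies encode the doctor/nurse pattern from the medical Pod example.

```python
# Added example (not ESS code): a default-deny access-decision function that
# models three authorization layers: trusted identity providers, an
# application allow list, and per-resource policies for agents.
# All names, URLs and paths below are constructed placeholders.
from __future__ import annotations

from dataclasses import dataclass
from posixpath import normpath

READ, WRITE = "read", "write"

# Placeholder deployment configuration (constructed, not real endpoints).
TRUSTED_ISSUERS = frozenset({"https://idp.example-hospital.test"})
ALLOWED_CLIENT_IDS = frozenset({"https://ehr.example-hospital.test/app-id"})

# Placeholder WebIDs for the two agents in the medical Pod example.
DOCTOR = "https://id.example-hospital.test/dr-smith#me"
NURSE = "https://id.example-hospital.test/nurse-lee#me"


@dataclass(frozen=True)
class Policy:
    """Grants `modes` to `agent` on `container` and everything beneath it."""
    container: str
    agent: str
    modes: frozenset


# The doctor may read and write the whole medical tree; the nurse may only
# read prescriptions. There is no policy at all for the nurse on diagnoses,
# which under default deny means no access.
POLICIES = (
    Policy("/medical/", DOCTOR, frozenset({READ, WRITE})),
    Policy("/medical/prescriptions/", NURSE, frozenset({READ})),
)


@dataclass(frozen=True)
class Request:
    issuer: str      # OIDC issuer that authenticated the agent
    client_id: str   # application acting on the agent's behalf
    webid: str       # the agent's WebID
    resource: str    # path inside the Pod
    mode: str        # READ or WRITE


def covers(policy: Policy, resource: str) -> bool:
    """True if `resource` is the policy's container or lies beneath it.

    The path is normalised first so that `..` segments cannot be used to
    reach a sibling container the policy does not cover.
    """
    path = normpath(resource)
    return path == policy.container.rstrip("/") or path.startswith(policy.container)


def decide(req: Request,
           trusted_issuers: frozenset = TRUSTED_ISSUERS,
           allowed_clients: frozenset = ALLOWED_CLIENT_IDS,
           policies: tuple = POLICIES) -> tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass, and nothing is
    granted unless some policy explicitly grants the requested mode."""
    if req.issuer not in trusted_issuers:
        return False, "untrusted identity provider"
    if req.client_id not in allowed_clients:
        return False, "application not on allow list"
    for policy in policies:
        if (policy.agent == req.webid
                and covers(policy, req.resource)
                and req.mode in policy.modes):
            return True, f"granted by policy on {policy.container}"
    return False, f"no policy grants {req.mode} on {normpath(req.resource)}"


if __name__ == "__main__":
    issuer, app = "https://idp.example-hospital.test", "https://ehr.example-hospital.test/app-id"
    for req in (
        Request(issuer, app, DOCTOR, "/medical/diagnoses/2024-01-15", WRITE),
        Request(issuer, app, NURSE, "/medical/prescriptions/current", READ),
        Request(issuer, app, NURSE, "/medical/prescriptions/current", WRITE),
        Request(issuer, app, NURSE, "/medical/prescriptions/../diagnoses/2024-01-15", READ),
        Request("https://untrusted-idp.example", app, DOCTOR, "/medical/", READ),
        Request(issuer, "https://unknown-app.example/id", DOCTOR, "/medical/", READ),
    ):
        print(req.webid.rsplit("/", 1)[-1], req.mode, req.resource, "->", decide(req))
```

The order of the checks matters for a deployment: the issuer and application checks fail closed before any resource policy is consulted, so a misconfigured or missing policy can only ever deny, never grant. The path normalisation in `covers` is the kind of edge case a real policy engine has to handle; in this model a request for `/medical/prescriptions/../diagnoses/...` by the nurse is correctly denied.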
Finally, there are the data management services, which include storage, notifications, auditing, and querying. Each of these does exactly what its name suggests: the storage service provides the APIs for CRUD operations on stored data, the notifications service enables applications to subscribe and receive notifications in real time when data changes, the auditing service audits all the ESS services, and the query service creates and maintains an index and provides querying functionality.
Now that we've done an overview of the Enterprise Solid Server and its services, let's recap what we've discussed in this video.
ESS is a cloud-agnostic data infrastructure product that enables an organization to deploy and manage a Solid-compliant server solution. This infrastructure provides an organization the capabilities to create and securely host millions of Solid Pods, creating a direct channel of communication with each user or entity via accurate, always up-to-date data, with consent.
ESS builds on widely adopted technologies familiar to operations teams for persisting data and managing production deployments.
We can categorize the ESS services into three groups: Pod Lifecycle, Authentication and Authorization, and Data Management.
ESS introduces a lot of new capabilities that are not available in most data services today: a user-centric model with user-managed consent and access controls, application and identity provider allow and deny lists, and visibility into data use.
All of these capabilities are tunable and configurable in a fine-grained way, so that ESS can conform to a wide spectrum of policies, regulations, and business models. ESS service providers can change and adjust these capabilities depending on their use cases, the type of data being managed, and the nature of the service they are providing.
See you in the next video where we'll dive into WebIDs, and get our own Solid Pods to explore.