Radio Frequency IDentification (RFID) is an emerging technology for use within supply chains to tag and track individual products. Each of a number of products (or assets such as transportation items, including boxes, pallets, roll cages, etc.) can be given a unique serialised identifier which is stored within the RFID tag and can be read by other parties. Each organisation can collect such product information and store it within its own data services (such as an EPCIS or “Electronic Product Code Information Service”) and use this information to optimise its own internal operations.
The collection of such product information is also heralded as enabling a new category of applications that use data from multiple organisations. Examples include the optimisation of the end-to-end supply path, and verifying the complete “pedigree” of a product (i.e. whether it has been received from a correct or approved source). To gain such benefit from serialised product data, each organisation must be willing to expose the data to a select group of other organisations. The release of data must generally be strictly controlled to only those parties that are trusted and have a legitimate agreed purpose for the data since the data may reveal confidential information about the organisation's operations.
A challenge involves how one organisation can establish such access rights to its own data for external organisations. This is particularly problematic because appropriate access control may need to be both fine-grained and dynamic. The access control may need to be fine-grained because individual products may flow along different paths through an end-to-end supply chain. Thus, while a distributor may wish to share information about a particular product with a particular retailer, it may not wish to share information about similar products that have been sent to different retailers. The access control may need to be dynamic because it is often impossible to define such access rights before the operation of the supply chain. A distributor, for example, may not know in advance which serialised products it will be receiving, and hence which data it will need access to from a manufacturer. Further, the distributor may not know which products it will then distribute to individual retailers, and hence which information it must share with such retailers.
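The contrast between a predefined, coarse rule and fine-grained, dynamic rights can be made concrete with a small sketch. This is an added example, not a mechanism described in the text: the event fields, party names, EPC values and the `static_class_policy` / `ItemLevelPolicy` names are all assumptions constructed for illustration.

```python
# Added illustration; EPCs, party names and event fields are constructed.
CLASS = "urn:epc:id:sgtin:0614141.107346"
EVENTS = [  # events a distributor might hold in its own data service
    {"epc": CLASS + ".2017", "step": "receiving", "partner": "manufacturer-a"},
    {"epc": CLASS + ".2018", "step": "receiving", "partner": "manufacturer-a"},
    {"epc": CLASS + ".2017", "step": "shipping", "partner": "retailer-x"},
    {"epc": CLASS + ".2018", "step": "shipping", "partner": "retailer-y"},
]


def static_class_policy(requester, events, approved, product_class):
    """Coarse, predefined rule: an approved partner sees every event of a product class."""
    if requester not in approved:
        return []
    return [e for e in events if e["epc"].startswith(product_class + ".")]


class ItemLevelPolicy:
    """Fine-grained, dynamic rule: rights are held per serialised item and
    are created only when an event shows the item going to a partner."""

    def __init__(self):
        self._grants = {}  # EPC -> set of parties allowed to read its events

    def record(self, event):
        if event["step"] == "shipping":
            self._grants.setdefault(event["epc"], set()).add(event["partner"])

    def visible(self, requester, events):
        return [e for e in events
                if requester in self._grants.get(e["epc"], set())]


def leaked_partners(requester, view):
    """Other downstream parties whose shipments the requester can see."""
    return {e["partner"] for e in view
            if e["step"] == "shipping" and e["partner"] != requester}


def demo():
    policy = ItemLevelPolicy()
    for event in EVENTS:  # rights appear as the supply chain operates
        policy.record(event)
    coarse = static_class_policy("retailer-x", EVENTS, {"retailer-x", "retailer-y"}, CLASS)
    fine = policy.visible("retailer-x", EVENTS)
    return leaked_partners("retailer-x", coarse), leaked_partners("retailer-x", fine)


if __name__ == "__main__":
    print(demo())
```

Under the class-level rule, retailer-x learns that a similar item went to retailer-y; under the item-level rule it sees only the events for the item it actually received.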