🤖 AI Summary
To address the challenge of fine-grained access control in multi-stakeholder, cross-domain data spaces—where semantic-aware advanced querying and event subscription must coexist with data sovereignty, interoperability, and trust—this paper proposes a decentralized policy management architecture integrating Verifiable Credentials (VCs). Our approach unifies policy-as-code, semantic policy modeling, event-driven authorization, and dynamic policy evaluation for the first time, enabling distributed policy governance and real-time semantic authorization. Evaluated on a real-world prototype system, it achieves sub-50 ms policy evaluation latency, throughput of over one million fine-grained authorizations per second, and 99.8% accuracy in event subscription authorization. The architecture significantly strengthens autonomous data sovereignty and the functional expressiveness of access control.
📝 Abstract
Data spaces represent an emerging paradigm that facilitates secure and trusted data exchange through foundational elements of data interoperability, sovereignty, and trust. Within a data space, data items, potentially owned by different entities, can be interconnected. Concurrently, data consumers can execute advanced data lookup operations and subscribe to data-driven events. Achieving fine-grained access control without compromising functionality presents a significant challenge. In this paper, we design and implement an access control mechanism that ensures continuous evaluation of access control policies, is data semantics aware, and supports subscriptions to data events. We present a construction where access control policies are stored in a centralized location, which we extend to allow data owners to maintain their own Policy Administration Points. This extension builds upon W3C Verifiable Credentials.