(Feature) Freeze Authorizations

[uvdsl]

At Hackathon 4 [1], we discussed a potential "freeze" feature for authorizations.

The idea:
Instead of revoking/deleting access rights upon termination of business relations,
participants need to be able to still access the data for legal reasons (Aufbewahrungspflicht).

While trying to implement the idea,
I ran into conceptual questions and would like to discuss and clarify how the feature should work.

My understanding:
Given the access authorizations of some access request,
any current data authorization is to be replaced with a new data authorization that

• only contains acl:Read rights
• only covers data instances that are currently given access to (either directly or indirectly via acl:default of data registrations)
  So, we need to do the same copy/update/paste stuff as for an update of an access authorization here.

Then, we also need to update the access authorizations because the links to the data authorizations changed.
(Similar to the revocation case)

Is my understanding here correct, did I miss something?

[1] https://docs.google.com/document/d/1Q_VCChtPjwXGNRU9Yn9pJJM1-RCnFrYQuh_sZb_t2MQ/edit