User-Managed Access: The BLT Sandwich – Business, Legal, Technical – Use Cases Mappings

From IIW

User Managed Access: The BLT Sandwich


Tuesday 4D 1I

Convener: Eve Maler

Notes-taker(s): Scott Fehrman


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


The UMA work has business, legal, and technical aspects. That's what the "BLT sandwich" (business, legal, technical use cases mapping) is about. In this session:

  • We reviewed how UMA works in light of OAuth and OpenID Connect (for more, see the UMA Introduction session notes).
  • We presented the new draft formal model of UMA-related legal parties, such as Data Subject Agent and Authorization Server Operator, and the way they can delegate and license abilities and rights to other such parties — we plan for this to drive boilerplate legal text that would be available through CommonAccord.org.
  • We discussed real-life scenarios such as when mother Alice manages who gets access to newborn Johnny’s medical records and then he goes through different life stages.
  • The goal is to improve liability apportionment and individual empowerment through auditability and possibly even tools like smart contracts.
  • This slide deck was presented.

Quick overview ...

  • OAuth is for constrained delegation to apps ... the OAuth “dance”
  • OpenID Connect does modern-day federation
    • OAuth-protected identity API, plus a bit more
  • User Managed Access is for cross-party sharing
    • Next-gen delegation and consent to OAuth

Organizations have Resource Servers and want them to be sharable


Multiple resource servers can use a single authorization server


It’s now about Alice to Bob sharing


Think about Google Docs:

  • set up what you want to share
  • control who actually has access
  • revoke access

Use Case: Origo … implemented UMA 1.0, UK pensions dashboard (for more information, see this white paper, website, article, and video)

  • Discover all the pension accounts
  • Alice to Alice sharing, initially, pension dashboard client
  • One Authorization Server
  • Multiple Resource Servers
  • Alice can share with financial advisors … the Requesting Party
  • Selects what to share with whom

Recently published, draft report, UMA 2 Proposed licensing model (see also the new draft report) … Legal role definitions

Giving access can come with some usage constraints

Starting with legal relationship model

Common Accord model


UMA capabilities … align well to a "next-gen" permission taxonomy (for more info, see this talk):

  • Modes
    • Directed, Reactive, Long-Term
  • Methods
    • Concrete, Abstract
  • Controls
    • Scope, grantee, environment, usage (constraints can only be legally enforceable), downstream (constraints can only be legally enforceable unless resource owner and requesting party share an AS)

Attempt at a formal legal model … legal relationships: 

  • Persons
  • Delegation and licensing
  • Devices and artifacts

Scenario: Parent-child resource management

  • Stage One: Mother and newborn child, offline
  • Stage Two: Child old enough to use on-line services
  • Stage Three: Child no longer needs legal guardian (age related to resources)

Need for more Identity Relationship Management capabilities 

Digital death … who has control of on-line data after biological death

https://youtube/LjWPyy94NgA