User-Managed Access: Why and How? - Access Control in Digital Contract Contexts

© 2016 ForgeRock. All rights reserved.
User-Managed Access:
Why and How?
Access Control in Digital Contract Contexts
Eve Maler
VP Innovation & Emerging Technology, ForgeRock
@xmlgrrl

From IAM to IRM
Digital business requires an identity-centric approach
Identity Access Management Identity Relationship Management
Customers
(millions)
On-premises
People
Applications
and data
PCs
Endpoints
Workforce
(thousands)
Partners and
Suppliers
Customers
(millions)
On-premises Public
Cloud
Private
Cloud
People
Things
(Tens of
millions)
Applications
and data
PCs PhonesTablets
Smart
Watches
Endpoints
Source: Forrester Research

The bits and bytes of identity, access, and
relationship management
UMA Provider Mobile App Synchronization Auditing
LDAPv3 REST/JSON
Replication Access Control
Schema
Management
Caching
Auditing
Monitoring
Groups
Password Policy
Active
Directory Pass-thru
Reporting
Authentication Authorization Provisioning User Self-Service Authentication OIDC / OAuth2
Federation / SSO User Self-Service Workflow Engine Reconciliation Password Replay SAML2
Adaptive Risk Stateless/Stateful Registration
Aggregated User
View
Message
Transformation
API Security Scripting
Built from Open Source Projects:
UMA Protector
Access Management Identity Management Identity Gateway
Directory Services
CommonRESTAPI
CommonUserInterface
CommonAudit/Logging
CommonScripting

We generally don’t
“do identity” just
for fun…
protect ion personalizat ion
payment

It’s a rare source of information that doesn’t
require serious permissioning for access

© 2016 ForgeRock. All rights reserved. 6
flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

flickr.com/photos/vincrosbie/16301598031/ CC BY-ND 2.0

What happens when businesses can’t form
trusted digital relationships with consumers?
• Revenue loss
• Brand damage
• Loss of trust
• Missing out on opportunities
• Compliance costs and penalties?
flickr.com/photos/delmo-baggins/3143080675 CC BY-ND 2.0

Why enable personal data sharing?
Let’s use Health Relationship Trust as an example

data quality
and accuracy
improved
clinical data
better care

Why ensure personal control of sharing?

To empower
individuals as
legal parties,
give them (us)
permissioning
tools

To empower individuals as legal
parties, give them permissioning tools
• Alice:
• Wants to grant access to her medical power of attorney:
• To spouse Bob: Persistently
• To her medical professionals: When setting up and going through a procedure
• To first responders: In an emergency situation
• Wants to sell access to her professional high-resolution photos:
• From a central control console: Operating across her several photo services
• Integrating to a variety of applications: To reach the widest market
• Incorporating a smart contract component: To enable fair, efficient agreement

How dire is the “consent tech” situation?
9 percent [of companies]
believe current methods (i.e., check
boxes, cookie acknowledgment)
used to ensure data privacy and
consent will be able to adapt to the
needs of the emerging digital
economy.
– ForgeRock global survey conducted by
TechValidate, 16 Mar 2016

The next generation of consent
standards is riding to the rescue
1. innovates
coarse-grained
consent withdrawal 2. leverages
OAuth for
portable identity
3. adds multi-party
delegation, finer-
grained withdrawal,
central console
4. profiles #1, #2, #3
and the FHIR API
for patient centricity
5. defines
consent receipts
6. codifies and
automates
legal docs
and consents

USER-MANAGED ACCESS
A new standard for data sharing and control
Regard for one's
wishes and
preferences
The true ability to
say no and change
one's mind
The ability to share
just the right
amount
The right moment
to make the
decision to share
Context Control
RespectChoice
http://tinyurl.com/umawg
http://tinyurl.com/umalegal
@UMAWG

authorization
server
resource
owner
requesting
party
client
manage
control
protect
delegate
revoke
authorize
manage
access
negotiate
deny
A demo scenario
resource
server
Sharing access to:
• Identity attributes
• Consumer health device
• Contract clauses
• …?

OAuth does
“RESTful WS-
Security,”
capturing user
consent for
app access
and respecting
its withdrawal
RS
resource
server
AS
authorization
server
C
client
Both servers are run by the
same organization;
RO goes to AS in each
ecosystem to revoke its
token
Standard OAuth
endpoints that
manage access
token issuance
API endpoints
that deliver the
data or other
“value-add”
App gets the consent
based on the API
“scopes” (permissions)
it requested; is uniquely
identified vs. the user
RO
resource
owner
Authorizes (consents) at run
time after authenticating

OpenID Connect Turns Single Sign-On
Into an OAuth-Protected Identity API
SAML 2, OpenID 2 OAuth 2 OpenID Connect
Initiating user’s login session
Collecting user consent
High-security identity tokens
Distributed/aggregated claims
Dynamic introduction (OpenID only)
Session management
No sessions
No identity tokens per se
No claims per se
Dynamic introduction (new)
No sessions
X
X
X
X
X
X
X
Initiating user’s login session
High-security identity tokens
Distributed/aggregated claims
Dynamic introduction
Session management (draft)

UMA adds
party-to-party,
asynchronous,
scope-grained
delegation and
control to
OAuth
Loosely coupled to enable
centralized authorization and a central
sharing management hub
Enables party-to-party sharing –
without credential sharing – driven
by “scope-grained” policy rather than
run-time opt-in consent
Tested for suitability through trust
elevation, e.g. step-up authn or
“claims-based access control”
(optionally using OIDC), captured in a
specially powerful access token borne
by the client
Subsidiary access tokens protect
UMA’s standardized endpoints and
represent each party’s authorization
(consent) to engage with the central
server

UMA technical vs. UMA legal
• The UMA protocol can accommodate
many “protected sharing scenarios”
• The legal layer of trust relationships is
in a parallel world where things can
look markedly different
• Parties map to UMA entities that
interact “on the wire”
• UMA is leveraging CommonAccord to
create model text for accelerating
“access federation” deployments

Draft definitions from
http://www.commonaccord.org/index.php?action=list&file=GH/KantaraInitiative/UMA-Text/

Grantee
Bob
CO
RSOASO
UC1: Alice is an online adult with legal
capacity
• Her resources at the RS relate
to her
• So she is the Resource Subject
• She controls access to those
resources herself at the AS
• So she is also the Grantor
• She shares the resources with
Bob
• So he is a Grantee
• More complication potentially to
come here
AS RS
Grantor
Alice
=
PAT
C
resource
owner
Alice
requesting
party
Bob
Resource
Subject
Alice
AAT

Grantee
Bob
CO
RSOASO
UC2: Alice is a guardian (proxy) for 2-
year-old Johnny
• His resources at the RS relate
to him
• So he is the Resource Subject
• But she controls access to
those resources at the AS
• So she is the Grantor
• She wants to share the
resources with Bob on
Johnny’s behalf
• Johnny has no access because
he is too young to do anything
with them for now
AS RS
Grantor
Alice
C
requesting
party
Bob
Resource
Subject
Johnny
AAT
PAT
resource
owner
Alice

Grantee
Susie
CO
RSOASO
UC3: Alice oversees 12-year-old Susie’s
online usage
• Susie’s resources at the RS relate to
her
• But Alice controls access to those
resources at the AS
• So she is the Grantor
• Alice shares the resources in
constrained fashion with Susie
• So Susie is a Grantee
• A narrow ecosystem would help for
additional downstream controls to be in
place
• Susie will eventually turn 13 and will be
able to control access to her own
resources
• Alice could be “kicked out” and Susie
allowed to set up a direct AS relationship
at that time, as a Grantor in her own right
(see UC1)
AS RS
Grantor
Alice
C
requesting
party
Susie
Resource
Subject
Susie
AAT
PAT
resource
owner
Alice

Grantee
Bob
CO
RSOASO
UC4: Alice is offline and gives paper sharing
directives to a government agency
• Alice’s resources at the RS relate to
her
• The agency controls access to those
resources at the AS
• It is the Grantor, by virtue of controlling
a “headless” account for Alice for this
purpose (see the NZ case study)
• Alice specifies how to share
resources with Bob etc.
• The agency configures the AS for her
• If Alice wants to take online control,
the agency gives her a login to the
account and steps out of the way
• No more proxying – she would become
her own Grantor (see UC1)
AS RS
Grantor
Gov
Agency
C
requesting
party
Bob
Resource
Subject
Alice
AAT
PAT
resource
owner
Gov
agency

Next challenge: model clauses enabling RSO
liability management given AS instructions
• The token says don’t give access:
• When can the RS give access?
• The token says give access:
• When can the RS deny access?
• Outside the UMA context:
• When can RS give access?
• Plus other juicy model text work:
• What are the reporting and notification requirements?
• How to enable jurisdictional and sectoral hooks?
• How to handle three-party relationships (PAT and AAT)?
• The same subtle split in the Requesting Party as in the Resource Owner

Thank You

User-Managed Access: Why and How? - Access Control in Digital Contract Contexts

More Related Content

What's hot (20)

Similar to User-Managed Access: Why and How? - Access Control in Digital Contract Contexts (20)

More from ForgeRock (20)

Recently uploaded (20)

User-Managed Access: Why and How? - Access Control in Digital Contract Contexts

Editor's Notes