These user stories are designed to evoke the benefits and value of various UMA protocol features, paint a fuller picture of potential user experiences, and highlight security needs. Rows in which epics (tightly bound collections of stories) are defined have the epic title in bold. Rows in which regular individual stories are defined have the story title in bold. Rows that have the story title in italic are "negative" user stories, in which a malicious party is seeking to do something that must be avoided; in these cases the "How to measure" column is stated as a mitigation of the risk. Click on the column headers to sort on them.


  • Access sought by the requesting user (person-to-person sharing), requesting entity (person-to-service sharing), requesting entity rep (person-to-service sharing with UX needed on the requesting side), and authorizing user as requesting user (person-to-self sharing)
  • Assign persistent numbers to the stories, in addition to auto-numbering sorted versions of the rows?
  • Negative story: malicious host correlating same user's activities across hosts (related to DP9, R3)
  • Gather promises/claims stories into claims epic: share selectively based on dynamically provided characteristics of requesting party (stories: AM requests claims based on policy; requester conveys claims on requesting party's behalf; user manages sets of characteristics/criteria, including ACLs of identities; optional Claims 2.0 stuff...) – related to R0b
  • Epic for accessing resource if authorized (stories: requester presents access token; move negative story about fraudulent access here; host validates token with AM's help; liability concerns)
  • Add trusted claims story in post-1.0 backlog?
  • Add story about resource baskets/grouping of scoped resources at AM?