[Wg-uma] Thinking in terms of requirements

Eve Maler eve at xmlgrrl.com
Fri Sep 18 08:27:21 PDT 2009

We've eased into the question of requirements slowly, allowing  
potential scenarios to accumulate first.  But we've all been starting  
to identify "distinctive aspects" of scenarios, and these can start to  
form the basis of requirements.  Where people are so inclined, maybe  
we can develop the habit of proposing potential ("pending")  
requirements as we go.  That way, Hasan can sweep them into a central  
location as they're proposed.

Here is a very tentative and incomplete set for the Calendar scenario;  
note that being the most "basic" use case, it's likely to drive lots  
more requirements than this, and I'll try to work on the list over  
time.  Thoughts?...

Host/AM separation: It must be possible to provide Host and AM  
functions in separate Web domains.

Resource orientation: User data access and service access must be  
enabled through accessing representations of Web resources that have  

Resource-specific policy limitation: The deployer of an AM must not be  
required to do any special configuration to enable the AM to present  
to the User, or to make decisions regarding Requester access to, any  
resource-specific policies that apply to the resources available at a  
Host (such as photos of different resolutions, or calendars covering  
different time periods or levels of detail, or locations at address  
vs. city level).

Terms persistence: A set of terms for accessing a resource must be  
accessible as a Web resource with a persistent URI.

User AM choice: The UMA protocol must not negatively impact a User's  
prerogative to choose or even self-host the AM that will protect a  
resource on any Host.

Host following authorization instructions: A Host must allow or deny  
Requester access to a resource according to a User's desires as  
conveyed by an AM access decision, or inform the AM of instances where  
the User wished to grant access but the Host did not or could not.  A  
Host must not grant a Requester access to a resource in cases where  
the AM gave instructions denying access.

Access audit log: A Host must inform the AM protecting a particular  
resource on that Host in a timely way of all successful Requester  
access events.


Eve Maler
eve at xmlgrrl.com
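
The "Host following authorization instructions" and "Access audit log" requirements above, sketched as Host-side enforcement logic. This is an added example, not part of the original message or of any UMA specification; the class, field and report names are hypothetical, and treating a missing AM decision as a denial is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"
    DENY = "deny"


@dataclass
class AMReport:
    """One message the Host owes the AM (hypothetical shape)."""
    kind: str          # "access" (audit event) or "not_honored"
    resource: str
    requester: str
    detail: str = ""


@dataclass
class Host:
    # Reports queued for delivery to the AM protecting the resource.
    outbox: list = field(default_factory=list)

    def enforce(self, resource, requester, am_decision, host_can_serve=True):
        """Return True only if the Requester is actually given access."""
        # Assumption: anything other than an explicit PERMIT is a denial,
        # so a missing or malformed decision can never widen access.
        if am_decision is not Decision.PERMIT:
            return False
        # The AM permitted access but the Host did not or could not grant
        # it: allowed, but the AM must be told about the discrepancy.
        if not host_can_serve:
            self.outbox.append(
                AMReport("not_honored", resource, requester, "host could not serve"))
            return False
        # Successful access: every such event is reported to the AM.
        self.outbox.append(AMReport("access", resource, requester))
        return True


if __name__ == "__main__":
    host = Host()
    # Constructed sample requests against a calendar resource.
    print(host.enforce("calendar/2009-09", "requester-a", Decision.DENY))
    print(host.enforce("calendar/2009-09", "requester-a", Decision.PERMIT, False))
    print(host.enforce("calendar/2009-09", "requester-a", Decision.PERMIT))
    for report in host.outbox:
        print(report)
```

The asymmetry is the point: the Host may end up stricter than the AM as long as it reports that, but it has no path to being more permissive.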
