[WG-UMA] Enterprise questions about UMA

Eve Maler eve at xmlgrrl.com
Thu Jun 21 23:21:52 EDT 2012

Although I'm a day late (and possibly a dollar short, if you guys discussed this in today's call), I wanted to follow up on my action item to collate Kevin's ideas on "UMA for enterprise" FAQs. This note actually tries to bring together several recent threads, including Kevin/Mario/Thomas/+ discussing enterprise use cases and liability, and Domenico/Mario/George/+ discussing cloud enterprise use cases. Obviously there's a lot more to day on all these topics, but distilling them into FAQs seems like a good next step to get clarity. Here are FAQs that I suggest we add:

UMA for the enterprise:

* "Can the 'user' in UMA be an enterprise?" (proposed by Kevin): The answer to this one should draw on Thomas's discussion of use cases for different populations who use UMA, e.g. employees vs. customers. Hopefully we can point out to a new set of scenarios (in the actual scenario doc?) that include Domenico's new graphical use cases etc. We're starting to collect quite a few of these.

Trust, liability, and what happens when things go wrong:

* If individuals can manage and access data held by an enterprise won't commercially sensitive data be passed to competitors?
* Won't an enterprise lose control of its own information systems if others manage access to data held by the enterprise?
* Is the enterprise liable if an individual, when managing data about themselves held by the enterprise, suffers a financial loss?
* How do I know it is the user who is managing their data and what liability do I have if it is someone else?

These mostly relate to risks that AM operators and host operators would take on, so the Binding Obligations work provides at least some answers. They also relate to business models for serving in these roles.

Finally, regarding Domenico's "Cloud-enabled Enterprise API Security & UMA" diagram, I can say, based on conversations with a variety of industry folks, that it's entirely viable to conceive of an external provider that's hosting and operating an AM on behalf of an enterprise. In a way, this use case is like OAuth on steroids, with standardized AS/RS separation. The key question is around how loosely coupled that separation is! A lot of RS's today are just doing simple token introspection at the AS to look up claims. But this still requires that the AS and RS "onboard" each other in a totally proprietary way, and the host has to be pretty smart to understand claims. UMA solves both of these in modular fashion.

Neil asks whether OpenID Connect could simply be used for this. I'd say that it should be used precisely the way UMA already does use it, as a standardized way to exchange claims -- but it doesn't really solve the underlying use case by itself.


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl

More information about the WG-UMA mailing list