User-Managed Access

User-Managed Access (UMA) is an OAuth-based protocol for access management. At present (end of 2013) the protocol is defined in a draft version 1.0. This specification defines the legally binding obligations of the parties taking part in UMA-compliant interactions. The development of UMA as a web standard takes place in the Kantara Initiative.

UMA is based on several hypotheses. One is that consent, in its usual form, is inconvenient and only a weak instrument for exercising user control over the disclosure of confidential information. Another is that managing the data access of client applications to a server one relationship at a time does not scale well (i.e. becomes disproportionately slower) when the user works with many applications. A further one is that autonomy, individual privacy control and transparency require the user to keep an overview of the data shared with a variety of parties, not merely of the applications the user uses.

Accordingly, the design of UMA focuses on how a web user makes use of a web application called the authorization server (AS). Only the web resources to be shared (i.e., ultimately, data and information) are associated with the AS. These web resources can reside on any number of servers, which UMA refers to as resource servers (RS). Applications that hold the user's original authorization, as well as other persons or organizations, obtain access to the protected resources through requesting client applications, as long as they conform to the user's rules at the AS (i.e., access is permitted). These rules are called a "policy".
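The following added illustration (not code from the UMA specification or any implementation) models the role split described above: one AS holds the resource owner's policies, any number of resource servers merely hold data and register it with that AS, and a requesting party's client only obtains a token when the owner's policy permits. Class names, method names and the token format are assumptions of this model; the real UMA endpoints and token formats are not reproduced.

```python
import secrets

class AuthorizationServer:  # the AS the owner manages; it holds her policies
    def __init__(self):
        self.resources = {}  # resource_id -> name of the hosting resource server
        self.policies = {}   # resource_id -> {requesting_party: set of scopes}
        self.tokens = {}     # token -> (resource_id, requesting_party, scopes)
    def register_resource(self, rs_name):
        rid = secrets.token_hex(8)
        self.resources[rid] = rs_name
        return rid
    def set_policy(self, resource_id, requesting_party, scopes):
        self.policies.setdefault(resource_id, {})[requesting_party] = set(scopes)
    def request_token(self, resource_id, requesting_party, scopes):
        # The AS decides, not the RS: a token is issued only if the owner's
        # policy for this resource grants every requested scope.
        allowed = self.policies.get(resource_id, {}).get(requesting_party, set())
        if not set(scopes) <= allowed:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (resource_id, requesting_party, frozenset(scopes))
        return token
    def introspect(self, token):
        return self.tokens.get(token)

class ResourceServer:  # any number of these sit behind one AS; data only
    def __init__(self, name, auth_server):
        self.name, self.auth_server, self.data = name, auth_server, {}
    def host(self, content):
        rid = self.auth_server.register_resource(self.name)
        self.data[rid] = content
        return rid
    def read(self, resource_id, token):
        # The RS asks the AS what the token is good for; a token issued for
        # another resource or without the "read" scope is rejected.
        info = self.auth_server.introspect(token)
        if info is None or info[0] != resource_id or "read" not in info[2]:
            return None
        return self.data[resource_id]

def demo():  # constructed sample: Alice shares her calendar, not her photos
    alice_as = AuthorizationServer()
    calendar_rs = ResourceServer("calendar.example", alice_as)
    photos_rs = ResourceServer("photos.example", alice_as)
    cal = calendar_rs.host("meeting with Bob at 10:00")
    pics = photos_rs.host("holiday.jpg")
    alice_as.set_policy(cal, "bob", ["read"])
    cal_token = alice_as.request_token(cal, "bob", ["read"])
    return (calendar_rs.read(cal, cal_token),                                   # granted
            photos_rs.read(pics, alice_as.request_token(pics, "bob", ["read"])),  # no policy
            photos_rs.read(pics, cal_token))                                    # wrong resource
```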

History and Background

The Kantara Initiative UMA Work Group held its first meeting on August 6, 2009. UMA's design principles and technical design grew out of earlier work by Sun Microsystems employees, who in March 2008 developed a protocol called ProtectServe. ProtectServe was shaped by the goals of the [Vendor Relationship Management] (VRM) movement and by an offshoot effort called "feed-based VRM".

ProtectServe and the earlier versions of UMA used the OAuth 1.0 protocol. As OAuth was revised with the publication of the WRAP specification, the UMA designs were adapted accordingly.

UMA does not depend on OpenID 2.0. It can, however, optionally use the OAuth-based OpenID Connect protocol for authentication.

UMA likewise does not depend on XACML as a means of describing user rules and obtaining policy decisions. UMA does not prescribe a format for the rules. UMA and XACML do, however, have some similarities in their protocol flows.

Current state of standardization

The UMA WG charter names the Internet Engineering Task Force (IETF) as a possible home for the UMA standardization work. To this end the working group has submitted multiple Internet-Drafts to the IETF for consideration. One of them, a specification for "Dynamic Client Registration", has already been accepted as a work item of the OAuth Working Group.

Current implementation and adoption status

The UMA protocol has several implementations. GLUU has implemented UMA to secure and manage access to APIs. Cloud Identity Limited has a full UMA implementation for securing and managing access to personal information as well as web APIs. Several others have signalled to the work group their interest in implementation and interoperability testing.