Abstract
This document is a product of the User-Managed Access Work Group. It records the scenarios and use cases governing the development of the User-Managed Access protocol and guiding associated implementations and deployments.
Status
This document is currently under active development. Its latest version can always be found here. See the Change History at the end of this document for its revision number.
Editors
Eve Maler
Intellectual Property Notice
The User-Managed Access Work Group operates under Option Liberty and the publication of this document is governed by the policies outlined in this option.
Table of Contents
Introduction and Instructions
This document is a product of the User-Managed Access Work Group. It records the scenarios and use cases governing the development of the User-Managed Access protocol and guiding associated implementations and deployments.
Please use the scenario template near the end of this document in adding new scenarios and subordinate use cases. Change the status keyword in each scenario and use case title as appropriate, linking to the meeting minutes page explaining the status change:
- Pending: Initial status when first submitted
- Accepted: Needs to be accounted for in UMA V1 and/or its associated compliant implementations
- Deferred: Relevant to the problem space; may be considered in future versions
- Rejected: Out of scope
Edit the descriptions of technical issues and scope questions to reflect (or point to) group decisions about how to handle them.
Scenario: Sharing a Calendar with Vendors (Pending)
Submitted by: Eve Maler
Online calendars are an example of personal data that is readily shared with other people in a manner that evokes VRM paradigms. Because calendar data is fairly volatile, static calendar snapshots are rarely shared; rather, a calendar feed is provided and authorized recipients can pull fresh calendar data as required. The data is often considered sensitive and is expected to be kept secure, hence "private URLs" and (minimal) ACL features offered by Google Calendar and other hosts.
In this scenario, personal online calendars are shared with "vendors" (online services) rather than other individuals, and they are shared in such a way as to allow permissioning and auditing from a central location rather than wherever the calendar is hosted. For the purposes of this scenario we'll focus on sharing a single online calendar (such as for "work", "soccer", or "travel") as a unitary Web resource, on an ongoing basis, with one or more individually-authorized recipients.
User interface mockups of a calendar-sharing interaction can be found in the initial blog post made about ProtectServe and, in somewhat more sophisticated form, slides from a speech made at an identity conference.
Following are some motivating circumstances in which calendar-sharing with vendors may make sense. (NOTE: All references to real vendors are hypothetical.)
Travel Calendar Sharing with Vendors
Alice, who is based in the Seattle area, has an online calendar that specifically contains business travel details such as flights, hotel stays, and car rentals, and since she travels quite frequently and often to international destinations, she wishes to share it with the following vendors:
- Her Visa credit-card company, Chase
Often when she tries to charge European hotel stays to her Chase Visa, the credit card company denies the charges or asks the hotel desk clerk to put her on the phone to make sure it's really her flitting around Europe and racking up big hotel bills. To let Chase know ahead of time what her travel plans are, Alice decides to share her travel calendar with them on a long-term basis so they can know ahead of time that it's likely truly Alice who's putting a Barcelona hotel stay on the card.
Note that this recipient of her data already has a lot of quite personal and sensitive information about Alice, so she's fairly comfortable giving them access to this data under certain conditions, such as refusing to accept third-party direct marketing.
It must be possible for Alice to cut off the flow of travel calendar data to Chase (even though she continues to use that card for personal purchases) when Alice is told that she has to begin using a corporate AmEx card for all business travel purchases.
- The Seattle Times newspaper delivery service
She'd like to avoid having to go to their website to put her newspaper delivery on hold every time she travels. By sharing a travel calendar with the delivery service that accurately reflects when no one will be at home, she saves one more to-do item as she prepares for each trip.
This is data she would have had to share with the service "manually" anyway (by filling out a web form or using the phone), so she already had to trust the service not to rob her house while she's away. It's likely her full travel calendar contains more data than the service strictly needs, however.
- The U.S. Postal Service
Instead of having to go to the Post Office or its website to fill out a mail hold form, she wants to let them know automatically. This is very similar to the Seattle Times situation, but in our project we need to solve for being able to attach different data-sharing policies and possibly have a different data-sharing lifespan between the two.
- Her mobile carrier, T-Mobile
Alice would like to be offered the option to purchase pre-paid roaming minutes when she travels overseas. By sharing her travel calendar, she can let T-Mobile know that she'll be in Brazil next month and would welcome a special offer on mobile roaming. (Note that this use case has an element of volunteered personal information to it; by positively choosing to share her information, Alice gets new opportunities to transact with vendors.)
- Her travel data social-networking sites, Dopplr and TripIt
Alice wants to keep all her "source" travel information in one place, but some of her friends and colleagues use different Web 2.0 sites to share such information. Rather than re-input all her travel destinations into Dopplr and TripIt, she'd like to let them pick up her planned locations and trip dates from her travel calendar.
Today, Dopplr and other similar sites often use OAuth to share such information, but the actual data passed isn't standardized, and the protocol for creating that long-term connection between the sites is OAuth. (See the forthcoming scenario Granting Service Access to a Photo Set for more observations on this flavor of scenario.)
Soliciting Timely Interactions from Vendors
Alice happens to work from home. Her typical work day is very busy, and she rarely has time to sit on hold when calling the various vendors in her life. She has a calendar that exposes the times during the day when she is free to accept a phone call or consider an invitation to a meeting or other event. She would like to share this information with the following vendors:
- Her TV cable carrier, Comcast
Alice's TV cable system has stopped working, and she needs to have a Comcast repairman come over to the house to fix it. She's too busy to spend time jockeying with the customer support person on the phone about which three-hour period she might be free, so she decides to let Comcast get a limited view into her potential free times so they can send her an event invitation for a repair slot.
- Her general-practitioner doctor's office
Alice needs to talk to the medical assistant in her doctor's office, but it's impossible to get hold of her. The MA calls while Alice is on a telecon but the MA can't leave a substantive message because of HIPAA laws/fears, and then when Alice calls back, of course the MA is in the middle of making a series of other calls and can't be reached. It's a "telephone tag" nightmare. Alice would like to share her free/busy times for the next few days so that the MA can at least pick a likely time to call her successfully.
Use Case: Separate Resource Host, Relationship Manager, and Recipient (Pending)
Submitted by: Eve Maler
The most generic possible configuration of protocol endpoints solving this scenario is to have one service hosting the calendar in question, a different service getting permissioned access to it, and yet a different service functioning as the authorization manager, all of them "in the cloud" from the perspective of the user and all operating on the open Internet rather than on a corporate intranet (since our user is an individual acting on her own behalf). This configuration is illustrated below.
Issue: Policies Specific to the Web Resource Type
One consideration in this generic use case (and likely all other use cases for the same scenario) is the potential need to restrict, anonymize, blur, or otherwise transform the resource in question, possibly based on the unique characteristics of its content type.
The premier calendar format standard already accounts for a blurring of data details by providing a "free/busy" option in addition to a full-data option. I suggest that it is out of scope for us to solve for filtering the calendar data cleverly (beyond the format's natural capabilities) to hide Alice's destination, hotel, etc. (though generic solutions such as making events taggable, and then filtering on the tags in a relationship manager interface, come to mind). But for realism, it may be necessary to enter into a convention that says that "busy" (vs. "free") times on a calendar designated to hold travel data means that the calendar owner is away during that period.
Sharing policies that are generic and can apply to any content type might include time- or event-bounded windows (such as "pull only once" or "pull this week only"). This question interleaves with questions about the sorts of data-usage restrictions Alice would like to put in place, for example, needing to discard the data after a certain date.
Note that if fine-grained calendar filtering were a solved problem, different calendar sites could be shared with different friends as a way of managing minimal disclosure through indirection.
Issue: Authorization Manager Endpoint Discovery
The mockups linked above imagine that the user's authorization manager endpoint (what we imagine Alice will perceive as the name of her relationship management service) will be handled as if it were an OpenID, with introductions to popular relationship manager services offered in an array by potential UMA service providers much in the way that the RPX solution presents options. (The user always has the ability to self-host an authorization manager endpoint, similarly to self-hosting an OpenID provider – and they might even be colocated.)
Issue: Handling the Resource URL and Provisioning It to the Consumer Site
The mockups linked above imagine the simplest possible scenario: The Consumer site literally asks for exactly the kind of information it needs, and the user copies and pastes a URL into a field.
This is how calendar feeds, photo streams, RSS feeds, and other such resources are shared today; it works but we need to consider its scalability to arbitrary types of information. There are several challenges here: The Consumer's ability to handle the information, its way of expressing the desire/need for the correct information, and the user's (or user agent's) ability to provide it in a convenient and correct fashion.
In addition, the relationship manager interface is shown having some knowledge of that resource as a unique object. We need to consider how to let the AM and SP communicate about this information appropriately.
Issue: Processes By Which Consumers Meet the User's Data-Sharing Terms
Some of the vendors mentioned are big companies; we are placing a bet that standard (and machine-readable) data-sharing contract terms can be developed and pre-negotiated such that, when such contracts are offered by an individual, they are likely to be accepted and met. Small companies such as a modest medical practice may need a human-accessible interface and the option of an "I Agree" button so that the person manually fielding Alice's offer of data can complete the transaction.
For initial protocol work, I suggest we concentrate on terms that can be passively accepted, while ultimately accommodating a notion of having a Consumer present claims that it has actively met other types of terms (such as providing payment).
Scenario: Granting Service Access to a Photo Set (Pending)
Submitted by: Eve Maler
@@TBS: This differs in nature from the calendar scenario in that it gets into more OAuth-flavored situations and issues...
Issue: unique-title
(Provide commentary on the use case.)
Scenario: unique-title (Pending)
Submitted by: participant-name
(Provide description of the scenario with all nontechnical particulars, noting requirements, constraints, and other observations. Avoid diagrams.)
Use Case: unique-title (Pending)
Submitted by: participant-name
(Provide description of a use case matching this scenario with all technical particulars, such as the topological configuration of protocol endpoint entities, potential wireframes, listings and assessments of technical issues, and anything else helpful.)
Issue: unique-title
(Provide commentary on the use case.)
Change History
| Version | Date | Comment |
|---|---|---|
| Current Version (v. 10) | Jul 25, 2009 09:51 | Former user |
| v. 60 | Oct 05, 2010 22:08 |
Former user Migration of unmigrated content due to installation of a new plugin |
| v. 59 | Oct 05, 2010 22:08 |
Former user Migration of unmigrated content due to installation of a new plugin |
| v. 58 | Oct 05, 2010 22:08 |
Former user Migration of unmigrated content due to installation of a new plugin |
| v. 57 | Oct 05, 2010 22:08 |
Former user Migrated to Confluence 4.0 |
| v. 56 | Oct 05, 2010 22:08 |
Former user Filled in some links to specific scenarios in examples of dimensions. |
| v. 55 | Sept 30, 2010 12:44 | Former user |
| v. 54 | Sept 30, 2010 12:41 | Former user |
| v. 53 | Sept 30, 2010 12:34 | Former user |
| v. 52 | Sept 30, 2010 12:28 | Former user |
| v. 51 | Sept 30, 2010 12:25 | Former user |
| v. 50 | Sept 30, 2010 12:14 | Former user |
| v. 49 | Sept 22, 2010 10:56 | Former user |
| v. 48 | Sept 20, 2010 16:43 | Former user |
| v. 47 | Sept 20, 2010 16:42 | Former user |
| v. 46 | Sept 20, 2010 16:40 | Former user |
| v. 45 | Sept 20, 2010 16:19 | Former user |
| v. 44 | Sept 20, 2010 16:11 | Former user |
| v. 43 | Feb 16, 2010 10:35 | Former user |
| v. 42 | Feb 16, 2010 10:29 |
Former user Added "Hey, Sailor" (advertising a resource) scenario |
| v. 41 | Jan 28, 2010 19:35 | Former user |
| v. 40 | Jan 25, 2010 00:20 | Former user |
| v. 39 | Jan 24, 2010 10:03 | Former user |
| v. 38 | Jan 13, 2010 12:44 |
Former user Broke out the terms negotiation scenarios into a new top-level section |
| v. 37 | Jan 09, 2010 18:16 | Former user |
| v. 36 | Jan 09, 2010 18:07 | Former user |
| v. 35 | Jan 09, 2010 18:05 |
Former user Revised editors, put generic issues into its own file |
| v. 34 | Dec 16, 2009 17:48 | Former user |
| v. 33 | Dec 16, 2009 17:43 | Former user |
| v. 32 | Dec 16, 2009 17:41 | Former user |
| v. 31 | Dec 04, 2009 17:32 | Former user |
| v. 30 | Dec 04, 2009 15:38 | Former user |
| v. 29 | Dec 04, 2009 15:33 | Former user |
| v. 28 | Dec 03, 2009 11:18 | Former user |
| v. 27 | Nov 21, 2009 10:17 | Former user |
| v. 26 | Oct 08, 2009 19:11 |
Former user Added reference to module for Requester Delegate scenario |
| v. 25 | Oct 04, 2009 20:16 |
Former user Took out "related to" links from Issues to specific scenarios; expanded the Issue related to "terms"; revised to use new terminology |
| v. 24 | Sept 18, 2009 06:34 | Former user |
| v. 23 | Sept 18, 2009 05:47 | Former user |
| v. 22 | Sept 18, 2009 05:14 | Former user |
| v. 21 | Sept 08, 2009 14:00 | Former user |
| v. 20 | Sept 07, 2009 09:50 |
Former user replaced old version of distributed social networking scenario with new one about distributed services (and used inclusion) |
| v. 19 | Sept 06, 2009 22:43 | Former user |
| v. 18 | Sept 06, 2009 22:38 | Former user |
| v. 17 | Sept 06, 2009 22:28 | Former user |
| v. 16 | Sept 01, 2009 18:06 | Former user |
| v. 15 | Sept 01, 2009 14:23 | Former user |
| v. 14 | Sept 01, 2009 14:19 | Former user |
| v. 13 | Aug 13, 2009 05:42 |
Former user added new scenario about Distributed Social Networks |
| v. 12 | Aug 11, 2009 21:30 |
Former user This and all previous revs are "editors' drafts" and have not been approved by the group |
| v. 11 | Jul 25, 2009 16:29 | Former user |
| v. 10 | Jul 25, 2009 09:51 | Former user |
| v. 9 | Jul 23, 2009 18:08 | Former user |
| v. 8 | Jul 23, 2009 16:43 | Former user |
| v. 7 | Jul 23, 2009 16:34 | Former user |
| v. 6 | Jul 23, 2009 16:30 | Former user |
| v. 5 | Jul 23, 2009 15:14 | Former user |
| v. 4 | Jul 23, 2009 13:55 | Former user |
| v. 3 | Jul 23, 2009 13:33 | Former user |
| v. 2 | Jul 23, 2009 13:31 | Former user |
| v. 1 | Jul 23, 2009 12:53 | Former user |