Versions Compared

Old Version 2

changes.mady.by.user Alec Laws

Saved on

compared with

New Version Current

changes.mady.by.user Alec Laws

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

UMA telecon 2021-07-01

...

Relationship Manager - user stories


As RqP Bob(reserach), I want to be able to request access to a set of Alice's resources (heath information) directly from Alice's AS without knowledge of their location(health record repositories), because I don't have to bother getting or caring about all the locations from Alice first (since there is no direct relationship between Alice and the researcher)

A reseacher may discover health records that have been authorized for them to access, without needing a direct relationship with the RO. In this case, Alice can mark her resources at the AS as being approved for someone with a specific claim. THis isn't a specific consent, ie to a specific RqP, instead she's specifying the claims that the RqP must present (such as a particular study, or researchers from specific IDPS).  How she knows which avaialble studies/research institutes would have to be part of the trust ecosystem known to the AS. The AS can define the size of this ecosystem. The rule at the AS "I Alice allow people with claim=researcher from idp=[baylor, acme] to access these specific health resources=[A@RS1, B@RS2, Immz@RS2]". This next component of this is how that Client/RqP can understand the scheme/type of the resource being accessed. The Client should be requesting and receiving resources that are useful to it and not other ones (data minimization).

...

There is a need for Bob to know the AS at which to request access from

As RqP Bob(financial advisor), I want to be able to request access to a set of Alice's resources (pension information) directly from Alice's AS without knowledge of their location(specific pension providers), because I don't have to bother getting or caring about all the locations from Alice first (since this is cumbersome to Alice and the Advisor)

The rule at the AS "I Alice allow people with claim=advisor, myadvisor@advisingcompany.com from idp=[advisor idp] to access these specific pension resources=[A@PP1, B@PP2]". The resources available in this rule are the registered resources from an earlier discovery/registration step (both cases). This also allwos the RS to not guess what resources and scopes the Client needs based on the inititial request with the URL (RPT-less request), the AS has a much clearer idea about the Clients capability and what specificifally has been granted after claims gathering has occured. 


Reviewing the Diagram: https://groups.google.com/g/kantara-initiative-uma-wg/c/WAnizgl08Fg/m/YjflL1EbAwAJ

Is there an alternative where Alice tells the AS, my resources are here (RS)? This could be the AS as RelationshipManageer, where the RM reaches out to the RS to read the available resources. The challenges is still in PAT establishment. 

Could Alice create policy before resources are registered? This is getting closer to delegation/consent vs protocol level


UMA Interop Testing

Deferred

...