...

The PDP service would expose policy administration point (PAP) functions to IT administrators in some fashion. BusinessCo would need the capability to express its access policies; for example, BusinessCo or ParentCo might interface a standard enterprise entitlements management system that expresses policies in XACML or some other standard language.

Third-party SaaS vendors used by BusinessCo could also use the UMA approach. The SaaS API is a resource server/PEP that allows access by BusinessCo employees only when such access aligns with BusinessCo's (and ParentCo's) policies. In this case, the SaaS provider would register the relevant resource sets and scopes with BusinessCo's PDP, and BusinessCo (and ParentCo) would map which policies must be evaluated to grant each of those scopes.
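As an added illustration (not code from this page, from Gluu, or from any UMA implementation), a toy model of the mapping just described: the SaaS resource server registers its resource set and scopes with BusinessCo's PDP, BusinessCo and ParentCo each attach policies to scopes, and a requesting party is granted a scope only when every policy attached to it passes. The resource names, scopes and claims are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Claims = Dict[str, str]
Policy = Callable[[Claims], bool]


@dataclass
class ResourceSet:
    name: str
    scopes: Set[str]


@dataclass
class PDP:
    """BusinessCo's PDP acting as the UMA authorization server (toy model)."""
    resource_sets: Dict[str, ResourceSet] = field(default_factory=dict)
    # scope -> [(policy owner, policy)]; every policy mapped to a scope must agree
    policies: Dict[str, List[Tuple[str, Policy]]] = field(default_factory=dict)

    def register_resource_set(self, rs_id: str, name: str, scopes: Set[str]) -> None:
        # Performed by the SaaS resource server/PEP when it onboards with BusinessCo
        self.resource_sets[rs_id] = ResourceSet(name, set(scopes))

    def map_policy(self, scope: str, owner: str, policy: Policy) -> None:
        # Performed by BusinessCo or ParentCo administrators through the PAP
        self.policies.setdefault(scope, []).append((owner, policy))

    def evaluate(self, rs_id: str, requested: Set[str], claims: Claims) -> Set[str]:
        """Return the requested scopes that every mapped policy permits.
        A scope the resource server never registered is a configuration error;
        a registered scope with no policy mapped is denied (fail closed)."""
        rs = self.resource_sets[rs_id]
        unknown = requested - rs.scopes
        if unknown:
            raise ValueError(f"scopes not registered for {rs.name}: {sorted(unknown)}")
        granted: Set[str] = set()
        for scope in requested:
            rules = self.policies.get(scope, [])
            if rules and all(policy(claims) for _owner, policy in rules):
                granted.add(scope)
        return granted


def build_demo_pdp() -> PDP:
    # Constructed example: a CRM SaaS API with two layers of policy on "export"
    pdp = PDP()
    pdp.register_resource_set("crm", "CRM customer records", {"read", "export", "admin"})
    pdp.map_policy("read", "BusinessCo", lambda c: c.get("employer") == "BusinessCo")
    pdp.map_policy("export", "BusinessCo", lambda c: c.get("employer") == "BusinessCo"
                   and c.get("role") == "sales-manager")
    pdp.map_policy("export", "ParentCo", lambda c: c.get("dlp_training") == "current")
    return pdp  # "admin" has no policy mapped, so it is never granted
```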

Solution Flow

This scenario uses ordinary UMA flows, noting that it is a human "Authorizing Party Agent", not BusinessCo, that sets policy and possibly performs any policy-dictated manual intervention to enable access requests to go through. The company Gluu has produced a swimlane diagram to illustrate.

...