User Managed Access

Roland Hedberg
Track: Track 2 -- Lecture Hall IV on the Main Floor
Description: More and more individuals have information on online services. The norm so far has been that such information is public, open to anyone to view or use. Eventually this has to change: people will start realizing that public access to all published information is not in the individual's best interest.
Information that once was thought just fun to publish might, a couple of years down the line, have a negative impact on the future of a person.
Therefore individuals must be able to control who (other persons as well as other services) can do what with what, and to do this in a standardized way that many, if not all, services can support.
To that end a working group was created a number of years ago by the Kantara Initiative to try to:
“develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual's behalf, and to facilitate the development of interoperable implementation of these specifications by others.”
The name of the working group is User-Managed Access (UMA).
In this talk I will present a couple of proof-of-concept implementations that I have been working on:
- Allowing individuals to control the attribute release policy of a SAML2 Identity Provider.
- Allowing individuals to control the access to JSON resources in a simple web server adhering to Paul Bryant’s Internet draft

and possibly, dependent on progress:
- UMAfying the Health IT Record Location Service (Data Aggregation) use case.
