Nulli Identity Series: User Managed Access – A Primer

Roland Davis 12/10/2016

Nulli with its global partner, ForgeRock held a well-attended industry event on Digital Identity and Privacy in Edmonton on Oct. 4.

Nulli arranged to have Allan Foster, co-founder of ForgeRock, speak with industry professionals about the benefits of leveraging the User Managed Access (UMA) protocol for their customers, partners and employees. The talk took place in Edmonton, Alberta where Allan noted UMA was an encouraging development that provided digital individuals auditable control over who has consent to access their personal information.  Allan is the president of the Kantara Initiative (;  the braintrust behind the development of the UMA model of consent.  He thus brought first hand experience of the requirements that drove the creation and adoption of UMA in the digital identity community.  Eve Maler, a leading proponent of UMA and peer of Allan’s at ForgeRock and Kantara, has worked closely with Allan to build recognition and adoption of the UMA protocol.   Take a look at Eve’s excellent talk from the ForgeRock Identity Summit 2016  and learn how  UMA can be applied to authorisation, consent and delegation scenarios across a wide variety of sectors                      

Allan’s discussion and presentation fuelled interest in the application of UMA within the context of an organization’s identity strategic model.   UMA gives individuals the ability to manage who has access to personal or private information and resources within a secure framework.  UMA is a consent model that has been standardized.  In basic terms the way UMA works is that there is an Owner, and that Owner has information, resources or applications (known in the UMA world as a Protected Resource) that they may wish to share.  A request for consent to access the Protected Resource can be made by a Requesting Party through the Authorization Server.  The request for consent to access is made to the Owner and is either granted or denied.  Rules defined by the Owner govern the access granted and are enforced by the Authorization Server.  The value of UMA is that it allows an Owner to manage access to their information by either providing or revoking consent to the Protected Resource as needed.   The other unique benefit is that a Requesting Party who is granted consent to access personal information cannot share that consent without requesting additional permissions to do so and thus cannot share access to the information at their own discretion.

UMA addresses the need for secure access as managed by the Owner of the information and allows for tracking of who has consent to access and under what conditions.   Look for our next posting in the Nulli Identity Series where we follow up on the presentation by Allan Foster and provide more insights into securing the privacy of your user population’s information.

If you are interested in hearing about our future events, please email us at [email protected].

No Results