Custodianship in and around UMA
Eve Maler
[email protected]
March 9, 2015
FORGEROCK.COM

Examples
■ Under-13 student using a school portal to share completed homework assignments
■ Elderly parent with intermittent dementia using social networking and health-related apps
■ Developmentally disabled adult with access to online bank accounts and related data

Goal
■ Bring various benefits of user-managed access even to those who are at some level “incapacitated” with respect to consent, if possible

Reminder about UMA architecture
The challenge: Can the person who manages the resources be trusted to control their access?

A “PAT” represents the RO’s consent for the RS to outsource protection to the AS
Plain old OAuth token representing an important UMA concept, and likely to be associated with “binding obligations” in trust frameworks

Notes
■ UMA does not have a formal notion of “multiple ROs” (like “joint bank accounts”)
– Rationale: V1.0 speed and simplicity; inherent complexity in clashing policy between ROs; Google Apps as existence proof of successful single-RO model
– Mitigating this “lack” at the app level: If an API exposes wide-ranging admin or further-downstream share scopes, then an RO can grant them
■ As an aside, the RS and C may, in fact, be instances of the same app

Generic roles used in the following discussion
■ Guardian (custodial role)
■ Ward (in custody)
■ Agent (representative of relevant public/private sector bureaucracy)

Some options for handling custodianship in and around UMA
You may have others in mind…

Option 1: offline guardian
RqP (becoming a downstream RO) account initiated under the control of an “offline” guardian
1. Guardian executes a paper consent form
2. Agent creates an RO account record on guardian’s behalf
3. Agent issues PAT on guardian’s behalf
4. System-default policy under trust framework – or agent, manually – issues relevant RqP permissions to associated ward
5. Ward can function normally as a downstream RO; however…
6. Guardian, through agent, can monitor, control, and revoke ward’s access as an RqP as required

Option 1 discussion
■ This is a fairly “top-down” pattern
■ The offline/proxy pattern seems to match many current public-sector and financial use cases
■ The PAT gives some auditability
■ Policies/trust framework force some formal accountability
■ The onus is on agents to make the whole thing work
■ …

Option 2: online guardian
RO account initiated by a ward but in a trust framework bounded by an “online” guardian
1. Ward registers for an RO account; process requires linking a verified guardian’s account, treated as an automatic RqP
2. System-default policies limit ward’s ability to share with others besides guardian RqP; trust framework ensures that ward can monitor uncontrolled disclosures; standard scopes ensure extent of access by guardian

Option 2 discussion
■ This is a fairly “bottom-up” pattern
■ The online pattern seems to be closer to some private-sector use cases
■ System-default policies and, particularly, scopes give guardian some real “teeth” for overseeing ward’s activity
■ …

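A minimal model of the Option 2 flow, added here as an illustration and not taken from the slides or from the UMA specifications. The class, the scope names, and the rule that a ward may delegate only a policy-approved subset of scopes are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed scope sets; the slides only say "standard scopes" and "system-default policies".
GUARDIAN_SCOPES = frozenset({"view", "audit"})
WARD_SHAREABLE = frozenset({"view"})


@dataclass
class AuthorizationServer:
    verified: set = field(default_factory=set)        # identity-proofed guardian accounts
    guardian_of: dict = field(default_factory=dict)   # ward -> linked guardian
    grants: dict = field(default_factory=dict)        # (ro, rqp) -> granted scopes
    audit: list = field(default_factory=list)         # every sharing attempt

    def register_ward(self, ward, guardian):
        """Step 1: the RO account exists only with a verified guardian link."""
        if guardian not in self.verified:
            raise PermissionError("guardian account is not verified")
        self.guardian_of[ward] = guardian
        # The guardian is an automatic RqP whose reach is fixed by standard scopes.
        self.grants[(ward, guardian)] = GUARDIAN_SCOPES

    def share(self, ro, rqp, scopes):
        """Step 2: default policy limits what a ward can share, and logs it."""
        scopes = frozenset(scopes)
        guardian = self.guardian_of.get(ro)
        if guardian is None:
            allowed = True                      # ordinary RO: no custodial limits
        elif rqp == guardian:
            allowed = False                     # ward cannot alter the guardian grant
        else:
            allowed = scopes <= WARD_SHAREABLE  # only policy-approved scopes
        self.audit.append((ro, rqp, tuple(sorted(scopes)), allowed))
        if allowed:
            self.grants[(ro, rqp)] = scopes
        return allowed

    def authorize(self, rqp, ro, scope):
        """Decision the AS would make before issuing a permission to the RqP."""
        return scope in self.grants.get((ro, rqp), frozenset())

    def disclosures(self, ward):
        """Monitoring view: all sharing attempts made from the ward's account."""
        return [entry for entry in self.audit if entry[0] == ward]
```

Denied attempts are logged alongside allowed ones, so the monitoring view shows what a ward tried to share as well as what was actually disclosed.
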
Option 3: “outside UMA”
Enhanced AS handles RO impersonation duties
■ Kennisnet has chosen this option for its LACE Project in the Netherlands for K-12 students, currently in UX mockups:
– http://www.laceproject.eu/blog/give-students-control-data/
– http://panelpicker.sxsw.com/vote/32086
■ Mark Dobrinic of Kennisnet says:
– “We have decided that dealing with custodians is a problem by itself. In our case, this means that we have moved the relationship between child-custodian to the AS completely. This is visualized in the Dashboard(AS) application, by the mother that logs in at the Dashboard(AS), and she can select which one of her children she wants to use the dashboard for. …. So, it has been part of our thinking in the design, but we have isolated it away from UMA and thought that projecting it on the AS would allow us to focus on the rest of the case study.”

Option 3 discussion
■ Impersonation approaches are what UMA tries to avoid!
■ But there hasn’t been guidance to date on how to go beyond
■ …