Nulli Identity Series: User Managed Access - A Primer

Editor's Note: ForgeRock and its global partner, Nulli, held a well-attended industry event on Digital Identity and Privacy, with a focus on the User Managed Access standard, in Edmonton on Oct. 4. This article originally appeared on the Nulli blog. Many thanks to Nulli's Roland Davis for allowing us to repost here. 

Nulli arranged to have Allan Foster, ForgeRock VP of Strategic Partner Enablement, speak with industry professionals about the benefits of leveraging the User Managed Access (UMA) protocol for their customers, partners and employees. The talk took place in Edmonton, Alberta, where Allan noted that UMA was an encouraging development that provided digital individuals with auditable control over who has consent to access their personal information.


Allan is the president of the Kantara Initiative, the braintrust behind the development of the UMA model of consent. He thus brought first-hand experience of the requirements that drove the creation and adoption of UMA in the digital identity community. Eve Maler, a leading proponent of UMA and peer of Allan’s at ForgeRock and Kantara, has worked closely with Allan to build recognition and adoption of the UMA protocol. Take a look at Eve's excellent talk from the ForgeRock Identity Summit 2016 and learn how UMA can be applied to authorization, consent and delegation scenarios across a wide variety of sectors.

User Managed Access - How It Works

Allan’s discussion and presentation fueled interest in the application of UMA within the context of an organization's identity strategic model. UMA gives individuals the ability to manage who has access to personal or private information and resources within a secure framework. UMA is a standardized consent model. In basic terms, there is an Owner, and that Owner has information, resources or applications (each known in the UMA world as a Protected Resource) that they may wish to share. A Requesting Party can request consent to access the Protected Resource through the Authorization Server. The request is made to the Owner and is either granted or denied. Rules defined by the Owner govern the access granted and are enforced by the Authorization Server.

The value of UMA is that it allows an Owner to manage access to their information by either providing or revoking consent to the Protected Resource as needed. The other unique benefit is that a Requesting Party who is granted consent to access personal information cannot share that consent without requesting additional permissions to do so and thus cannot share access to the information at their own discretion. UMA addresses the need for secure access as managed by the Owner of the information and allows for tracking of who has consent to access and under what conditions. Look for our next posting in the Nulli Identity Series where we follow up on the presentation by Allan Foster and provide more insights into securing the privacy of your user population’s information.
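
The consent flow described above, as a simplified in-memory model in Python. This is an added example, not code from Nulli, ForgeRock or the UMA specification; the class, method and party names are assumptions made for illustration, and real UMA is an OAuth-based protocol spoken between separate services rather than a single object.

```python
# Simplified in-memory model of the roles described above. This is an
# illustration, not the UMA wire protocol or any vendor's implementation.
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    owners: dict = field(default_factory=dict)   # resource -> Owner
    consents: set = field(default_factory=set)   # (resource, party, scope)
    pending: list = field(default_factory=list)  # requests awaiting the Owner
    audit: list = field(default_factory=list)    # every event, in order

    def register(self, owner, resource):
        self.owners[resource] = owner

    def request_access(self, party, resource, scope):
        """Requesting Party asks for consent; the Owner decides later."""
        self.pending.append((resource, party, scope))
        self.audit.append(("requested", resource, party, scope))

    def decide(self, owner, resource, party, scope, grant):
        """Only the registered Owner can grant or deny a pending request."""
        if self.owners.get(resource) != owner:
            raise PermissionError("only the Owner may decide")
        self.pending.remove((resource, party, scope))  # must have been requested
        if grant:
            self.consents.add((resource, party, scope))
        self.audit.append(("granted" if grant else "denied", resource, party, scope))

    def revoke(self, owner, resource, party, scope):
        if self.owners.get(resource) != owner:
            raise PermissionError("only the Owner may revoke")
        self.consents.discard((resource, party, scope))
        self.audit.append(("revoked", resource, party, scope))

    def is_allowed(self, party, resource, scope):
        """Enforcement point: consent is bound to one party and one scope,
        so a party holding it cannot pass it on to anyone else."""
        ok = (resource, party, scope) in self.consents
        self.audit.append(("allowed" if ok else "blocked", resource, party, scope))
        return ok

    def who_has_access(self, resource):
        return sorted((p, s) for r, p, s in self.consents if r == resource)
```

Every access check consults the current consent set, so a revocation by the Owner takes effect on the next request, and the audit list records who asked, who was granted consent and when it was withdrawn.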

If you are interested in hearing about our future events, please email us at [email protected].

Roland Davis is Senior Sales Representative at Nulli.