
Summary of Model Clauses and Supporting Terminology for Parties Serving in UMA Roles

  1. Terminology
    1. Terms
      This framework uses the following terms. Where terms are used without capitalization and are not otherwise defined in [UMAcore], they are used in their normal sense.
      Individual
      A natural person (that is, a human being) with the capacity to take on contractual duties and obligations as a participant in a UMA interaction.
      Legal Person
      A legal entity to which the law ascribes the ability to contract, such as a corporation, partnership, agency or government.
      Person
      An Individual or Legal Person. Persons play various roles in achieving and seeking user-managed access, and the same Person might serve in multiple contractual roles.
      Conformance
      Claimed adherence of a running software program or service to the requirements of one or more of the roles "authorization server", "resource server", or "client", as defined in [UMAcore]. Software components play various roles in participating in the technical interactions necessary to achieve and seek user-managed access, and the same software component might serve in multiple technical roles.
      Resource Subject
      The Person to whom a digital data resource relates.
      Grantor
      The Person who manages access to a digital data resource, either as its Resource Subject or on that Person's behalf.
      Authorization Server
      A software service that fills the "authorization server" role as defined in [UMAcore].
      Authorization Server Operator
      A Person responsible for running and operating an Authorization Server.
      Resource Server
      A software service that fills the "resource server" role as defined in [UMAcore].
      Resource Server Operator
      A Person responsible for running and operating a Resource Server.
      Client
      A software application or service that fills the "client" role as defined in [UMAcore].
      Client Operator
      A Person responsible for running and operating a Client.
      Requesting Party
      A Person that uses a Client to seek access to a protected resource. This Person may be an Individual or a Legal Person. The Requesting Party and the Grantor may be the same Person or different Persons.
      Requesting Party Agent
      A Person using a Client to seek access to a protected resource on behalf of a Requesting Party. Typically this Person is an Individual acting on behalf of a Legal Person.
    2. Abbreviations
      This framework uses the following abbreviations.
      UMA
      User-Managed Access, the interoperability protocol defined in [UMAcore] and the other specifications it includes normatively by reference.
      API
      Application programming interface.
      PAT
      Protection API token, as defined in [UMAcore].
      AAT
      Authorization API token, as defined in [UMAcore].
      RPT
      Requesting party token, as defined in [UMAcore].
  2. Obligations of the Requesting Party
    1. Requesting Party-Grantor: Adhere-to-Terms
      When the Client successfully gains access from a Resource Server to a protected resource by wielding a valid "bearer" RPT associated with at least one currently valid permission for the type of access sought, the Requesting Party using that Client gains an obligation to the Grantor to adhere to any terms it agreed to in order to gain the permission.
    2. Requesting Party-Authorization Server Operator: Supply-Truthful-Claims
      When the Authorization Server issues an AAT to a Client and for as long as the AAT is valid, the Requesting Party using that Client gains an obligation to the Authorization Server Operator to supply or facilitate access to truthful claims required for access authorization at this Authorization Server, when it chooses to supply them, to the best of its knowledge at the time it supplies them.
    3. Requesting Party-Resource Server Operator: Is-Legitimate-Bearer
      When the Authorization Server issues an RPT to a Client and for as long as the RPT is valid, the Requesting Party using that Client gains an obligation to the Resource Server Operator to represent the legitimate bearer of the RPT or its authorized representative, and not to allow others to impersonate the Requesting Party.
  3. Obligations of the Resource Server Operator
    1. Resource Server Operator-Grantor: Delegate-Protection
      For the period that the Resource Server Operator and Grantor have mutually agreed to serve in these respective roles for each other, the Resource Server Operator gains an obligation to the Grantor to delegate protection services to the Authorization Server Operator for the set of protectable resources for which it represents this capability to the Grantor, and to respect the authorization data that the Authorization Server has associated with an RPT when the Resource Server subsequently allows or disallows access by the Client that presented that RPT.
    2. Resource Server Operator to Grantor and Authorization Server Operator: Register-Accurately-and-Timely
      For the period that the Resource Server Operator and Grantor have mutually agreed to serve in these respective roles for each other, in the context of a particular Authorization Server Operator, the Resource Server Operator gains an obligation to the Grantor and the Authorization Server Operator to register resource set descriptions accurately and timely and according to the Grantor's expressed instructions for protection, if any.
    3. Resource Server Operator-Authorization Server Operator: Respect-Permissions
      For the period that the Resource Server Operator and Authorization Server Operator have mutually agreed to serve in these respective roles for each other, the Resource Server Operator gains an obligation to the Authorization Server Operator to disallow access by a Client presenting an RPT in all cases where the authorization data associated with that RPT by the Authorization Server is insufficient for the access attempt.
  4. Obligations of the Authorization Server Operator
    1. Authorization Server Operator-Grantor: Follow-Policies-Accurately-and-Timely
      When the Authorization Server issues a PAT to a Resource Server and as long as the PAT is valid, the Authorization Server Operator gains an obligation to the Grantor to adhere to the Grantor's policies accurately and timely in granting permissions.
    2. Authorization Server Operator-Resource Server Operator: Follow-Policies-Accurately-and-Timely
      When the Resource Server registers a requested permission at the Authorization Server, the Authorization Server Operator gains an obligation to the Resource Server Operator to adhere to the Grantor's authorization policies accurately and timely in associating authorization data with RPTs presented with the registered permission's ticket.
    3. Authorization Server Operator-Requesting Party: Request-Limited-Claims
      When the Authorization Server issues an AAT to a Client and as long as the AAT is valid, the Authorization Server Operator gains an obligation to the Requesting Party to request only claims that support the purpose of satisfying a Grantor's policy.
  5. Obligations of the Grantor
    1. Grantor-Requesting Party: Adhere-to-Terms
      When the Authorization Server responds positively to a Client's request for authorization, the Grantor gains an obligation to the Requesting Party using that Client to adhere to the terms offered to and accepted by the Requesting Party in the form of requests for claims driven by the Grantor's policy at the Authorization Server.
    2. Grantor-Authorization Server Operator: Introduce-Resource-Server
      When the Authorization Server issues a PAT to a Resource Server and as long as the PAT is valid, the Grantor gains an obligation to the Authorization Server Operator to introduce the desired Resource Server to this Authorization Server in outsourcing protection of this Resource Server's resources.
    3. Grantor-Resource Server Operator: Introduce-Authorization-Server
      When the Authorization Server issues a PAT to a Resource Server and as long as the PAT is valid, the Grantor gains an obligation to the Resource Server Operator to introduce the desired Authorization Server to this Resource Server in outsourcing protection of this Resource Server's resources.