iTWire has previously reported on the UMA (User Managed Access) standard and the way it has been implemented in the ForgeRock Identity Platform, as well as presenting a recent video interview with company executives.
One of the key ideas behind UMA is that people should be able to grant access rights to others in a very granular way.
On her latest visit to the region, ForgeRock vice-president of innovation and emerging technology (and founder and chair of the UMA Work Group) Eve Maler told iTWire that the first phase of a UMA proof-of-concept in New Zealand has been successful.
The proof-of-concept is moving into its second phase, she said. This will be broader, involving the use of open banking APIs to provide selective access to information. For example, a customer might want to allow their spouse or accountant to authorise certain types of transaction rather than merely allowing them to view transactions, or an executive might want to give their administrative assistant certain rights.
"Potentially, the sky's the limit," said Maler, adding that organisations should give people control over their digital identities.
Another example comes from the health sector. A patient with a smart insulin pump typically interacts with a care team that has a fuzzy boundary: a doctor may go on leave, or a temporary nurse may be brought in to cover for illness. UMA can be used to provision access policies according to the relationship between the patient and caregiver.
Also in the Internet of Things space, Maler gave the example of a building fitted with smart thermostats. The tenants, the building manager and the electricity supplier may all want access, but with various permissions. The building manager "owns" the thermostats, but individual tenants probably want to control the temperature in their apartments or offices. And with the tenants' and manager's permission, and in return for appropriate concessions, the electricity company might seek the ability to adjust the thermostats by a degree or two during periods of peak power consumption.
Supporting UMA is made easier by the way many applications are now "API fronted," Maler said.
UMA is just as relevant to large enterprises looking for a way to control the internal use of their APIs. Where CASBs (cloud access security brokers) are designed to protect and assist access to cloud systems, organisations also need a simple, standards-based way to manage internal systems (eg, to allow selective access by an employee of a supplier or customer).