UMA Meets Privacy Requirements by Giving Customers Control Over Their Data

In our last post we discussed the growing need for customer identity and access management (CIAM) solutions. Like identity and access management (IAM), CIAM has to do with the registration and authentication of users so they can gain secure access to online resources. However, CIAM is also about the aggregation and synchronization of customer data across sales, marketing, and support processes. It enables organizations to build a 360-degree view of the customer while creating a seamless user experience across multiple channels.

CIAM adoption is also being driven by the need to secure sensitive data and protect customer privacy. Consolidating customer information into a single store is a critical first step toward improving security and meeting increasingly stringent privacy standards. In particular, the General Data Protection Regulation (GDPR) gives European Union (EU) citizens a great deal of control over their personal data. Organizations must know where customer identity data is stored and gain the customer’s consent to use that data.

In addition to centralized IAM, organizations need a mechanism for tracking and managing user consent, which is where the User Managed Access (UMA) protocol comes in. UMA is an internationally recognized standard that puts consent in the hands of the users themselves. It gives customers fine-grained control over the sharing of their data, enabling them to specify who gets access to what information, for how long, and under what circumstances.

UMA was built on OAuth (Open Authorization), an open standard that enables users to give third-party services access to their account information without revealing the password. First released in 2007, OAuth was originally conceived as an authentication mechanism for sharing information on Twitter. OAuth serves as an intermediary between users and third-party services, using tokens to share specific account information.

UMA extends this concept to a user’s personal information, working much like a “share” button that gives an online service access to specific data. With UMA, encrypted tokens pass between systems without directly identifying the individual user.

This is a new approach to data security and privacy. In the past, most organizations and regulatory bodies were concerned with keeping intruders out of networks and preventing the exfiltration of data. Technologies for gaining the customer’s consent to access and share data were limited. UMA bridges that gap, helping organizations meet the requirements of the GDPR and overcome consumers’ growing reluctance to share their information.

The Kantara Initiative, a global consortium focused on improving the trustworthy use of identity and personal data, approved the first-generation UMA standard in 2015. Today, UMA 2.0 is in the final stages of approval. UMA 2.0 is a federated authorization protocol that leverages OAuth 2.0 and identity frameworks.

Customers, citizens, employees, and partners are demanding the ability to control access to their personal information when they interact with businesses, healthcare providers, universities, and governments. Developed via an open standards-based approach that gives both users and organizations a high degree of flexibility, UMA is becoming a key enabler for driving privacy and IAM. In our next post, we’ll discuss how UMA is being applied to a growing number of use cases, including Authorization-as-a-Service for the Internet of Things (IoT).


For more information about User Managed Access, please send us an email at (

Leave a Comment