Revocation of Delegated Authentication Use Case

From IDESG Wiki

Title: Revocation of Delegated Authentication


Use Case Description: Using a person's own identity, authenticated with a high-value credential, disassociate access rights from another individual's identity, removing any authority for that person to act on their behalf.


Use Case Category: Trust/Assurance, Authentication, Interoperability, Privacy


Contributor: John MacTaggart


Use Case Details

Actors:

  • Financial institution
  • Benefits Providers
  • Relying parties
  • Identity Providers


Goals:

  1. Timely discontinuance of access by others to the primary user's private information on that user's behalf.
  2. Fraud reduction, which may imply cost reduction for the relying party.
  3. Viable business model for the relying party.


Assumptions:

  1. The relying party supports delegated access and revocation of delegated access.


Requirements: an Internet access device; identity information for the authorizing user and for the delegated user; and identity information for the relying party.


Process Flow:

  1. The delegating user accesses the relying party with the high level of authentication required by the relying party.
  2. The user wishes to terminate a delegation relationship with another known user at the relying party.
    1. The user searches for and selects a delegated user with access to their account.
    2. The user requests that the delegation be terminated.
  3. The relationship is terminated for that relying party and all parties are notified of the change.


Success Scenario:

  1. Delegated user can no longer access their client's information.
  2. Delegated spouse can no longer access benefits accounts established by their spouse.
  3. Delegated financial planner can no longer access performance results of their clients.
  4. Delegated mortgage broker can no longer access account and rate information of their clients.


Error Conditions:

  1. The delegating user does not have the credentials required by the relying party. Mitigation: the relying party allows a manual request to revoke the delegated relationship.
  2. User cannot find the delegated user in the relying party system.
  3. Relying party does not support revocation of delegated access.
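As an added illustration (not from the IDESG wiki or any real relying party), the following Python sketch models the process flow and the first two error conditions above: a revocation is accepted only when the delegating user's session meets the relying party's required assurance level, fails cleanly when the delegated user cannot be found, deactivates the delegation so the delegate's access checks fail afterwards (the success scenario), and records a notification to all parties. The assurance-level constants, the RelyingParty class and the "rp-audit" notification recipient are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed assurance levels (hypothetical numeric ordering; the page names none).
LOA_LOW, LOA_HIGH = 1, 3


@dataclass
class Delegation:
    delegator: str      # account owner (the primary user)
    delegate: str       # user permitted to act on the owner's behalf
    scope: str          # e.g. "benefits", "portfolio", "mortgage-rates"
    active: bool = True


class RelyingParty:
    """Toy relying party that stores delegations and supports revoking them."""

    def __init__(self, required_loa: int = LOA_HIGH):
        self.required_loa = required_loa
        self.delegations: list[Delegation] = []
        self.notifications: list[tuple[str, str]] = []  # (recipient, message)

    def grant(self, delegator: str, delegate: str, scope: str) -> None:
        self.delegations.append(Delegation(delegator, delegate, scope))

    def can_access(self, actor: str, owner: str, scope: str) -> bool:
        """Acting on another's data requires a live delegation for that scope."""
        return any(d.active and d.delegator == owner and d.delegate == actor
                   and d.scope == scope for d in self.delegations)

    def find_delegates(self, delegator: str) -> list[str]:
        """Process step 2.1: the owner lists users currently delegated on their account."""
        return sorted({d.delegate for d in self.delegations
                       if d.active and d.delegator == delegator})

    def revoke(self, delegator: str, session_loa: int, delegate: str) -> str:
        # Error condition 1: session authenticated below the level the RP requires.
        if session_loa < self.required_loa:
            return "ERROR_INSUFFICIENT_CREDENTIAL"   # caller falls back to a manual request
        targets = [d for d in self.delegations
                   if d.active and d.delegator == delegator and d.delegate == delegate]
        # Error condition 2: the delegated user is not found on this account.
        if not targets:
            return "ERROR_DELEGATE_NOT_FOUND"
        for d in targets:            # step 3: terminate every scope for that delegate
            d.active = False
        for party in (delegator, delegate, "rp-audit"):   # step 3: notify all parties
            self.notifications.append((party, f"delegation {delegator}->{delegate} revoked"))
        return "REVOKED"
```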


Relationships

  • Extended by:
  • Extension of:

References and Citations