Use Cases for MidPrivacy

Last modified 12 Mar 2021 10:22 +01:00

Use cases and "user stories" for MidPrivacy project. The purpose of this document is to guide design activities by providing a list all the practical use cases for inspiration. We do not claim that our implementation will support all of those use cases.

This list is not complete. It is expected that it will be continually updated.

Related use-cases are captured in following pages:

Crucial part of privacy preserving features is to put end user in control. Let them make decision what will happen with their data. But there are other factor which needs to be taken into account. Data processing might be done because of legal requirements, legitimate interests or there might be other basis which might overrule users' decisions. The challenge here is to combine the policies with users decision and correctly evaluate how the data can be processed. Moreover is important to be able to provide information on what basis are the data processed for the audit purposes.

Managing user consent to process data is simple on a technical level but difficult from the user experience perspective. Main challenge is to chose optimal granularity, so the users aren’t overwhelmed by the amount of consent decisions they have to deal with, but they still have they data in control. Moreover the requirements on the consent process might be affected by laws or organization policies which will differ for each midPoint deployment. Therefore the consent management have to be flexible and configurable. Additional challenge is when and how to get the consent. This might happen directly in midPoint, probably with leveraging email notifications, but it can be also done in the access system when the user is accessing a service. For that midPoint have to be able to provide information about the existing consents but also import consents from the access system or any other system.

Data representation for end users

All consents for data processing give by users should be so called informed consents. That means that users should understand for what purpose they are giving the consent and what are the data that will be processed. Identity management is working with broad scale of data, some of which might problematic or impossible to be understood by end users. Therefore we need a human-readable representation of such data. Some data can be displayed as is, some can be "translated" to human readable for using translation table and others need explanation instead of showing the value (e.g. state that this is user’s certificate instead of showing the binary representation of data). There might be even more ways to represent data which have to be analyzed first.

Privacy preserving user profile

Some types of organization like universities give their users bigger degree of freedom when it comes to maintaining the user profile. Users can for example choose their own contact information (e.g. email address), nickname, artist name, main department (in case they belong to multiple one) and so on. Usually is for the user comfort but it might serve as privacy preserving tool as well. Especially, when it would be possible to select what attribute values will be released to which service. Of course this feature have to be compliant with organization policy which might mandate for some services to ignore preferences of user and release the official/primary values of attributes.

Access to sensitive data

Not all data are equal. Some of them are labeled as sensitive which means there might substantial damage (financial, reputation, …​) caused by unauthorized access to such data. Common approach to protect such data is to enforce multi-factor authentication. Even though midPoint won’t contain sensitive data directly in most of the cases it might be used to manage authorization for them. Therefore, midPoint should have the same level of security (e.g. multi-factor authentication) as access to the data themself. Having multi-factor authentication for all midPoint operation might be perceived as user-unfriendly and users might even slip to recklessness when dealing with multi-factor authentication because they won’t use it for managing access to sensitive data in most cases. Therefore the solution might be to require higher degree of authentication only when user will manage access to sensitive data.

Privacy protection of data in midPoint

MidPoint itself is typically full of personal data. Typically management of roles, access rights, groups, etc. is distributed between multiple persons and it’s often dynamic - based on position withing the organization etc. These managers have to work with users to give them access and for that they need to see some of their attributes to be at least able to identify them. MidPoint have to provide a way how to limit access to other persons data or even mandate for the mangers to agree with privacy policy before they will be allowed to see the data of others.