User-Managed Access (UMA) is an access management protocol standard that allows users to control authorization and delegation of access to their resources to online services and other entities. The standard lets resource owners directly manage the rules for access to their private information. This is a key feature in the evolution of access management in the IoT world and has thus inspired many of the leading Access Management software companies to integrate UMA into their products.

UMA relies on the Open standard for Authorization (OAuth 2.0) and extends it to support the new user-centric concepts of Resource Owner (RO) and Requesting Party (RqP), as well as to clearly distinguish the concepts of Client (C), Resource Server (RS) and Authorization Server (AS). In simple words, the interaction between these entities can be summarized as follows. To manage access to a particular resource, a resource owner communicates with the authorization server through their resource server and sets up policy rules and conditions. Assuming that the policy rules allow some sort of access to a requesting party, the party can request access by having their client communicate with the resource server and provide a valid token, which the authorization server issues if the request is legitimate. The following diagram illustrates the protocol standard:



Figure 1: UMA entities and relationships taken from
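
The interaction summarized above, modeled in memory as an added example (not part of the original page and not Nulli's code). The class names, the HMAC-signed token format and the sample resources are assumptions, and the exchange is reduced to the steps the paragraph names: the owner sets policy through the resource server, the authorization server issues a token only if policy allows it, and the resource server checks the token on access.

```python
import base64, hashlib, hmac, json

class AuthorizationServer:
    """Stores the resource owner's policy and issues tokens (HMAC format is an assumption)."""
    def __init__(self, key):
        self._key, self._policy = key, {}    # policy: (resource, party) -> allowed scopes
    def set_policy(self, resource, party, scopes):
        self._policy[(resource, party)] = set(scopes)
    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest().encode()

    def issue_token(self, resource, party, scope):
        if scope not in self._policy.get((resource, party), set()):
            return None                       # policy does not allow this access
        payload = json.dumps({"res": resource, "rqp": party, "scope": scope}).encode()
        return base64.urlsafe_b64encode(payload) + b"." + self._sign(payload)

    def introspect(self, token):
        """Return the token's claims, or None if it is missing, malformed or altered."""
        try:
            body, sig = token.rsplit(b".", 1)
            payload = base64.urlsafe_b64decode(body)
        except (AttributeError, TypeError, ValueError):
            return None
        if not hmac.compare_digest(sig, self._sign(payload)):
            return None
        return json.loads(payload)

class ResourceServer:
    """Hosts resources; relays owner policy to the AS and checks tokens on access."""
    def __init__(self, auth_server, resources):
        self._as, self._resources = auth_server, resources

    def owner_sets_policy(self, resource, party, scopes):
        self._as.set_policy(resource, party, scopes)

    def handle(self, resource, scope, token):
        claims = self._as.introspect(token)
        # The token must be valid AND issued for this exact resource and scope.
        if not claims or (claims["res"], claims["scope"]) != (resource, scope):
            return 403, None
        return 200, self._resources[resource]

def demo():
    auth = AuthorizationServer(b"constructed-demo-key")
    rs = ResourceServer(auth, {"thermostat-log": "21.5 C", "door-lock": "locked"})
    rs.owner_sets_policy("thermostat-log", "bob", ["read"])    # constructed sample policy
    token = auth.issue_token("thermostat-log", "bob", "read")
    return (rs.handle("thermostat-log", "read", token),         # policy allows: 200
            rs.handle("door-lock", "read", token),              # token is for another resource
            auth.issue_token("thermostat-log", "bob", "write")) # no policy, so no token
```

The resource server compares the token's resource and scope with the request, so a token issued for one resource is rejected when presented for another.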


Nulli can help your enterprise:

  • Understand UMA capability, theory, and best practices.
  • Design a flexible and scalable UMA solution that suits your corporate requirements.
  • Integrate UMA in a systematic way into your already existing IAM architecture.
  • Improve end user satisfaction.
  • Develop custom UMA implementations and enhancements for edge-case needs.