CIAM.wiki


User-Managed Access (UMA)

User-Managed Access is an OAuth-based standard that lets a person set policies for who can access their resources and data, enabling user-driven sharing and delegation rather than per-application consent alone.

Also: UMA, UMA 2.0

User-Managed Access extends OAuth 2.0 so that the resource owner, not just the application, sets the rules for who can reach their data. Standard OAuth asks a user to consent to one application at the moment of access. UMA lets the user define policies in advance that an authorization server then enforces for many requesting parties, including people and organizations other than the user themselves.

The model introduces an authorization server the user controls, sitting between their resources and anyone asking for them. That makes it a natural fit for selective, ongoing sharing: a patient granting a clinic access to records, a customer letting a family member act on an account, or any case where the individual wants to manage access on their own terms over time.
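To make the split between resource owner, authorization server (AS), resource server (RS) and requesting party concrete, here is an added toy model of the UMA 2.0 grant (permission ticket, then requesting-party token, then introspection); it is my own illustration, not code from this page or from any UMA product, and the class names, the "sub" claim, the resource identifiers and the policies are assumed or constructed.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class AuthorizationServer:
    policies: dict = field(default_factory=dict)  # resource_id -> [(scope, party, expires_at)]
    tickets: dict = field(default_factory=dict)   # permission ticket -> (resource_id, scopes)
    rpts: dict = field(default_factory=dict)      # RPT -> (resource_id, granted scopes, party)

    def set_policy(self, resource_id, scope, party, expires_at=None):
        """Resource owner decides ahead of time who may do what, optionally until when."""
        self.policies.setdefault(resource_id, []).append((scope, party, expires_at))

    def permission_ticket(self, resource_id, scopes):
        """The RS registers an attempted access; the AS answers with a ticket."""
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (resource_id, frozenset(scopes))
        return ticket

    def token(self, ticket, claims, now):
        """Token endpoint: ticket + requesting-party claims -> RPT, or None if no policy fits."""
        resource_id, scopes = self.tickets.pop(ticket)  # tickets are single-use
        party = claims["sub"]
        granted = frozenset(s for s in scopes if any(
            ps == s and pp == party and (exp is None or exp > now)
            for ps, pp, exp in self.policies.get(resource_id, [])))
        if not granted:
            return None
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = (resource_id, granted, party)
        return rpt

    def introspect(self, rpt):
        """The RS asks what an RPT actually permits before serving anything."""
        return self.rpts.get(rpt)

def resource_server(as_, resource_id, scopes, rpt=None):
    """RS rule: no adequate RPT -> refuse (401) and hand back a permission ticket."""
    perm = as_.introspect(rpt)
    if perm and perm[0] == resource_id and set(scopes) <= perm[1]:
        return "200", perm[2]  # serve, and the RS knows which requesting party this is
    return "401", as_.permission_ticket(resource_id, scopes)

def requesting_party_access(as_, resource_id, scopes, claims, now):
    """The whole exchange from the client's side; returns the RS's final status."""
    _, ticket = resource_server(as_, resource_id, scopes)  # first try carries no RPT
    rpt = as_.token(ticket, claims, now)
    if rpt is None:
        return "403"  # the owner never granted this party these scopes, or it expired
    return resource_server(as_, resource_id, scopes, rpt)[0]
```

Note that the requesting party (the clinic, the family member) is a different principal from the resource owner, and nothing in the flow asks the owner to click consent at access time: the decision comes entirely from the policy set earlier.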

In CIAM, UMA matters where customer-driven sharing and delegation are real requirements rather than edge cases. It pairs with consent receipts, which record what was agreed, and it shifts consent from a one-time click into managed policy. Adoption is uneven, so treat it as a capability to confirm against your delegation use cases rather than one to assume is available.