Consent driven synchronisation in the age of GDPR

Using a small example I would like to point out a basic requirement of the new European data protection regulation. Of course this is only a small excerpt, but it is a good illustration of how easily an identity-driven process can be controlled from a user dashboard. (The code for testing is below and comes without any guarantee!)

Background: The new ForgeRock Identity Management contains features that address requirements of the General Data Protection Regulation. These include in particular the customer's consent to the use of their personal data and the processing that is based on it.

In my simple example, the user gives consent to release certain data for certain processes. The user receives a UI notification and an additional e-mail whenever they give or withdraw consent.

Example: user dashboard “Privacy & Consent”

The user triggers a LiveSync to a target system. This process is described in an IDM mapping. To keep the test simple, I do not use an external target system but instead create a Marketing Consent managed object; IDM can create arbitrary “managed objects”.

Managed object for marketing consent data

In the mapping, the corresponding attributes from the user managed object are now filled, consent-driven. It is important that consent (the consentRequired switch) is enabled when the mapping is created. This automatically gives the mapping a LiveSync for the consent, since the consent is stored in the user attribute consentedMappings as an array. An example of this follows later.

Depending on the mapping settings, users also see which attributes are shared. To illustrate this better, I have defined different consents with different attributes.

If the user activates their permission (the toggle is on), a record with the attributes is written to the MarketingConsent managed object, or deleted again when the permission is withdrawn. As I said, for the sake of simplicity I have used a managed object in IDM, but of course you could imagine a CRM, databases or other targets here.

In the mapping I changed a few things to be a bit creative: to route several consent-driven mappings into one managed object, I entered a target query filter with the name of the consent. A mapping therefore only reacts to the records matching its own filter, and I can realise multiple mappings with different consents in ONE managed object (as I said, only for the demo). Furthermore I created onCreate and onDelete triggers to send the notifications (e-mail and UI).
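To make the interplay of consentedMappings, consentRequired, the target query filter and the onCreate/onDelete triggers concrete, here is an added example (not ForgeRock's code and not part of the original post): an in-memory model of two consent-driven mappings that share one target store. The field names and the situation/action pairs follow the mapping config shown further down; the evaluation logic, the fake `openidm` object, the `{ mapping, consentDate }` shape of consentedMappings entries and the sample user are assumptions made for this illustration.

```javascript
// Added example, not ForgeRock's code: an in-memory model of the consent-driven
// mapping described above. The field names (consentedMappings, consentRequired,
// targetQuery, onCreate/onDelete) and the situations/actions follow the page's
// mapping config; the evaluation logic, the fake `openidm` object and the
// sample user are constructed here for illustration only.

const targetStore = [];                           // stands in for managed/marketingconsent
const outbox = { emails: [], notifications: [] }; // what the hooks would have sent

// Constructed stand-in for the scripting object the page's onCreate/onDelete use.
const openidm = {
  action(endpoint, verb, params) {
    if (endpoint === "external/email" && verb === "send") outbox.emails.push(params);
  },
  create(resource, id, obj) {
    if (resource === "repo/ui/notification/") outbox.notifications.push(obj);
  },
};

// E-mail plus UI notification, as the page's triggers do.
function notify(source, message) {
  openidm.action("external/email", "send", {
    from: "admin@example.com", to: source.mail, subject: message, type: "text/plain", body: message,
  });
  openidm.create("repo/ui/notification/", null, {
    receiverId: source._id, notificationType: "info", message,
  });
}

// One consent-driven mapping per product line; all of them write into the same target
// and are kept apart only by the targetQuery on the record's `name` (the page's trick).
function consentMapping(name, portalname) {
  return {
    name,
    consentRequired: true,
    targetQuery: { field: "name", value: portalname }, // models: name eq "<portalname>"
    properties: (user) => ({
      name: portalname, consent: true, userid: user._id, username: user.userName, email: user.mail,
    }),
    onCreate: (source) => notify(source, "Registrierung " + portalname),
    onDelete: (source) => notify(source, "Abmeldung " + portalname),
  };
}

// A source qualifies for a consentRequired mapping only if the user has consented to it by name.
// consentedMappings entries are assumed to look like { mapping, consentDate }.
function qualifies(user, mapping) {
  if (!mapping.consentRequired) return true;
  return (user.consentedMappings || []).some((c) => c.mapping === mapping.name);
}

// The targetQuery narrows the shared store to this consent's records before matching the user.
function findTarget(user, mapping) {
  return targetStore.findIndex(
    (r) => r[mapping.targetQuery.field] === mapping.targetQuery.value && r.userid === user._id,
  );
}

// Situation handling as configured on the page: ABSENT -> CREATE, CONFIRMED -> UPDATE,
// UNQUALIFIED -> DELETE, SOURCE_IGNORED -> IGNORE. Returns "SITUATION/ACTION".
function sync(user, mapping) {
  const idx = findTarget(user, mapping);
  if (qualifies(user, mapping)) {
    if (idx === -1) {
      targetStore.push(mapping.properties(user));
      mapping.onCreate(user);
      return "ABSENT/CREATE";
    }
    targetStore[idx] = mapping.properties(user);
    return "CONFIRMED/UPDATE";
  }
  if (idx !== -1) {
    targetStore.splice(idx, 1);
    mapping.onDelete(user);
    return "UNQUALIFIED/DELETE";
  }
  return "SOURCE_IGNORED/IGNORE";
}

// Scenario: the user switches BabyCare on, then BeautyCare on, then BabyCare off again.
function runScenario() {
  targetStore.length = 0; outbox.emails.length = 0; outbox.notifications.length = 0;
  const mappings = [consentMapping("BabyCare", "Baby Care"), consentMapping("BeautyCare", "Beauty Care")];
  const user = { _id: "u-1", userName: "jdoe", mail: "jdoe@example.com", consentedMappings: [] }; // constructed
  const trace = [];
  const toggle = (name, on) => {
    user.consentedMappings = on
      ? [...user.consentedMappings, { mapping: name, consentDate: "2018-05-25T10:00:00Z" }]
      : user.consentedMappings.filter((c) => c.mapping !== name);
    // Any change to consentedMappings LiveSyncs every consent mapping.
    for (const m of mappings) trace.push(m.name + ":" + sync(user, m));
  };
  toggle("BabyCare", true);
  toggle("BeautyCare", true);
  toggle("BabyCare", false);
  return {
    trace,
    records: targetStore.map((r) => r.name),
    emails: outbox.emails.length,
    notifications: outbox.notifications.length,
  };
}

console.log(JSON.stringify(runScenario(), null, 1));
```

The trace shows why the query filter matters: when BabyCare is switched off, only the "Baby Care" record is deleted and the "Beauty Care" record of the same user in the same store is left untouched; without the filter the two mappings would correlate to each other's records.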

Example consent with the notifications in the UI

This is of course only the beginning and you can certainly imagine other settings.


And here are the steps if you want to test it yourself:

  1. Download the current version of OpenIDM from https://backstage.forgerock.com and install it.
  2. Create the managed object for the marketing consent (curl command below).
  3. Create a mapping (example) for the consented sync (curl command below).
  4. Create a user in IDM and log in.
  5. Switch on “BabyCare” in the user dashboard under Consent. In the managed object the user should now have created a new consent record with “BabyCare”.

Hints: E-mail should be configured, since an e-mail is sent to the user. The curl commands below use the default openidm-admin credentials over plain HTTP, which is only acceptable against a local test instance.

Curl command for creating the managed object in IDM:

curl -X PATCH \
  http://localhost:8080/openidm/config/managed \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'X-OpenIDM-Password: openidm-admin' \
  -H 'X-OpenIDM-Username: openidm-admin' \
  -d '[
  {
    "operation": "add",
    "field": "objects/-",
    "value": {
      "name": "marketingconsent",
      "schema": {
        "$schema": "http://forgerock.org/json-schema#",
        "type": "object",
        "title": "Marketing Consent",
        "description": "Consent Database",
        "icon": "fa-arrow-right",
        "properties": {
          "_id": {
            "title": "_id",
            "type": "string",
            "viewable": false,
            "searchable": false,
            "userEditable": false,
            "description": "",
            "minLength": "",
            "isVirtual": false
          },
          "name": {
            "title": "Name",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "sn": {
            "title": "Lastname",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "firstname": {
            "title": "Firstname",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "consent": {
            "title": "Consent",
            "type": "boolean",
            "viewable": true,
            "searchable": false,
            "userEditable": true
          },
          "userid": {
            "title": "User ID",
            "type": "string",
            "viewable": true,
            "searchable": false,
            "userEditable": false,
            "description": "",
            "minLength": "",
            "isVirtual": false
          },
          "username": {
            "title": "Username",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true,
            "description": "",
            "minLength": "",
            "isVirtual": false
          },
          "email": {
            "title": "Email",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "mobile": {
            "title": "Mobile Phone",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "city": {
            "title": "City",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "accountnumber": {
            "title": "Account Number",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": true
          },
          "date": {
            "title": "Consent Date",
            "type": "string",
            "viewable": true,
            "searchable": true,
            "userEditable": false,
            "description": "",
            "minLength": ""
          }
        },
        "order": [
          "_id",
          "name",
          "sn",
          "firstname",
          "consent",
          "userid",
          "username",
          "email",
          "mobile",
          "city",
          "accountnumber",
          "date"
        ],
        "required": []
      },
      "iconClass": "fa fa-database",
      "type": "Managed Object"
    }
  }
]'

Curl command for creating an example sync (the embedded scripts are JSON-escaped: quotes as \" and line breaks as \n):

curl -X PATCH \
  http://localhost:8080/openidm/config/sync \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'X-OpenIDM-Password: openidm-admin' \
  -H 'X-OpenIDM-Username: openidm-admin' \
  -d '[
  {
    "operation": "add",
    "field": "mappings/-",
    "value": {
      "target": "managed/marketingconsent",
      "source": "managed/user",
      "name": "BeautyCare",
      "consentRequired": true,
      "icon": null,
      "properties": [
        {
          "target": "email",
          "source": "mail"
        },
        {
          "target": "userid",
          "source": "_id"
        },
        {
          "target": "username",
          "source": "userName"
        },
        {
          "target": "consent",
          "default": true
        },
        {
          "target": "name",
          "default": "Beauty Care"
        },
        {
          "target": "date",
          "transform": {
            "type": "text/javascript",
            "globals": {},
            "source": "dateUtil = org.forgerock.openidm.util.DateUtil.getDateUtil(\"GMT\");\ndateUtil.now()"
          },
          "source": ""
        }
      ],
      "policies": [
        { "action": "EXCEPTION", "situation": "AMBIGUOUS" },
        { "action": "EXCEPTION", "situation": "SOURCE_MISSING" },
        { "action": "EXCEPTION", "situation": "MISSING" },
        { "action": "EXCEPTION", "situation": "FOUND_ALREADY_LINKED" },
        { "action": "DELETE", "situation": "UNQUALIFIED" },
        { "action": "EXCEPTION", "situation": "UNASSIGNED" },
        { "action": "EXCEPTION", "situation": "LINK_ONLY" },
        { "action": "IGNORE", "situation": "TARGET_IGNORED" },
        { "action": "IGNORE", "situation": "SOURCE_IGNORED" },
        { "action": "IGNORE", "situation": "ALL_GONE" },
        { "action": "UPDATE", "situation": "CONFIRMED" },
        { "action": "UPDATE", "situation": "FOUND" },
        { "action": "CREATE", "situation": "ABSENT" }
      ],
      "targetQuery": {
        "_queryFilter": "name eq \"Beauty Care\""
      },
      "onCreate": {
        "type": "text/javascript",
        "globals": {},
        "source": "dateUtil = org.forgerock.openidm.util.DateUtil.getDateUtil(\"GMT\");\nportalname = \"Beauty Care\";\n\n// send email to user\nemailParams = {\n  \"from\" : \"admin@example.com\",\n  \"to\" : source.mail,\n  \"subject\" : \"Registrierung Adhesive Technology\",\n  \"type\" : \"text/plain\",\n  \"body\" : \"Vielen Dank für die Registrierung bei \" + portalname\n};\nopenidm.action(\"external/email\", \"send\", emailParams);\n\n// set ui notification as well\nvar params = {\n  \"receiverId\" : source._id,\n  \"requesterId\" : \"\",\n  \"requester\" : \"\",\n  \"createDate\" : dateUtil.now(),\n  \"notificationType\" : \"info\",\n  \"notificationSubtype\" : \"\",\n  \"message\" : \"Registrierung \" + portalname\n};\nopenidm.create(\"repo/ui/notification/\", null, params);\n"
      },
      "onDelete": {
        "type": "text/javascript",
        "globals": {},
        "source": "dateUtil = org.forgerock.openidm.util.DateUtil.getDateUtil(\"GMT\");\nportalname = \"Beauty Care\";\n\n// send email to user\nemailParams = {\n  \"from\" : \"admin@example.com\",\n  \"to\" : source.mail,\n  \"subject\" : \"Abmeldung Adhesive Technology\",\n  \"type\" : \"text/plain\",\n  \"body\" : \"Abmeldung bei \" + portalname\n};\nopenidm.action(\"external/email\", \"send\", emailParams);\n\n// set ui notification as well\nvar params = {\n  \"receiverId\" : source._id,\n  \"requesterId\" : \"\",\n  \"requester\" : \"\",\n  \"createDate\" : dateUtil.now(),\n  \"notificationType\" : \"info\",\n  \"notificationSubtype\" : \"\",\n  \"message\" : \"Abmeldung \" + portalname\n};\nopenidm.create(\"repo/ui/notification/\", null, params);\n"
      }
    }
  }
]'
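The "several mappings into one managed object" trick only works if a few invariants hold: each mapping's `name` default must equal the value in its own `_queryFilter` (otherwise the records it writes are never found again and pile up), no two mappings may claim the same filter on the same target, `consentRequired` must be true, and `UNQUALIFIED` must map to `DELETE` so that withdrawing consent actually removes the record. The following added example (not ForgeRock's code and not part of the original post) lints a list of mappings for exactly these points. The sample mappings are constructed here: BeautyCare mirrors the settings above, while BabyCare carries two deliberate copy-and-paste mistakes.

```javascript
// Added example, not ForgeRock's code: a lint for mappings built the way the page
// does it, i.e. several consentRequired mappings that share one target managed object
// and are separated by a targetQuery on `name`. The sample mappings below are
// constructed here (BeautyCare copies the page's settings; BabyCare carries two
// deliberate copy-and-paste mistakes); the checks themselves are this example's own.

const sampleMappings = [
  {
    name: "BeautyCare",
    target: "managed/marketingconsent",
    consentRequired: true,
    properties: [
      { target: "email", source: "mail" },
      { target: "name", default: "Beauty Care" },
    ],
    policies: [{ action: "DELETE", situation: "UNQUALIFIED" }, { action: "CREATE", situation: "ABSENT" }],
    targetQuery: { _queryFilter: 'name eq "Beauty Care"' },
  },
  {
    name: "BabyCare",
    target: "managed/marketingconsent",
    consentRequired: true,
    properties: [
      { target: "email", source: "mail" },
      { target: "name", default: "Baby Care" },
    ],
    policies: [{ action: "EXCEPTION", situation: "UNQUALIFIED" }, { action: "CREATE", situation: "ABSENT" }],
    targetQuery: { _queryFilter: 'name eq "Beauty Care"' }, // filter not updated after copying
  },
];

// Extracts the consent name from a filter of the exact form used on the page.
function filterValue(queryFilter) {
  const m = /^name eq "([^"]*)"$/.exec(queryFilter || "");
  return m ? m[1] : null;
}

// Checks one mapping in isolation; returns a list of human-readable problems.
function lintMapping(m) {
  const problems = [];
  if (m.consentRequired !== true) {
    problems.push("consentRequired is not true: the mapping would sync without the user's consent");
  }
  const fv = filterValue(m.targetQuery && m.targetQuery._queryFilter);
  const nameProp = (m.properties || []).find((p) => p.target === "name");
  if (fv === null) {
    problems.push('targetQuery must be a filter of the form name eq "<consent>"');
  } else if (!nameProp || nameProp.default !== fv) {
    problems.push(`name default "${nameProp ? nameProp.default : ""}" does not match targetQuery "${fv}": ` +
      "records this mapping writes would never be found again by its own filter");
  }
  const unq = (m.policies || []).find((p) => p.situation === "UNQUALIFIED");
  if (!unq || unq.action !== "DELETE") {
    problems.push("UNQUALIFIED must map to DELETE, otherwise withdrawing consent leaves the record behind");
  }
  return problems;
}

// Lints every mapping and additionally flags two mappings that claim the same filter
// on the same target, since they would fight over the same records.
function lintAll(mappings) {
  const report = {};
  const seen = new Map(); // "target|filterValue" -> name of the mapping that claimed it first
  for (const m of mappings) {
    report[m.name] = lintMapping(m);
    const fv = filterValue(m.targetQuery && m.targetQuery._queryFilter);
    if (fv === null) continue;
    const key = m.target + "|" + fv;
    if (seen.has(key)) {
      report[m.name].push(`targetQuery duplicates mapping ${seen.get(key)} on ${m.target}`);
    } else {
      seen.set(key, m.name);
    }
  }
  return report;
}

console.log(JSON.stringify(lintAll(sampleMappings), null, 2));
```

Run it against the `mappings` array of your own sync.json (the objects have the same shape as the `value` in the PATCH above) before loading the configuration; a clean report is an empty list for every mapping name.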
