Sequence: RO: Create Resource - ForgeRock/frdp-uma-resource-server GitHub Wiki

The process:

The Resource Owner (RO) controls the "life cycle" of their resources. The management of an actual "resource" (create, read, update, delete) is out-of-scope for the User Managed Access (UMA) specification. The Resource Server (RS), from a UMA perspective, enables the Resource Owner (RO) to register resources and apply policies. The Resource Server (RS) will enforce Requesting Party (RqP) access to the resources. Requesting Parties (RqP) will only be allowed to perform operations against resources that have a proper policy.

This Reference Implementation uses an external Content Server (CS) to manage actual resources / documents. The management of actual resources / documents could be provided as an embedded capability of the Resource Server (RS).

This sequence covers the process in which a Resource Owner (RO) creates a resource (document) using a custom Resource Owner Application (ROA). The Resource Server (RS) creates the resource's metadata.

The sequence:

  • Resource Owner (RO) must be authenticated with the Authorization Server (AS)
    • This can be done prior to accessing the Resource Owner Application (ROA) with an SSO session or via an explicit login process
  • Resource Owner Application (ROA) is used to initiate a "create" process for a given resource / document.
  • Resource Owner Application (ROA) issues a POST request to the Resource Server (RS) /manage/resources interface to create the resource
    • The request contains required and optional attributes that are used to perform operations.
    • The Resource Server (RS) validates the RO user session via the SSO session token.
  • Resource Server (RS) creates the resource's metadata
    • The resource metadata sets the state to "private" and discoverable to "false". The state and discoverable attributes are used to support Requesting Party (RqP) operations.
  • Resource Owner Application (ROA) receives the response from the create operation
    • The interface is updated with the created resource
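
The Resource Server side of this sequence, as an added sketch that is not code from the frdp-uma-resource-server project: it validates the SSO session before writing anything, takes the owner from the session, and creates the metadata as "private" and not discoverable. The in-memory stores, function names, the "name" and "description" attributes, and the choice to ignore any state/discoverable values sent by the client are assumptions.

```python
import secrets

# Constructed sample data: SSO session token -> authenticated subject, standing
# in for the session lookup the RS would make against the AS (assumption).
SESSIONS = {"sso-token-alice": "alice"}
RESOURCES = {}  # in-memory stand-in for the RS metadata store (assumption)


class Unauthorized(Exception):
    """Raised when the SSO session token does not map to a live session."""


def validate_session(sso_token):
    """Return the subject for a valid SSO token, else raise Unauthorized."""
    subject = SESSIONS.get(sso_token or "")
    if subject is None:
        raise Unauthorized("invalid or missing SSO session token")
    return subject


def create_resource(sso_token, body):
    """Model of POST /manage/resources: validate the session, then create metadata."""
    owner = validate_session(sso_token)  # session check happens before any write
    name = body.get("name")  # "name" is a hypothetical required attribute
    if not isinstance(name, str) or not name.strip():
        raise ValueError("missing required attribute: name")
    resource_id = secrets.token_hex(16)  # unguessable id chosen by the RS
    RESOURCES[resource_id] = {
        "id": resource_id,
        "owner": owner,  # taken from the session, never from the request body
        "name": name.strip(),
        "description": body.get("description", ""),  # hypothetical optional attribute
        # Fixed at creation as the sequence describes; in this sketch any
        # state/discoverable values in the body are ignored (assumption).
        "state": "private",
        "discoverable": False,
    }
    return dict(RESOURCES[resource_id])


if __name__ == "__main__":
    print(create_resource("sso-token-alice", {"name": "report.pdf"}))
```

Because the owner and the two visibility attributes never come from the request body, a newly created resource stays invisible to Requesting Parties until the RO takes a later, explicit step.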