Consents for just-in-case provisioning
Just-in-case provisioning is used for services that require data about services even when users are not using the service directly. This principle is used to create accounts before the first usage of the service, keep account information up to date, or implement deprovisioning, which is, in short, disabling the accounts of users who are no longer eligible to use the service.Example services are:
- mailing lists (members of the lists need to be managed even though they rarely sign in to the mailing list web interface)
- addresses directories (manage up to date information for institution-wide address book)
- cloud platforms (suspend virtual machines of users who are no longer eligible to use the service).
On the technical level, just-in-case provisioning is implemented by Perun IdM, where provisioning rules are defined by giving access for groups to used resources representing capabilities of target services (e.g. concrete mailing list, access to a project web page, etc.). A delegated person gives access, and only users authorized this way will be provisioned to the target system.
Apart from the technical aspects, the provisioning process must uphold the privacy data protection regulations. Therefore only users for whom we have the legal basis for using the data will be provisioned to the target service. In most cases, the legal base is consent.When the user becomes eligible to use a service that requires provisioning, he will be asked via an email notification about providing consent. Only users who gave the consent will be provisioned. Others won't be provisioned to the service at all. Therefore the service will get no information about them. Users can manage consents on their profile page and decide to give or revoke them anytime. Withdrawing the consent will prevent the provisioning of all user data to the service. The service might react accordingly, for example, disabling or even deleting the account.