Archived 2024-03-12. Please refer to the CDS Guide.
Question
In Consumer Data Standard (CDS), Client Registration Management, the authorisation server support for a Delete API is marked as optional. Does this mean that a Data Holder (DH) can choose to not implement the Delete API?
Answer
The CDS does not specify the exact behaviour of the DH when it receives a delete request. However, the DH should ensure that the other requirements in Client Registration are maintained as per the CDS.
Question
What is the expected usage scenario for the Delete API? Why or when would an Accredited Data Recipient (ADR) want to delete their registration, given there is an Update API to modify registration details?
Answer
Currently there is no expected usage scenario for the Delete API. The ADR might choose to clean up their registrations, either at the beginning of a Software Product's lifecycle, where erroneous registrations may have occurred, or at the end of the lifecycle, when the Software Product is decommissioned.
However, currently, the design does not require all DHs to support this functionality. Future design iterations may look at changing this position if there is community demand for standardising this functionality.
Question
What is the expected DH behaviour in response to a delete request received, if there are active arrangements associated with the registered client? Should the DH reject the delete request, or invalidate consents and clean up registrations?
Answer
When an ADR chooses to delete registration, the DH is required to expire all consents at the time the ADR status is set to revoked or surrendered. The status of the Software Product changes to inactive. When the delete registration is requested there should be no active consents.
If the ADR is deleting a Software Product from the CDR ecosystem, independent of the above-mentioned changes in status either at the Legal Entity or Software Product Status level, then the DH must delete all associated consents.
When an ADR status is surrendered and the status of the Software Product is inactive, all consents must be preserved.
The DH can also undertake these security hygiene tasks when the software status changes to remove, regardless of whether an ADR calls the delete function.
Question
The duplicate check for registration requests is on the Software Product ID. If a registration associated with the software product ID has been deleted, should a subsequent registration request succeed, using the same software product ID?
Answer
Regardless of any previous registrations, when the CDR Register issues a Software Statement Assertion for an active software product, that product must be able to register with all relevant DHs in the ecosystem.
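As an added example (not part of the CDS or of the original article), the sketch below models one way a DH could run its duplicate check so that a Software Product ID whose registration was deleted can register again. `RegistrationStore`, its methods and the choice to expire remaining consents on delete are assumptions for illustration; the Software Statement Assertion is assumed to have been validated before `register` is called.

```python
import uuid
from dataclasses import dataclass, field


class DuplicateRegistration(Exception):
    """An active registration already exists for this Software Product ID."""


@dataclass
class Registration:
    client_id: str
    software_id: str
    deleted: bool = False
    consents: dict = field(default_factory=dict)  # consent_id -> "active" | "expired"


class RegistrationStore:
    """Hypothetical DH-side store, constructed for this example."""

    def __init__(self):
        # Every registration ever issued; deleted ones are kept as tombstones.
        self.by_client = {}

    def _active_for(self, software_id):
        return [r for r in self.by_client.values()
                if r.software_id == software_id and not r.deleted]

    def register(self, software_id):
        # software_id is assumed to come from an already validated SSA.
        # The duplicate check looks at live registrations only; checking
        # tombstones too would block re-registration after a delete.
        if self._active_for(software_id):
            raise DuplicateRegistration(software_id)
        reg = Registration(client_id=str(uuid.uuid4()), software_id=software_id)
        self.by_client[reg.client_id] = reg
        return reg

    def add_consent(self, client_id, consent_id):
        reg = self.by_client[client_id]
        if reg.deleted:
            raise KeyError("registration deleted")
        reg.consents[consent_id] = "active"

    def delete(self, client_id):
        reg = self.by_client[client_id]
        # Assumption: any consent still active at delete time is expired.
        for consent_id in reg.consents:
            reg.consents[consent_id] = "expired"
        reg.deleted = True
```

A re-registration receives a new client ID and starts with no consents, so nothing granted to the deleted registration carries over to the new one.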