@@ -148,7 +148,7 @@ Considerations around offering an API (without a portal):
The present document does not contain a full analysis of portal security but identifies some risks and issues to consider.
### 4.6.2 Clear boundaries of responsibility (!all new text!)
### 4.6.2 Clear boundaries of responsibility
The Responsible Owner at an AO is the person who takes responsibility for a request that is issued (Was it lawful? Was it correct? Did it go to the right place? Can I justify it?)
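Review bot: The new 4.6.2 text relies on the abbreviation "AO" without expanding it in this hunk, and the parenthetical list of questions the Responsible Owner must answer has no closing punctuation after "Can I justify it?)". Consider expanding "AO" on first use in this section (or cross-referencing the definition) and ending the sentence with a full stop, since this paragraph is what a reader will cite when deciding who is accountable for an issued request. Removing the draft marker "(!all new text!)" from the heading is the right call; check that no other headings in the document still carry similar markers.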
@@ -168,8 +168,7 @@ Care should taken about functionality that sits between the AO Front Door and th
- There are risks about functionality which could be used by more than one AO or Provider. This carries risk of information going to the wrong place, or data being shared with people who are not entitled to see it.
- Generating requests anywhere other than within the AO runs the risk of the request being unlawful as it might not have been approved and fully understood by the Responsible Owner.
### 4.6.3 Management of users (!mainly new text!)
### 4.6.3 Management of users
An important issue for portals is that the provider is responsible for management of the list of accredited users.
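Review bot: The hunk's context line "Care should taken about functionality that sits between the AO Front Door and th..." has a missing word ("Care should be taken"); it is unchanged context here, so it needs a separate fix. The two bullets name the risks of shared functionality (information going to the wrong place, data shared with people not entitled to see it, requests generated outside the AO not approved by the Responsible Owner) but stop short of saying what the document expects in response; a sentence stating the expected control (for example, that request generation and approval stay within the AO, and that any shared component must keep AO and Provider data separated) would make the boundary of responsibility actionable. The opening sentence of 4.6.3 also only says the provider is responsible for the list of accredited users; consider stating what that responsibility covers (adding, reviewing and removing users) so the section matches the accountability language of 4.6.2.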