Consent is a clear and voluntary agreement given by a data owner (the individual whose data is being accessed) to permit a data controller (the entity or application requesting access to the data) to collect, use, or share their data for specific purposes.
In the context of data sharing through an API, "consent" refers to the explicit permission or authorization granted by a user or entity to allow an ISV or third party (such as an application or service) to access their data.
Consent is required to protect individuals' privacy rights and ensure that their data is not used or shared without their knowledge and permission.
It also helps to establish a legal basis for processing personal data in compliance with data protection regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
The Authorization Code Flow is an OAuth 2.0 flow used in EcoStruxure Openness for securely authorizing a user to access their data. Consent is typically captured during this flow through a user interaction.
Here's how it works:
Step 1: The data owner initiates an action (e.g., logging into an ISV application) that requires access to their data.
Step 2: The application redirects the user to cIAM, the official authentication server of Schneider Electric. The user has to identify themselves with their credentials.
Step 3: After a successful login, the user is presented with a consent screen that explains what data the ISV application is requesting access to and why.
Here “Customer Data” refers to data processed in the Schneider Electric cloud-based software solution to which you have subscribed. Please refer to such solution’s Terms of Use for a complete definition. The data owner can either authorize by clicking "Authorize Access" or deny consent by clicking "Do not Authorize".
Before granting consent, the user confirms that they have read and agree to the Terms & Conditions.
Step 4: If the user grants consent, they are redirected back to the application with an authorization code. The application then exchanges this code for an access token, which allows it to access the user's data.
Consent records are stored by EcoStruxure Openness to demonstrate compliance with data protection regulations.
These records include information about what the user consented to, which ISV application they consented to, when they gave consent, and any relevant details about the consent process.
Consent records are stored in the EcoStruxure Openness secure database.
Managing consent is essential for maintaining compliance with data protection laws. The EcoStruxure Openness Consent Management Application provides a user interface for data owners to manage the consent they have provided to external ISV or third-party applications.
Consent Management features:
- Consolidated view of all authorized applications, with the scopes for which data owners have provided consent to access their customer data.
- Users can revoke consent they have provided.
- Users can view their history of granted and revoked consents.
- The data owner is notified by email whenever consent is granted or revoked, whether during the consent flow or while managing consents.
Log in to the consent management application at https://ecostruxure-openapi.se.com
View Authorized Applications
Users will be able to view the list of ISV applications for which the consent was provided earlier.
Revoke Application Consent
Users have to select the ISV application for which the consent has to be revoked. Click the "Revoke Access" button to revoke the access.
View Consent History
Users can view the list of revoked accesses by switching to the "Revoked Accesses" tab.
This guide is intended for ISV application developers looking to integrate with our platform. We employ OAuth2 Authorization Code Grant type to secure our APIs. This method ensures that customer data is not only safe but also only accessible after obtaining the customer's explicit consent through our consent management framework.
Consent Management plays a critical role in establishing trust and compliance. It allows customers to understand what data is being accessed and to control it proactively. This boosts customer confidence and positively affects adoption rates and long-term engagement.
This OAuth2 flow involves several steps that require the customer to authenticate and authorize the third-party application (ISV) to access their data. This is crucial for ensuring data security and privacy.
- Authorization Endpoint: https://api.exchange.se.com/ecostruxure/v1/oauth/authorize
- Token Endpoint: https://api.exchange.se.com/ecostruxure/v1/oauth/token
Authorization Endpoint
- Method: GET
- Parameters:
  - client_id: Your application's client ID
  - response_type: Should be code
  - redirect_uri: The URL to which the authorization code will be sent
  - scope: The access level that you are requesting. Refer to API product documentation for supported scopes.
Example
GET https://api.exchange.se.com/ecostruxure/v1/oauth/authorize?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&scope=read_user_data
Token Endpoint
- Method: POST
- Parameters:
  - client_id: Your application's client ID
  - client_secret: Your application's client secret
  - grant_type: Should be authorization_code
  - code: The authorization code received
  - redirect_uri: Same as used in Authorization Endpoint
Example
POST https://api.exchange.se.com/ecostruxure/v1/oauth/token
{
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"grant_type": "authorization_code",
"code": "AUTHORIZATION_CODE",
"redirect_uri": "YOUR_REDIRECT_URI"
}
Upon successful authorization, the Token Endpoint will return a JSON object containing:
- access_token: The token to be used for API access
- expires_in: The time (in seconds) after which the token will expire
- refresh_token: Token used to obtain a new access token
- scope: Scopes granted
Example
{
"access_token": "YOUR_ACCESS_TOKEN",
"expires_in": 3600,
"refresh_token": "YOUR_REFRESH_TOKEN",
"scope": "read_user_data"
}
You can use the refresh token to obtain a new access token once the original access token has expired.
Example
POST https://api.exchange.se.com/ecostruxure/v1/oauth/token
{
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET",
"grant_type": "refresh_token",
"refresh_token": "YOUR_REFRESH_TOKEN"
}
Offline Access Scope
If you require long-lived refresh tokens, request the offline_access scope during the initial authorization. This will provide you with a refresh token that has an extended lifetime.
- Redirect the customer to our Authorization Endpoint.
- Customer logs in and gives consent.
- Authorization code is sent to your redirect_uri.
- Exchange the authorization code for an access token using the Token Endpoint.
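The four steps above from the ISV application's side, as an added example that is not Schneider Electric's own code. It goes slightly beyond the listed parameters: it sends the standard OAuth 2.0 `state` value (RFC 6749) to tie the callback to the session that started the flow, which assumes the authorization server echoes it back, and it checks that the granted scope covers what was requested. Function names and the sample values used with them are hypothetical.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.exchange.se.com/ecostruxure/v1/oauth/authorize"


def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, state). `state` is the RFC 6749 anti-CSRF parameter; the
    parameter list above does not mention it, so sending it is an assumption."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope,
                       "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Return the authorization code, rejecting callbacks from another session."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time comparison of the echoed state with the one we stored.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this session")
    if "code" not in params:
        raise PermissionError("no authorization code: consent was not granted")
    return params["code"][0]


def token_request_body(client_id, client_secret, code, redirect_uri):
    """JSON body for the Token Endpoint, as shown in the page's example."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}


def accept_token_response(resp, requested_scope, now=None):
    """Return (access_token, expires_at) only if every requested scope was
    granted; the data owner's consent may cover less than was asked for."""
    missing = set(requested_scope.split()) - set(resp.get("scope", "").split())
    if missing:
        raise PermissionError(f"scopes not granted: {sorted(missing)}")
    now = time.time() if now is None else now
    return resp["access_token"], now + int(resp["expires_in"])
```

Store the returned `state` in the user's server-side session before redirecting, and keep `client_secret` on the backend only.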
Customer Consent Management
We maintain a record of the consents given by customers, allowing for more granular control over data access. Customers can revoke access at any time.
Revoke Consent
Customers have the option to revoke consent through our platform. Once consent is revoked, previously issued access and refresh tokens will be invalidated, and the ISV application will need to re-initiate the authorization process for further access.
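How an ISV backend can combine the refresh request shown earlier with the revocation behaviour described here, as an added example that is not the platform's own code. The `TokenStore` class, the `post` transport callable and the rule that any non-200 reply to a refresh means the token was rejected are assumptions; the page does not document the error response.

```python
import time

TOKEN_URL = "https://api.exchange.se.com/ecostruxure/v1/oauth/token"


class ReauthorizationRequired(Exception):
    """Stored tokens are unusable; restart the Authorization Code flow."""


class TokenStore:
    SKEW = 30  # seconds; refresh slightly early so a token never expires in flight

    def __init__(self, client_id, client_secret, post, clock=time.time):
        # `post(url, json_body) -> (http_status, parsed_json)` is a hypothetical
        # transport supplied by the caller, e.g. a thin wrapper over an HTTP client.
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.clock = post, clock
        self.access = self.refresh = None
        self.expires_at = 0.0

    def save(self, resp):
        """Record a Token Endpoint response (fields as listed on the page)."""
        self.access = resp["access_token"]
        # Keep the old refresh token if the response does not carry a new one.
        self.refresh = resp.get("refresh_token", self.refresh)
        self.expires_at = self.clock() + int(resp["expires_in"])

    def access_token(self):
        """Return a usable access token, refreshing it if it has expired."""
        if self.access and self.clock() < self.expires_at - self.SKEW:
            return self.access
        if not self.refresh:
            raise ReauthorizationRequired("no refresh token stored")
        status, resp = self.post(TOKEN_URL, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "grant_type": "refresh_token", "refresh_token": self.refresh})
        if status != 200:
            # Assumption: a non-200 reply means the refresh token was rejected,
            # e.g. because the data owner revoked consent. Purge everything so
            # no invalidated token is retried or left at rest.
            self.access = self.refresh = None
            self.expires_at = 0.0
            raise ReauthorizationRequired(f"refresh rejected (HTTP {status})")
        self.save(resp)
        return self.access
```

On `ReauthorizationRequired`, send the data owner through the authorization flow again rather than retrying the refresh.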
Our commitment to privacy and data protection includes giving our customers complete control over their data. This guide outlines how our consent management system empowers customers to manage data-sharing permissions with third-party applications (ISVs).
Consent management is not only about meeting regulatory requirements; it's an ethical commitment to our customers. With our system, customers can actively give, view, and revoke consents, allowing them full authority over their data.
When a third-party application (ISV) requests access to a customer's data, the customer is redirected to our secure consent page. This page provides explicit details about the data the application is requesting access to, and what it intends to do with that data. The customer can choose to accept or deny this request.
Customers have access to a 'Consent Dashboard' within our platform. This dashboard provides a comprehensive list of all the third-party applications that have been granted consent to access their data. Features of the dashboard allow customers to:
- View the scope of each granted consent
- Revoke consent at their discretion
Procedure for Giving Consent
- Customers are redirected to the consent page.
- They review the request for data access.
- They click on "Approve" to grant access or "Deny" to refuse.
- A confirmation notice is emailed, and the third-party application is notified accordingly.
Procedure for Viewing Consents
- Customers log into the consent management application at https://ecostruxure-openapi.se.com/
- A list of all ISV apps with active granted consents is displayed.
- Customers can view historic data by going to the "Revoked Consent" tab.
Procedure for Revoking Consent
- Customers log into the consent management application at https://ecostruxure-openapi.se.com/
- They locate the ISV whose consent they wish to revoke.
- They click on the "Revoke Access" button.
- A confirmation dialog is shown; customers click "Proceed" to confirm the revocation.