Overview

SAP Hybris Profile provides a platform for gathering any type of relevant information to create a comprehensive and extensible consumer profile. Because the information shared by the consumers might be sensitive, a guarantee of proper data protection is required. To ensure that the information is safe and managed responsibly, SAP Hybris Profile offers a consent management system that allows the consumer to control how their data is handled. No data is collected, stored, or processed unless the consumer grants their consent.

You can use the Consent service to manage consumer consents.


API Reference

/consentClasses

get

Gets all consent classes - the dictionary values for grouping consents. By default classes are sorted ascending by class name.

/{tenant}/users/{hybrisUser}

get

Gets a consent reference for a given hybrisUser and tenant. hybris.profile_consent_view is required to access this endpoint.

/{tenant}/consentReferences

post

Generates a new user consent reference with default consents of a given tenant. If hybris-user is set in the header then it first tries to return an existing consent reference for this user and tenant. If the hybris-user equals null or ANONYMOUS, a new consent reference is always generated.

/{tenant}/consentReferences/TENANT

post

Generates a new consent reference for tenant if it doesn't exist. Otherwise returns information about the existing consent reference. Requires the scope hybris.profile_consent_manage.

/{tenant}/consents

/{tenant}/consents/{consentReference}

get

Gets a list of single consents data for a given tenant and abstract referenceId. To access this endpoint, the hybris.profile_consent_view scope is required.

delete

Deletes all consents data for a given consentReference. The hybris.profile_consent_manage scope is required to access this endpoint. Removing the TENANT and YPROFILE consent references is disabled; the service returns 403 when such an operation is requested.

/{tenant}/consents/{consentReference}/classes/{consentClass}

put

Updates the granted flag of consents in the specified class. Note that if the granted flag is set to false, consent blobs are also cleared. To update user's or tenant's consents hybris.profile_consent_manage scope is required.

get

Returns consents with a given consent class. hybris.profile_consent_view scope is required.

/{tenant}/consents/{consentReference}/schemas/{schema}

put

Updates the granted flag of consents for the specified schema. Note that if the granted flag is set to false, consent blobs are also cleared. To update user's or tenant's consents, hybris.profile_consent_manage scope is required.

get

Returns a single consent for a given schema. The hybris.profile_consent_view scope is required.



Consent classes

A consent class organizes consents into a group to make consent management easier and more efficient. A single consent class defines a list of logically- or functionally-related schemas that identify related types of data. This grouping allows consumers to toggle consent for a logical data grouping, rather than for individual data nodes. For example, a consent class called "Product interaction tracking" could allow a single point of control to toggle consent for both categories viewed and products viewed.

[
  {
    "title": "IP tracking",
    "description": "Allows tracking of user's IP address",
    "editable": true,
    "enabled": true,
    "class": "IPTracking"
  },
  {
    "title": "TimeZone",
    "description": "Checks user's current time zone.",
    "editable": true,
    "enabled": true,
    "class": "TimeZone"
  }
]

The consent class of each schema in the metamodel is set during enricher registration. For more information, see the Enricher registration tutorial.

For more information about how to grant or revoke consent for an entire consent class, see the Introduction to Tutorials section.

The consent class dictionary offers a list of all available consent classes. The list is the same for all tenants subscribed to SAP Hybris Profile. Retrieve the dictionary using the Consent service.

When a new schema that requires a new consent class is created, a system administrator must add the new consent class to the consent class dictionary. You must submit a support request for the system administrator to accept and add the new consent class to the dictionary.


Consent references

A consent reference is a unique key, assigned to a consumer, that is associated with all consents for that consumer. The Secure Graph service uses a consent reference to create data elements for a given consumer. The association of a unique consent reference with each consumer ensures that only the relevant consumer can control the associated consent, and that one consumer cannot overwrite the data of another consumer.

When a consumer enters a storefront for the first time, the system asks them to accept default consents that allow SAP Hybris Profile to gather consumer data. If the consumer agrees, the system creates a consent reference for that consumer and grants default consents. If the consumer does not agree, the system does not create any consent reference for that consumer.

Instead of asking the consumer to accept the default consents, you can alternatively configure the storefront to ask a consumer who is visiting for the first time to specify which types of data the system can collect. The list of consents can then be different for each consumer.

A consent reference is an arbitrary character string such as 965dcef9-da77-40bf-9e9b-65fd735df113.

For details about how to create a consent reference, see the topic Lifecycle of a consent reference for anonymous and logged-in sessions.

As shown in the diagram, a consent reference is associated with one or more consent classes for which consent is granted. Each independent consent class is associated with one or more consents; each consent is associated with a particular data schema. A given consent can belong to only one consent class.

graph TD
  A((Consent reference))-->B(Consent class 1)
  B(Consent class 1)-->D[Consent 1]
  D(Consent 1)-->N[Schema 1]
  B(Consent class 1)-->E[Consent 2]
  E(Consent 2)-->O[Schema 2]
  B(Consent class 1)-->F[Consent 3]
  F(Consent 3)-->P[Schema 3]
  A((Consent reference))-->G[Consent class 2]
  G(Consent class 2)-->H[Consent 4]
  H(Consent 4)-->Q[Schema 4]
  G(Consent class 2)-->I[Consent 5]
  I(Consent 5)-->R[Schema 5]
  A((Consent reference))-->J[Consent class 3]
  J(Consent class 3)-->K[Consent 6]
  K(Consent 6)-->S[Schema 6]
  J(Consent class 3)-->L[Consent 7]
  L(Consent 7)-->T[Schema 7]
  J(Consent class 3)-->M[Consent 8]
  M(Consent 8)-->U[Schema 8]

The Consent service can create a consent reference for an anonymous user or for a signed-in consumer. The service generates a new consent reference for each anonymous user. For a signed-in consumer, the service generates a consent reference only once and reuses that consent reference for all subsequent events from that consumer.

Each schema has an encryption type that determines whether the user, the tenant, or the SAP Hybris Profile system controls consent for that data type. Schemas with a "user" encryption type define user-related data. Schemas with a TENANT encryption type define tenant-related data.

Depending on the encryption type, consent references are organized into the following groups:

  • User consent reference: Represents consents granted by the consumer for schemas that define personal data such as nodes/commerce/Session. The service assigns the consumer a single, unique "user" consent reference for each tenant. If the consumer browses multiple storefronts belonging to different tenants, the service generates a unique "user" consent reference for each tenant.
  • TENANT consent reference: Represents consents granted by a tenant for schemas that define tenant-related data such as nodes/commerce/Product. The service assigns each tenant a single 'TENANT' consent reference. This consent reference's value is always the literal string TENANT.
  • YPROFILE consent reference: Used only internally. A single YPROFILE consent reference is issued for the entire SAP Hybris Profile system.

The diagram shows how SAP Hybris Profile uses keys to encrypt tenant-controlled data (such as ID or label) and consumer-controlled data (such as email address or gender):

  • Tenant-controlled data of a given data type is encrypted with the same encryption key for all users: Label data in the diagram is encrypted with Tenant Key 2 for all of that tenant's users.
  • User-controlled data of a given data type is encrypted with a unique encryption key per user: Gender data in the diagram is encrypted with User Key B for one user, and with User Key Y for another user.



Consent reference aliases

You can access the same set of consents using more than one consent reference. When the Merge service merges two or more profiles, any of the consent references created for those profiles before the merge allows you to update consents and profile data of the same customer profile. It applies to granting and revoking consents, accessing and modifying customer profile data, and to any other operations where you must provide the consent reference.

The Consent service introduces the notion of a leading consent reference. The system returns the leading consent reference in every call to the Consent service. Although the system lets you access your consents with an alias consent reference, replace any consent references that you have stored, for example in an external system or in a browser cookie, with the leading consent reference. The system then eventually uses only one consent reference, which makes it more consistent.


Consent reference lifecycle

This section describes the lifecycle of a consent reference. It explains how a consent reference is generated, both for a consumer and a tenant, and how it can be revoked. Moreover, this section describes how adding and removing schemas in the metamodel can affect a consent reference.

Determine data ownership

Each data type is assigned an owner: tenant or user. Personal data, such as address, is generally user-owned. Company-controlled data, such as product names, is generally tenant-owned. The owner of a data type is defined in the associated schema that is registered with the enricher or context adapter responsible for managing that data type.

Consumers can control consent for user-owned data only. Consumers cannot alter consent for tenant-owned data.

When a tenant subscribes to the Profile Core Services package, a consent reference with the value TENANT is automatically created for that tenant. If, subsequently, the tenant subscribes to any package that contains enrichers or context adapters and then enables them in the metamodel, consents pertaining to the tenant-related data written by those enrichers and context adapters are automatically generated within a TENANT consent reference. No additional, manual action from a tenant is required for the TENANT consent reference to be updated.

The SAP Hybris Profile system generates user consent references for user-related data that is managed by the tenant's subscribed enrichers and context adapters.

When consumers enter a storefront for the first time, they must decide whether to accept the default consents, thereby allowing SAP Hybris Profile to collect personal data pertaining to their activities. A pop-up dialog allows consumers to either grant or deny consent for the collection of their data. The particular storefront configuration determines whether consent can be granted or denied per data type or globally.

If a consumer does not accept any consents, the consumer's activities are not tracked, and, by extension, no data is collected.

If a consumer grants specific consents, the storefront sends a POST request to the Consent service, which responds by generating a "user" consent reference ID. The storefront uses this consent reference ID when communicating with the SAP Hybris Profile system.

When a consumer consents to the collection and storage of personal information, the consumer's activities are tracked and the consumer profile is continually enriched with new data. The information about the consumer's interactions with the storefront, such as product view and front end entered events, is collected and subsequently delivered to the SAP Hybris Profile system.

For details on how to create a user consent reference for a consumer, see the Create a consent reference section.

Consumers can alter consent settings at any time. For example, consumers can revoke consent for a data type or for a consent class if they no longer want the system to collect specific types of data pertaining to their activities. Revoking consent immediately discontinues the collection of the specific type of data. In addition, the existing data of that type becomes irrevocably inaccessible.

For details about how to revoke consents, see Revoke single consent and Revoke consents by classes.

A tenant can block a user consent reference at any time. In this case, the system can no longer collect new data or access the existing data for this user. Unlike revoking a consent, blocking a consent reference does not result in data deletion. Once the tenant lifts this block, the user's data reappears and can be processed again, based on the user's consents.

An anonymous user represents a consumer who browses a storefront without signing in.

The hybris.profile_consent_manage scope allows a user to manage consent in the system. To prevent anonymous users from using another person's consent reference to alter that person's data or consent, anonymous users are not granted the hybris.profile_consent_manage scope. However, this necessary security restriction also prevents anonymous users from managing consent for their own data.

To allow anonymous users to manage their own consent, you can develop customized solutions. For example, a customized consent management UI can pass anonymous consent management requests to a customized service. This service can then automatically apply the hybris.profile_consent_manage scope to the request.

However, such a customized solution exposes the risk that an anonymous user will use another person's consent reference to manage that person's data. To address this security risk, the customized service can require an extra layer of authorization, such as a temporary password or token, included in consent management requests.

This extra layer of authorization is not required for customized consent management solutions. It is the responsibility of the developer of customized services to implement an extra layer of authorization, if desired.
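One way to build the extra layer of authorization described above, as an added example that is not SAP's code: the customized service issues an HMAC token bound to a single consent reference when the anonymous session receives that reference, and applies hybris.profile_consent_manage only for a matching, unexpired token. The function names, the token format, the 15-minute lifetime and the refusal of TENANT and YPROFILE for anonymous callers are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

MANAGE_SCOPE = "hybris.profile_consent_manage"  # scope name from the page
RESERVED_REFERENCES = {"TENANT", "YPROFILE"}     # tenant and internal references
TOKEN_TTL_SECONDS = 900                          # assumed token lifetime


def _mac(secret: bytes, consent_reference: str, expires_at: int) -> str:
    """HMAC-SHA256 over the consent reference and the expiry time."""
    message = f"{consent_reference}|{expires_at}".encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, consent_reference: str, now: float,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Issue a token that is valid only for this consent reference.

    Hypothetical flow: the customized service calls this once, right after
    the Consent service returns the reference for the anonymous session, and
    the storefront keeps the token next to the consent reference.
    """
    expires_at = int(now) + ttl
    return f"{expires_at}.{_mac(secret, consent_reference, expires_at)}"


def verify_token(secret: bytes, consent_reference: str, token: str,
                 now: float) -> bool:
    """Return True only for an unexpired token issued for this reference."""
    try:
        expires_text, presented_mac = token.split(".", 1)
        expires_at = int(expires_text)
        presented = presented_mac.encode("utf-8")
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if now > expires_at:
        return False  # expired
    expected = _mac(secret, consent_reference, expires_at).encode("utf-8")
    # Constant-time comparison so the check does not leak MAC prefixes.
    return hmac.compare_digest(expected, presented)


def authorize_anonymous_manage(secret: bytes, consent_reference: str,
                               token: str, now: float) -> dict:
    """Decide whether the service may apply the manage scope to a request.

    Returns the reference and scope to use for the forwarded call, or raises
    PermissionError. Anonymous callers never get TENANT or YPROFILE.
    """
    if consent_reference in RESERVED_REFERENCES:
        raise PermissionError("reserved consent reference")
    if not verify_token(secret, consent_reference, token, now):
        raise PermissionError("token does not match this consent reference")
    return {"consentReference": consent_reference, "scope": MANAGE_SCOPE}


if __name__ == "__main__":
    # Sample consent references taken from the examples on this page.
    own_reference = "965dcef9-da77-40bf-9e9b-65fd735df113"
    other_reference = "baa8a056-8b71-417e-9ad6-1c5069c66096"
    service_secret = secrets.token_bytes(32)  # kept server-side only

    token = issue_token(service_secret, own_reference, time.time())
    print(authorize_anonymous_manage(service_secret, own_reference, token,
                                     time.time()))
    try:
        # Same token presented with another person's consent reference.
        authorize_anonymous_manage(service_secret, other_reference, token,
                                   time.time())
    except PermissionError as error:
        print("rejected:", error)
```
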

Remove schemas from the metamodel

When a tenant discontinues a subscription to an enricher, some schemas might be removed from the metamodel. Even if the consumer previously granted consent for the type of data written by that enricher, it is no longer collected due to the removal of the schema that defines that data.

The data gathered before the removal of the corresponding schema becomes inaccessible, but is not deleted. The existing data becomes accessible again if the tenant resubscribes to that enricher.

Add schemas with the user encryption type

The creation of new schemas that define consumer-related data affects the consumer's consent reference. The system can add new schemas to the metamodel when the tenant subscribes to the newly-registered enricher or resubscribes to an enricher that was discontinued. Those events have different effects on the consumer's consent references. The following sections describe the effects of adding a new schema to the metamodel and re-adding a previously removed schema.

Add a newly-created schema to the metamodel

When a tenant subscribes to a newly-registered enricher, new schemas might be added to the metamodel. The consents to store and process the data items defined by those schemas are not automatically added to existing user consent references. To add user consents for the new data, the storefront must specifically ask the consumer to provide them. No data pertaining to the newly-defined schemas are collected until the consumer explicitly permits it.

Re-add a previously-removed schema to the metamodel

When a tenant resubscribes to an enricher, the original user consent reference for the associated data types is used as the active consent reference. Because consent was previously granted, the storefront does not need to ask the consumer to grant it again. The data stored before the removal of a given schema is accessible after the schema is re-added to the metamodel.

Add new schemas with the TENANT encryption type

When a tenant subscribes to an enricher that writes tenant-owned data, new schemas defining associated data types might be added to the metamodel. Consequently, SAP Hybris Profile updates the tenant's consent reference with consents for the new data types.


Introduction to Tutorials

These tutorials use the Consent service API Console to describe these topics:

  • Present the lifecycle of a consent reference for anonymous and signed-in sessions
  • Create a new consent reference
  • Get all consent classes
  • Grant a single consent
  • Revoke a single consent
  • Grant consents by class
  • Revoke consents by class
  • Present the consent encryption concept

Prerequisites

  • Access to the Consent service API Console
  • A valid Bearer access token
    For more information about how to get an access token, see the /token endpoint section of the OAuth 2.0 service documentation.


Lifecycle of consent-reference for anonymous and logged-in session

This section explains the lifecycle of a consent reference. It describes how a consent reference is generated for an anonymous session and what changes when a customer signs in. For more information about what a consent reference is, see the Consent reference topic.

An anonymous session

An example of an anonymous session is a session in which an end customer browses a storefront without signing in.

Whenever a request is made to generate a consent reference, the Consent service generates a random consent reference key for an anonymous customer.

Execute the command in the example to get a consent reference for an anonymous customer.

Example

curl -X POST -H "Authorization: Bearer Access_token" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a POST request with real data

curl -X POST -H "Authorization: Bearer 001-958ff69f-532c-43db-b847-fa1d7b9e7635" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences'

Response

A successful response returns a message with two parameters. For example:

{
  "id": "cdb98c1c-e431-476c-a00a-1169eba4d318",
  "link": "https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences/cdb98c1c-e431-476c-a00a-1169eba4d318"
}

The id represents the consent reference key. It identifies the end customer and the consents granted and revoked by that user.

Logged-in session

An example of a logged-in session is a session in which an end customer logs in to a storefront, either at the beginning of the session or later in the session.

To generate a Bearer access token for a logged-in end customer, execute the command from the example. For more information about how to generate a Bearer access token, see the OAuth 2.0 service documentation.

This consent reference is reused for all subsequent customer log-in attempts. For example, suppose that a customer browsed the storefront in an anonymous session before logging in. All data stored for the anonymous session remains in SAP Hybris Profile, but is available only by its original consent reference and not by the consent reference assigned to the logged-in customer. In other words, anonymous data stays anonymous and is not linked to the customer that logs in.

The logged-in customer and the anonymous customer can grant and revoke consents on the storefront to allow or prevent SAP Hybris Profile from gathering data about their respective actions. For more information about how to grant or revoke a consent class, see the Introduction to Tutorials.

Example

curl -X POST -H "Authorization: Bearer Access_token" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token. Make sure you provide a Bearer access_token for the logged-in user.
      For details on how to receive an access_token for a logged-in user, see the /token endpoint section of the OAuth 2.0 service documentation.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a POST request with real data

curl -X POST -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences'

Response

A successful response includes a message with two parameters. For example:

{
  "id": "baa8a056-8b71-417e-9ad6-1c5069c66096",
  "link": "https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences/baa8a056-8b71-417e-9ad6-1c5069c66096"
}

The id represents the consent reference key. It identifies the end customer and the consents granted and revoked by that customer.

The tenant's consent reference is automatically generated when the tenant subscribes to SAP Hybris Profile in the Builder, but it can also be manually generated or manually managed. The consent reference identifier is constant and its value is always TENANT.


Creating a consent reference

The steps shown in this example demonstrate how to create a consent reference. A consent reference is acquired by a user when they enter or log in to a storefront. When a user logs in, any consent reference that was previously generated for them as an anonymous consumer is re-fetched by the new consent reference.

To create a new consent reference, use the command shown in the example.

Example

curl -X POST -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences'

Command parameters

  1. HEADERS
    • {access token} - Provide a valid Bearer access token.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a POST request with real data

curl -X POST -H "Authorization: Bearer 001-ad2b1327-8888-4ce4-b2cc-d64a9bc4932e" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences'

Response

A successful response includes an id whose value is a consent reference.

{
  "id": "965dcef9-da77-40bf-9e9b-65fd735df113",
  "link": "https://api.beta.yaas.io/hybris/consent/v1/mycomicsshop/consentReferences/965dcef9-da77-40bf-9e9b-65fd735df113"
}

Consent creation is an asynchronous operation. The system does not generate a consent reference immediately after you submit the request, even though it instantly returns a consent reference ID. Because the operation of creating a consent reference is fairly time-consuming, SAP Hybris Profile might not persist the first few requests that you send after the system returns the consent reference ID.

To mitigate such event failures, configure your storefront accordingly, for example, by implementing a personalized solution, such as buffering the requests until the consents are available.
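A sketch of the buffering approach mentioned above, as an added example rather than SAP code: events are held in order until a readiness probe reports that the consents for the new reference exist, then flushed. The class name and both callables are hypothetical; the probe could, for instance, call GET /{tenant}/consents/{consentReference} and treat a non-empty list as ready, which is an assumption about the service and not documented behaviour.

```python
from collections import deque
from typing import Any, Callable


class ConsentEventBuffer:
    """Hold storefront events until the consent reference is usable."""

    def __init__(self, consent_reference: str,
                 consents_available: Callable[[str], bool],
                 send_event: Callable[[str, Any], None],
                 max_events: int = 100) -> None:
        self.consent_reference = consent_reference
        self._consents_available = consents_available  # hypothetical probe
        self._send_event = send_event                  # hypothetical sender
        # Bounded queue: when full, the oldest event is dropped so that a
        # consent reference that never becomes ready cannot exhaust memory.
        self._pending = deque(maxlen=max_events)
        self._ready = False

    def submit(self, event: Any) -> int:
        """Queue one event and try to deliver. Returns events delivered."""
        self._pending.append(event)
        return self.flush()

    def flush(self) -> int:
        """Deliver queued events in order once the consents are available."""
        if not self._ready:
            # Probe only until the first success; the result is then cached.
            self._ready = bool(self._consents_available(self.consent_reference))
            if not self._ready:
                return 0
        delivered = 0
        while self._pending:
            # Send before removing, so a failed send keeps the event queued.
            self._send_event(self.consent_reference, self._pending[0])
            self._pending.popleft()
            delivered += 1
        return delivered

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    # Constructed demo: the probe fails twice, then succeeds.
    answers = iter([False, False, True])
    delivered = []
    buffer = ConsentEventBuffer(
        "965dcef9-da77-40bf-9e9b-65fd735df113",  # sample value from this page
        consents_available=lambda ref: next(answers),
        send_event=lambda ref, event: delivered.append(event),
    )
    for name in ("front end entered", "category view", "product view"):
        print(name, "->", buffer.submit(name), "delivered")
    print(delivered)
```
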

The system automatically generates a consent reference for a tenant when the tenant subscribes to the SAP Hybris Profile solution. Use the command in this example only if the system does not automatically generate a consent reference when a tenant subscribes.

Example

To generate a consent reference for a tenant, you must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details about how to receive an access token, see the /token endpoint section of the OAuth2 service documentation.

curl -X POST -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences/TENANT'

Command parameters

  1. HEADERS
    • {access token} - Provide a valid Bearer access token with the appropriate scope.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of POST request with real data

curl -X POST -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences/TENANT'

Response

A successful response includes an id whose value is a consent reference.

{
  "id": "TENANT",
  "link": "https://api.beta.yaas.io/hybris/consent/v1/mycomicsshop/consentReferences/TENANT"
}

Because consent creation is asynchronous, the system does not generate a consent reference immediately.


Delete a consent reference

A customer can also withdraw consent to collect and store any data associated with customer activity, and represented by a specified consent reference. If a customer deletes a consent reference entirely, the Context service sends the event with the operation DELETE:

{  
   "context":{  
      "location":"https://api.beta.yaas.io/hybris/profile-context/profiletestproj/data/57709830-be52-11e4-9370-edc4d47be75d",
      "consentRefId":"ae3ade81-052f-4f36-8825-f1617180ed5e",
      "id":"57709830-be52-11e4-9370-edc4d47be75d"
   },
   "schema":"core/ConsentReference",
   "operation":"DELETE"
}

Properties

  • location: The link defining where the event is stored
  • consentRefId: The consent reference used for storing the event
  • id: The unique identifier of the event
  • schema: Defines the type of event
  • operation: The type of operation

The event triggers a dedicated enricher. The enricher uses the location link, passed within that event, to retrieve another event with the consent reference ID:

{
  "id": "consent-reference-id-1234"
}


Get consent classes

You can retrieve all consent classes, for example, to verify whether a consent class exists in support of new enricher registration.

This functionality uses paging. You can define these query parameters:

  • pageSize: This parameter specifies how many results to return on one page. The default pageSize is 16.
  • pageNumber: This parameter specifies the result page to return.
  • sort: This parameter sorts results to address situations wherein one consent class displays on multiple pages or the consent class order changes when navigating from one page to another.

This example command lists the defined consent classes placed on a given page.

Example

curl -X GET -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/consentClasses?pageSize={pageSizeValue}&pageNumber={pageNumberValue}&sort={sortExpression}'

Command parameters

  1. HEADERS
    • {access token}: Provide a valid Bearer access token.
  2. Query parameters
    • {pageSizeValue}: Provide the maximum number of consent classes to return on a single page.
    • {pageNumberValue}: Provide the page number to return.
    • {sortExpression}: Provide a valid sorting expression.

Example of GET request with real data

curl -X GET -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" 'https://api.beta.yaas.io/hybris/profile-consent/v1/consentClasses?pageSize=3&pageNumber=1&sort=class:asc'

Response

The response to the example request returns a list of the first three consent classes.


[ {
  "title" : "Page bounces",
  "description" : "Information on which pages you visit only for a very short time",
  "editable" : true,
  "enabled" : true,
  "class" : "Bounces"
}, {
  "title" : "Cart events",
  "description" : "Your interactions with your shopping cart",
  "editable" : true,
  "enabled" : true,
  "class" : "CartEvents"
 }, {
  "title" : "Category views",
  "description" : "Product categories you have been looking at",
  "editable" : true,
  "enabled" : true,
  "class" : "CategoryViews"
}
]


Get all consents

Get all consents

Execute the example command to retrieve all consents for a particular consent reference. Because the service grants each consent to a data item associated with a schema, the response to the example command returns a list of schemas.

Example

curl -X GET -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}'

Command parameters

  1. HEADERS
    • {access token} - Provide a valid Bearer access token.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
      For details about how to generate a consent reference, see the Lifecycle of a consent reference for anonymous and logged-in sessions topic.

Example of a GET request with real data

curl -X GET -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096'

Response

A successful response returns a list of schemas, as shown:


[
  {
    "consentClass": "ProductViews",
    "purpose": "READ+WRITE",
    "schema": "https://api.beta.yaas.io/metamodel/v1/relations/commerce/Session/commerce/Product/commerce/VIEWED/viewCount",
    "grantBlob": "025b2a10-69b4-44f5-abfa-ac1121d7aab8",
    "granted": true,
    "schemaTitle": "Product view count",
    "schemaDescription": "Product view count"
  },
  {
    "consentClass": "Yaas User Data",
    "purpose": "READ+WRITE",
    "schema": "https://api.beta.yaas.io/metamodel/v1/nodes/commerce/YaasIdentityMasterData/company",
    "grantBlob": "90e5c734-6868-4903-8be6-7cf16b50a3c2",
    "granted": true
  },
  {
    "consentClass": "CategoryViews",
    "purpose": "READ+WRITE",
    "schema": "https://api.beta.yaas.io/metamodel/v1/relations/commerce/Session/commerce/Category/commerce/VIEWED/viewCount",
    "grantBlob": "0c9383e3-8f5d-404d-b8f5-06f39deab3a2",
    "granted": true,
    "schemaTitle": "Category view count",
    "schemaDescription": "Category view count"
  }
]

The given example shows a subsection of returned consents. The actual returned list is much longer.

Get all consents for the tenant

Execute the command in the following example to get a list of all consents for the specified tenant.

You must provide the tenant's consent reference and a valid Bearer access token with the scope hybris.profile_consent_view. For details about how to receive an access token, see the /token endpoint of the OAuth2 service documentation.

curl -X GET -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT'

Command parameters

  1. HEADERS
    • {access token} - Provide a Bearer access token with the proper scopes.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a GET request with real data

curl -X GET -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT'

Response

A successful response returns a list of schemas such as those in the Get all consents tutorial.


Grant single consent

A consumer can grant a single consent, for example, to track a credit card number. The consumer must grant consent from the consumer's profile on the storefront. To grant a single consent, execute the command in the example.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/schemas/{schema}'

Command parameters

  1. HEADERS
    • {access token} - Provide a Bearer access token.
  2. URI parameters

  3. BODY

    {
      "granted"  : true
    }
    

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/schemas/https%3A%2F%2Fapi.beta.yaas.io%2Fmetamodel%2Fv1%2Fcontext%2Fcommerce%2Fcaptainzbik'

Response

The command in the example sets the granted flag to true, which allows SAP Hybris Profile to collect data about the user's activity based on the granted consent class.

To grant a consent for a tenant, you must use a TENANT consent reference. For more information, see the Create consent reference for tenant tutorial.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT/schemas/{schema}'

Command parameters

  1. HEADERS
    • {access token} - Provide a valid Bearer access token with an appropriate scope.
      You must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details about how to receive an access token, see the /token endpoint section of the OAuth 2.0 service documentation.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {schema} - Provide a URL-encoded (percent-encoded) schema name, as in the example with real data.

Example with real data

curl -X PUT -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT/schemas/https%3A%2F%2Fapi.beta.yaas.io%2Fmetamodel%2Fv1%2Fcontext%2Fcommerce%2Fcaptainzbik'


Revoke single consent

Although consents are grouped in consent classes, a consumer can choose to revoke a single consent. For example, a consumer could allow SAP Hybris Profile to track their personal data, but not to track credit card information. Consents can be managed through the consumer's profile in the storefront.

You can revoke a single consent using the command in the following examples.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/schemas/{schema}'

Command parameters

  1. HEADERS
    • {access token} - Provide a Bearer access token.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
      For details about how to generate a consent reference, see the Lifecycle of a consent reference for anonymous and logged-in sessions topic.
    • {schema} - Provide the schema to revoke.
  3. BODY

    {
      "granted"  : false
    }
      

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/schemas/https%3A%2F%2Fapi.beta.yaas.io%2Fmetamodel%2Fv1%2Fcontext%2Fcdm%2Fcaptainzbik'

Response

The command in the example sets the granted flag to false, which prevents SAP Hybris Profile from accessing existing data, or collecting new data, about the user's activity based on the granted consent class.

If a user revokes a consent associated with a given type of data, the Context service sends the event with the operation REVOKED:

{  
   "context":{  
      "location":"https://api.beta.yaas.io/hybris/profile-context/profiletestproj/data/57709830-be52-11e4-9370-edc4d47be75d",
      "consentRefId":"ae3ade81-052f-4f36-8825-f1617180ed5e",
      "id":"57709830-be52-11e4-9370-edc4d47be75d"
   },
   "schema":"core/ConsentReference",
   "operation":"REVOKED"
}

Properties

  • location: The link defining where the event is stored
  • consentRefId: The consent reference used for storing the event
  • id: The unique identifier of the event
  • schema: Defines the type of event
  • operation: The type of operation

The event triggers a dedicated enricher. The enricher uses the location link, passed within that event, to retrieve another event with the list of schemas defining the data for which the user revokes consent.

The following example shows the event containing a list of schemas that an enricher retrieves from the Context service when a user revokes consent for collecting and processing data related to cart events.

The example displays only a subset of the CartEvents schema list.
{
  "id": "consent-reference-id-1234",
  "revokedConsents": [
    "https://api.beta.yaas.io/metamodel/v1/context/commerce/AbandonAlertEvent",
    "https://api.beta.yaas.io/metamodel/v1/context/commerce/AddedToCart",
    "https://api.beta.yaas.io/metamodel/v1/context/commerce/ModifiedCart",
    "https://api.beta.yaas.io/metamodel/v1/context/commerce/RemovedFromCart",
    "https://api.beta.yaas.io/metamodel/v1/nodes/commerce/AbandonmentDetail",
    "https://api.beta.yaas.io/metamodel/v1/nodes/commerce/AbandonmentDetail/date",
    "https://api.beta.yaas.io/metamodel/v1/nodes/commerce/Cart",
    "https://api.beta.yaas.io/metamodel/v1/relations/commerce/Cart/commerce/Product/commerce/CONTAINS",
    "https://api.beta.yaas.io/metamodel/v1/relations/commerce/Session/commerce/Cart/commerce/CREATED",
    "https://api.beta.yaas.io/metamodel/v1/relations/core/Profile/commerce/Cart/commerce/ABANDONED"
  ]
}
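
The enricher flow described above, as an added Python example that is not part of the SAP documentation: it acts only on a REVOKED core/ConsentReference event, checks that the location link points at the expected Context service before following it with the enricher's credentials, and matches the returned revokedConsents against locally held schemas. The fetch callable, the TRUSTED_HOST and CONTEXT_PATH values, and the STORED index are assumptions; the sample events are constructed from the two shown on this page.

```python
import json
from urllib.parse import urlsplit

# Assumption: host and path prefix of the Context service, read off this page's sample event.
TRUSTED_HOST = "api.beta.yaas.io"
CONTEXT_PATH = "/hybris/profile-context/"

def revocation_location(raw_event):
    """Return the location link of a REVOKED consent event, or None for any other event."""
    event = json.loads(raw_event)
    if event.get("schema") != "core/ConsentReference" or event.get("operation") != "REVOKED":
        return None
    location = (event.get("context") or {}).get("location") or ""
    url = urlsplit(location)
    # The enricher follows this link with its own bearer token, so accept only
    # HTTPS links to the expected Context service; anything else is rejected.
    trusted = (url.scheme == "https" and url.hostname == TRUSTED_HOST
               and url.port in (None, 443) and url.username is None
               and url.path.startswith(CONTEXT_PATH) and ".." not in url.path.split("/"))
    if not trusted:
        raise ValueError("untrusted location in event: %r" % location)
    return location

def handle_event(raw_event, fetch, stored_schemas):
    """Return the locally stored schemas covered by a revocation, sorted; [] for other events.

    fetch is a hypothetical callable that GETs the location and returns the parsed JSON body.
    """
    location = revocation_location(raw_event)
    if location is None:
        return []
    revoked = set(fetch(location).get("revokedConsents", []))
    # Exact match only: the list names child paths (.../AbandonmentDetail/date) explicitly.
    return sorted(revoked & set(stored_schemas))

# Constructed sample input, modelled on the two events shown on this page.
SAMPLE_EVENT = json.dumps({
    "context": {
        "location": "https://api.beta.yaas.io/hybris/profile-context/profiletestproj/data/"
                    "57709830-be52-11e4-9370-edc4d47be75d",
        "consentRefId": "ae3ade81-052f-4f36-8825-f1617180ed5e",
        "id": "57709830-be52-11e4-9370-edc4d47be75d"},
    "schema": "core/ConsentReference", "operation": "REVOKED"})
META = "https://api.beta.yaas.io/metamodel/v1/"
SAMPLE_DETAIL = {"id": "consent-reference-id-1234", "revokedConsents": [
    META + "context/commerce/AddedToCart", META + "nodes/commerce/Cart"]}
STORED = [META + "nodes/commerce/Cart", META + "nodes/commerce/Product"]  # hypothetical local index

if __name__ == "__main__":
    print(handle_event(SAMPLE_EVENT, lambda url: SAMPLE_DETAIL, STORED))
```
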


Grant consents by class

Grant consents of the same class

You can grant consents so that SAP Hybris Profile can collect information for those consents. To grant consent for a consent class, execute the command from the example.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/classes/{consentClass}'

Command parameters

  1. HEADERS
    • {access token} - Provide a Bearer access token.
  2. URI parameters

  3. BODY

    {
      "granted"  : true
    }
    

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/classes/comicbookview'

Response

The command in the example sets the granted flag back to true, which means that SAP Hybris Profile can start to collect data about the user's activity based on the granted consent class.

Grant consents of the same class for a tenant

To grant a consent class for a tenant, execute the command in the following example.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT/classes/{consentClass}'

Command parameters

  1. HEADERS
    • {access token} - Provide a Bearer access token with the appropriate scopes.
      You must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details on how to get an access token, see the /token endpoint section of the OAuth 2.0 service documentation.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT/classes/comicbookview'


Revoke consents by class

Revoke consents of the same class

Consumers can grant and revoke consents, grouped by consent class, through the storefront. The collected data associated with a consent becomes irrevocably inaccessible if the consumer revokes that consent. If a consumer grants consents that were formerly revoked, within the scope of a specific consent class, then SAP Hybris Profile can track new information represented by the granted consents. You can use the command in the following example to revoke consents that belong to a specific consent class.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/classes/{consentClass}'

Command parameters

  1. HEADERS
    • {access token} - Provide a Bearer access token.
  2. URI parameters

  3. BODY

    {
      "granted"  : false
    }
    

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/classes/comicbookview'

Response

In the response, the example consent class is disabled. This means SAP Hybris Profile can no longer collect the information about the consumer's activities represented by the disabled consent class. Pre-existing data associated with this consent class becomes irrevocably inaccessible. In the consent class in the example, the granted flag is set to false.

To revoke consent for a tenant, you must use a TENANT consent reference. For more information, see the Create consent reference for tenant tutorial.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT/classes/{consentClass}'

Command parameters

  1. HEADERS
    • {access token} - Provide a valid Bearer access token with the proper scope.
      You must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details about how to receive an access token, see the /token endpoint section of the OAuth 2.0 service documentation.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentClass} - Provide the consent class name.

Example with real data

curl -X PUT -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" -d '{"granted"  : false}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT/classes/comicbookview'


Glossary

  • authorization: The process of determining whether a given microservice has permission to gain consent.
  • consent: Permission to access (read, write) specific profile data, for example, permission to read/write age estimation or physical address. A consumer and a tenant can grant and revoke consent for subsets of their respective data.
  • consent class: A string alias, defined by developers, that references a set of profile data (also called "schemas") for which consent can be granted and revoked. This string is exposed to users (consumers and tenants) as a reference through which they control consent. For example, the consent class "Purchases" might reference a set of data that includes items purchased, purchase dates, and purchase prices. Toggling consent for "Purchase" would enable and disable consent for that entire set of data.
  • consent reference: A unique, randomized string that serves as a passcode to decrypt data associated with one or more schemas. Various service calls require a consent reference.
  • consumer: The end user whose actions yield profile data in the graph. A profile describes a single consumer.
  • context: Data that affects the state of the graph. This data can be collected from consumer-triggered events or from third-party sources such as weather stations.
  • Context Adapter: A microservice that receives data and, optionally, adapts it for entry into the graph. For example, a context adapter can adapt address data by adding a ZIP code and normalizing the street labels (for example, changing "St" to "Street"). The context adapter then passes the data through the Context service, which caches it so that enrichers can subsequently persist the data in the graph.
  • context repository: A temporary cache for adapted context data, before it is further processed by enrichers and persisted in the graph.
  • context service: An internal microservice that manages the insertion of, and the retrieval of, context data in the Context Repository.
  • encryption key: A unique, randomized string used to encrypt and decrypt specific data in the graph. Each data element is encrypted with a different encryption key. Decryption, using this key, is required to access, view, and alter the data.
  • enricher: A microservice that retrieves data from the Context Repository and/or Graph, possibly alters or extends it, and then persists data in the graph. An enricher can interpret data points, or sets of data points, to yield new data to persist. For example, an enricher can interpret purchasing data and contemporaneous weather station data to yield new data indicating that the consumer is a rainy-day shopper.
  • graph: The database that stores profile data as nodes, edges, and properties, and allows semantic queries.
  • identity: One of many independent units of data used to identify a unique profile, such as an email address, browser type, or version.
  • profile: Data about a single consumer, collected and derived from events that are triggered by, or are logically associated, with that consumer.
  • schema: A string representation of a path in the graph that represents an abstraction, rather than a concrete instance, of a particular data structure.
  • tenant: A registered entity with a shared commercial goal that subscribes to SAP Hybris Profile services and packages to reach that goal. A tenant can also develop and contribute enrichers and context adapters to the SAP Hybris Profile suite. Within YaaS, a tenant is a project.

