Overview

SAP Hybris Profile provides a platform for gathering any type of relevant information to create a comprehensive and extensible consumer profile. Because the information shared by the consumers might be sensitive, a guarantee of proper data protection is required. To ensure that the information is safe and managed responsibly, SAP Hybris Profile offers a consent management system that allows the consumer to control how their data is handled. No data is collected, stored, or processed unless the consumer grants their consent.

You can use the Consent service to manage consumer consents.


API Reference

/consentClasses

get

Gets all consent classes - the dictionary values for grouping consents.

/{tenant}/users/{hybrisUser}

get

Gets a consent reference for a given hybrisUser and tenant. hybris.profile_consent_view is required to access this endpoint.

/{tenant}/consentReferences

post

Generates a new user consent reference with default consents of a given tenant. If hybris-user is set in the header then it first tries to return an existing consent reference for this user and tenant. If the hybris-user equals null or ANONYMOUS, a new consent reference is always generated.

/{tenant}/consentReferences/TENANT

post

Generates a new consent reference for tenant if it doesn't exist. Otherwise returns information about the existing consent reference. Requires the scope hybris.profile_consent_manage.

/{tenant}/consentReferences/{consentReference}

get

Validates the hybris-consent-reference-token header. Requires the hybris.profile_consent_view scope.

patch

To set the leading consent reference of this consent reference, send the leadingConsentReference field. Send null value in this field to undo the operation. Requires the scope hybris.profile_aliases_manage.

To add aliases for this consent reference, send the aliases array. Requires the scope hybris.profile_aliases_manage.

To replace all consents of this consent reference, send the consents array. Empty array or explicit null value revokes all existing consents of this consent reference. Requires the scope hybris.profile_consent_manage.

To block this consent reference, send blocked flag set to true. Set it to false to undo the operation. Requires the scope hybris.profile_consent_manage_blocked.

/{tenant}/consents

/{tenant}/consents/{consentReference}

get

Gets a list of single consents data for a given tenant and abstract referenceId. To access this endpoint, the hybris.profile_consent_view scope is required.

delete

Deletes all consents data for a given consentReference. hybris.profile_consent_manage is required to access this endpoint. Removing the TENANT and YPROFILE consent references is disabled; 403 is returned when such an operation is requested.

/{tenant}/consents/{consentReference}/classes/{consentClass}

put

Updates the granted flag of consents in the specified class. Note that if the granted flag is set to false, consent blobs are also cleared. To update a user's or tenant's consents, the hybris.profile_consent_manage scope is required.

get

Returns consents with a given consent class. hybris.profile_consent_view scope is required.

/{tenant}/consents/{consentReference}/schemas/{schema}

put

Updates the granted flag of consents for the specified schema. Note that if the granted flag is set to false, consent blobs are also cleared. To update user's or tenant's consents, hybris.profile_consent_manage scope is required.

get

Returns a single consent for a given schema. The hybris.profile_consent_view scope is required.



Consent classes

A consent class organizes consents into a group to make consent management easier and more efficient. A single consent class defines a list of logically or functionally related schemas that identify related types of data. This grouping allows consumers to toggle consent for a logical data grouping, rather than for individual schemas. For example, a consent class called "Product interaction tracking" could allow a single point of control to toggle consent for both categories viewed and products viewed.

[
  {
    "title": "IP tracking",
    "description": "Allows tracking of user's IP address",
    "editable": true,
    "enabled": true,
    "class": "IPTracking"
  },
  {
    "title": "TimeZone",
    "description": "Checks user's current time zone.",
    "editable": true,
    "enabled": true,
    "class": "TimeZone"
  }
]

The consent class of each schema in the metamodel is set during enricher registration. For more information, see the Enricher registration tutorial.

For more information about how to grant or revoke consent for an entire consent class, see the Introduction to Tutorials section.

The consent class dictionary offers a list of all available consent classes. The list is the same for all tenants subscribed to SAP Hybris Profile. Retrieve the dictionary using the Consent service.

When a new schema that requires a new consent class is created, a system administrator must add the new consent class to the consent class dictionary. You must submit a support request for the system administrator to accept and add the new consent class to the dictionary.


Consent references

A consent reference is a unique key, assigned to a consumer, that is associated with all consents for that consumer. The association of a unique consent reference with each consumer ensures that only the relevant consumer can control the associated consent, and that one consumer cannot overwrite the data of another consumer.

When a consumer enters a storefront for the first time, the system asks them to accept default consents that allow SAP Hybris Profile to gather consumer data. If the consumer agrees, the system creates a consent reference for that consumer and grants default consents. If the consumer does not agree, the system does not create any consent reference for that consumer.

Instead of asking the consumer to accept the default consents, you can alternatively configure the storefront to ask a consumer who is visiting for the first time to specify which types of data the system can collect. The list of consents can then be different for each consumer.

A consent reference is an arbitrary character string such as 965dcef9-da77-40bf-9e9b-65fd735df113.

For details about how to create a consent reference, see the topic Lifecycle of a consent reference for anonymous and logged-in sessions.

As shown in the diagram, a consent reference is associated with one or more consent classes for which consent is granted. Each independent consent class is associated with one or more consents; each consent is associated with a particular data schema. A given consent can belong to only one consent class.

graph TD
  A((Consent reference))-->B(Consent class 1)
  B(Consent class 1)-->D[Consent 1]
  D(Consent 1)-->N[Schema 1]
  B(Consent class 1)-->E[Consent 2]
  E(Consent 2)-->O[Schema 2]
  B(Consent class 1)-->F[Consent 3]
  F(Consent 3)-->P[Schema 3]
  A((Consent reference))-->G[Consent class 2]
  G(Consent class 2)-->H[Consent 4]
  H(Consent 4)-->Q[Schema 4]
  G(Consent class 2)-->I[Consent 5]
  I(Consent 5)-->R[Schema 5]
  A((Consent reference))-->J[Consent class 3]
  J(Consent class 3)-->K[Consent 6]
  K(Consent 6)-->S[Schema 6]
  J(Consent class 3)-->L[Consent 7]
  L(Consent 7)-->T[Schema 7]
  J(Consent class 3)-->M[Consent 8]
  M(Consent 8)-->U[Schema 8]

The Consent service can create a consent reference for an anonymous user or for a signed-in consumer. The service generates a new consent reference for each anonymous user. For a signed-in consumer, the service generates a consent reference only once and reuses that consent reference for all subsequent events from that consumer.

Each schema has an encryption type that determines whether the user, the tenant, or the SAP Hybris Profile system controls consent for that data type. Schemas with a "user" encryption type define user-related data. Schemas with a TENANT encryption type define tenant-related data.

Depending on the encryption type, consent references are organized into the following groups:

  • User consent reference: Represents consents granted by the consumer for schemas that define personal data such as profiles/insights/affinities. The service assigns the consumer a single, unique "USER" consent reference for each tenant. If the consumer browses multiple storefronts belonging to different tenants, the service generates a unique "user" consent reference for each tenant.
  • TENANT consent reference: Represents consents granted by a tenant for schemas that define tenant-related data such as context/commerce/ProductView. The service assigns each tenant a single 'TENANT' consent reference. This consent reference's value is always the literal string TENANT.
  • YPROFILE consent reference: Used only internally. A single YPROFILE consent reference is issued for the entire SAP Hybris Profile system.

The diagram shows how SAP Hybris Profile uses keys to encrypt tenant-controlled data (such as ID or label) and consumer-controlled data (such as email address or gender):

  • Tenant-controlled data of a given data type is encrypted with the same encryption key for all users: Label data in the diagram is encrypted with Tenant Key 2 for all of that tenant's users.
  • User-controlled data of a given data type is encrypted with a unique encryption key per user: Gender data in the diagram is encrypted with User Key B for one user, and with User Key Y for another user.



Consent reference aliases

You can access the same set of consents using more than one consent reference. When the Merge service merges two or more profiles, any of the consent references created for those profiles before the merge allows you to update consents and profile data of the same customer profile. It applies to granting and revoking consents, accessing and modifying customer profile data, and to any other operations where you must provide the consent reference.

The Consent service introduces the notion of a leading consent reference. The system returns the leading consent reference in every call to the Consent service. Although the system allows you to access your consents by providing an alias consent reference, instead replace any consent references stored, for example, in an external system or in a browser cookie, with the leading consent reference. This means the system eventually uses only one consent reference, making it more consistent.


Consent reference lifecycle

This section describes the lifecycle of a consent reference. It explains how a consent reference is generated, for an unknown and known user, and for a tenant, and how it can be revoked. Moreover, this section describes how adding and removing schemas in the metamodel can affect a consent reference. Suggestion: For more information, see the Consent reference topic.

Determine data ownership

Each data type is assigned an owner: tenant or user. Personal data, such as address, is generally user-owned. Company-controlled data, such as product names, is generally tenant-owned. The owner of a data type is defined in the associated schema that is registered with the enricher or context adapter responsible for managing that data type.

Consumers can control consent for user-owned data only. Consumers cannot alter consent for tenant-owned data.

When a tenant subscribes to the Profile Core Services package, a consent reference with the value TENANT is automatically created for that tenant. If, subsequently, the tenant subscribes to any package that contains enrichers or context adapters and then enables them in the metamodel, consents pertaining to the tenant-related data written by those enrichers and context adapters are automatically generated within a TENANT consent reference. No additional, manual action from a tenant is required for the TENANT consent reference to be updated.

The SAP Hybris Profile system generates user consent references for user-related data that is managed by the tenant's subscribed enrichers and context adapters.

When consumers enter a storefront for the first time, they must decide whether to accept the default consents, thereby allowing SAP Hybris Profile to collect personal data pertaining to their activities. A pop-up dialog allows consumers to either grant or deny consent for the collection of their data. The particular storefront configuration determines whether consent can be granted or denied per data type or globally.

If a consumer does not accept any consents, the consumer's activities are not tracked, and, by extension, no data is collected.

If a consumer grants specific consents, the storefront sends a POST request to the Consent service, which responds by generating a "user" consent reference ID. The storefront uses this consent reference ID when communicating with the SAP Hybris Profile system.

When a consumer consents to the collection and storage of personal information, the consumer's activities are tracked and the consumer profile is continually enriched with new data. The information about the consumer's interactions with the storefront, such as ProductView and FrontendEntered events, is collected and subsequently delivered to the SAP Hybris Profile system.

For details on how to create a user consent reference for a consumer, see the Create a consent reference section.

Anonymous session

An example of an anonymous session is a session in which an end customer browses a storefront without signing in.

Whenever a request is made to generate a consent reference, the Consent service generates a random consent reference key for an anonymous customer. Upon such request, the Consent service returns the consent reference together with a consent reference token, which the Consent Manager and Profile Manager interfaces use to provide security in the anonymous flow of granting and revoking consents. The Consent service generates this token only once, when you create a new consent reference. You cannot request the token again so make sure you save it.

Customer-logged-in session

A customer-logged-in session is a session in which an end customer registers or logs in as a storefront user, and browses the storefront.

When a user logs in to the storefront, the SAP Commerce Enterprise system sends a userLoggedIn event with a consent reference assigned earlier upon registration. The system persists the consent reference in a browser cookie set by the Profile Tag.

Consent references are merged after logging in, which means that many consent references point to one profile. If an anonymous user browses through a storefront and logs in at some point, the Merge service associates the consent references generated for both sessions with one profile. All data stored in the anonymous session remains in SAP Hybris Profile, and is available under either of the consent references due to the aliasing functionality.

Both the logged-in customer and the anonymous customer can grant and revoke consents on the storefront to allow or prevent SAP Hybris Profile from gathering data about their respective actions. For more information, see the grant consent or revoke consent documentation.

Tenant-manager session

An example of a tenant-manager session is a session in which a user authorized in the Builder, such as the tenant's account manager, performs operations in the Enricher Workbench. Upon every log-in attempt, the consent reference for a tenant's account manager remains the same.

Consumers can alter consent settings at any time. For example, consumers can revoke consent for a data type or for a consent class if they no longer want the system to collect specific types of data pertaining to their activities. Revoking consent immediately discontinues the collection of the specific type of data. In addition, the existing data of that type is irrevocably inaccessible.

For details about how to revoke consents, see Revoke single consent and Revoke consents by classes.

A tenant can block a user consent reference at any time. In this case, the system can no longer collect new data or access the existing data for this user. Unlike revoking a consent, blocking a consent reference does not result in data deletion. Once the tenant lifts this block, the user's data reappears and can be processed again, based on the user's consents.

An anonymous user represents a consumer who browses a storefront without signing in.

The hybris.profile_consent_manage scope allows a user to manage consent in the system. To prevent anonymous users from using another person's consent reference to alter that person's data or consent, anonymous users are not granted the hybris.profile_consent_manage scope. However, this necessary security restriction also prevents anonymous users from managing consent for their own data.

To allow anonymous users to manage their own consent, you can develop customized solutions. For example, a customized consent management UI can pass anonymous consent management requests to a customized service. This service can then automatically apply the hybris.profile_consent_manage scope to the request.

However, such a customized solution exposes the risk that an anonymous user will use another person's consent reference to manage that person's data. To address this security risk, the customized service requires an extra layer of authorization, such as a temporary password or token, included in consent management requests.

This extra layer of authorization is not required for customized consent management solutions. It is the responsibility of the developer of customized services to implement an extra layer of authorization, if desired.
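One way to build the extra authorization layer described above, as an added example that is not part of the original documentation: the customized service keeps a digest of the consentReferenceToken returned when each consent reference was created and makes the privileged call only when a request presents the matching token for that exact tenant and consent reference. The class name, the injected `forward` callable and the sample values in the comments are assumptions for illustration.

```python
import hashlib
import hmac


class AnonymousConsentGate:
    """Extra authorization in front of a customized service that applies the
    hybris.profile_consent_manage scope on behalf of anonymous users."""

    def __init__(self, forward):
        # forward(tenant, consent_reference, body) performs the privileged
        # upstream call. It is injected (assumption) so the example runs
        # offline and the gate logic can be tested in isolation.
        self._forward = forward
        self._token_digests = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def register(self, tenant, consent_reference, token):
        """Bind a consent reference to the token issued at creation time.

        Only a digest is stored, so reading the store does not reveal
        tokens that could be replayed against the gate."""
        if not token:
            raise ValueError("a non-empty token is required")
        self._token_digests[(tenant, consent_reference)] = self._digest(token)

    def is_authorized(self, tenant, consent_reference, presented_token):
        key = (tenant, consent_reference)
        # Compare against a dummy digest for unknown references so that
        # known and unknown references take the same code path.
        expected = self._token_digests.get(key, self._digest(""))
        presented = self._digest(presented_token or "")
        # Constant-time comparison avoids leaking how many bytes matched.
        matches = hmac.compare_digest(expected, presented)
        return matches and key in self._token_digests and bool(presented_token)

    def handle(self, tenant, consent_reference, presented_token, body):
        """Return (status, result). The privileged call happens only after
        the caller proves knowledge of the token for this reference."""
        if not self.is_authorized(tenant, consent_reference, presented_token):
            return 403, None
        return 200, self._forward(tenant, consent_reference, body)


# Constructed usage: two anonymous consumers of the same tenant.
#   gate = AnonymousConsentGate(forward=call_consent_service)
#   gate.register("mycomicsshop", "ref-alice", "token-alice")
#   gate.handle("mycomicsshop", "ref-alice", "token-alice", {...})  # forwarded
#   gate.handle("mycomicsshop", "ref-bob", "token-alice", {...})    # 403
```

Knowing another person's consent reference is not enough to pass the gate, because the token is bound to the tenant and reference pair it was issued for.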

Remove schemas from the metamodel

When a tenant discontinues a subscription to an enricher, some schemas might be removed from the metamodel. Even if the consumer previously granted consent for the type of data written by that enricher, it is no longer collected due to the removal of the schema that defines that data.

The data gathered before the removal of the corresponding schema becomes inaccessible, but is not deleted. The existing data becomes accessible again if the tenant resubscribes to that enricher.

Add schemas with the user encryption type

The creation of new schemas that define consumer-related data affects the consumer's consent reference. The system can add new schemas to the metamodel when the tenant subscribes to the newly-registered enricher or resubscribes to an enricher that was discontinued. Those events have different effects on the consumer's consent references. The following sections describe the effects of adding a new schema to the metamodel and re-adding a previously removed schema.

Add a newly-created schema to the metamodel

When a tenant subscribes to a newly-registered enricher, new schemas might be added to the metamodel. The consents to store and process the data items defined by those schemas are not automatically added to existing user consent references. To add user consents for the new data, the storefront must specifically ask the consumer to provide them. No data pertaining to the newly-defined schemas are collected until the consumer explicitly permits it.

Re-add a previously-removed schema to the metamodel

When a tenant resubscribes to an enricher, the original user consent reference for the associated data types is used as the active consent reference. Because consent was previously granted, the storefront does not need to ask the consumer to grant it again. The data stored before the removal of a given schema is accessible after the schema is re-added to the metamodel.

Add new schemas with the TENANT encryption type

When a tenant subscribes to an enricher that writes tenant-owned data, new schemas defining associated data types might be added to the metamodel. Consequently, SAP Hybris Profile updates the tenant's consent reference with consents for the new data types.


GDPR compliance

To comply with the GDPR provisions, SAP Hybris Profile allows you to export and remove tenant customer data, as well as export and rectify data of a single customer. The sections below describe the process of requesting consent data and show sample files.

Export all tenant customer data

SAP Hybris Profile allows you to export tenant customer data collected in a JSON file.

[
  {
    "14066335-b87c-4503-adff-34ba83ab1e88": [
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/cdm/ProductView",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/AddedToCart",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/CategoryView",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/FrontendEntered",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/KeywordSearch",
        "granted": true
      }
    ]
  },
  {
    "65812389-z47c-6201-cdfg-12b5av495m77": [
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/cdm/ProductView",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/AddedToCart",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/CategoryView",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/FrontendEntered",
        "granted": true
      },
      {
        "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/KeywordSearch",
        "granted": false
      }
    ]
  }
]

To request the file, the tenant must contact the support team and then specify the preferred delivery method.

Export data of a single customer

To exercise the GDPR right to access their data, customers should contact their tenants. To export the data for a single customer, the tenants can use the Consent service API.

{
  "14066335-b87c-4503-adff-34ba83ab1e88": [
    {
      "schema": "https://api.beta.yaas.io/metamodel/v1/context/cdm/ProductView",
      "granted": true
    },
    {
      "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/AddedToCart",
      "granted": true
    },
    {
      "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/CategoryView",
      "granted": true
    },
    {
      "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/FrontendEntered",
      "granted": true
    },
    {
      "schema": "https://api.beta.yaas.io/metamodel/v1/context/commerce/KeywordSearch",
      "granted": true
    }
  ]
}

Remove all tenant customer data

Upon the tenant's request, the support team can remove all the tenant's customer consent settings. This means that the system no longer stores any data regarding the tenant's customers. If the tenant requests a data export before the deletion, the support team can restore the deleted data.

Rectify data of a single customer

In line with the GDPR provisions, SAP Hybris Profile allows customers to rectify their personal data in case it is inaccurate. Tenants can manually correct their customers' data using the Consent service API.


Introduction to Tutorials

These tutorials use the Consent service API Console to describe these topics:

  • Present the lifecycle of a consent reference for anonymous and signed-in sessions
  • Create a new consent reference
  • Get all consent classes
  • Grant a single consent
  • Revoke a single consent
  • Grant consents by class
  • Revoke consents by class
  • Present the consent encryption concept

Prerequisites

  • Access to the Consent service API Console
  • A valid Bearer access token
    For more information about how to get an access token, see the /token endpoint section of the OAuth 2.0 service documentation.


Creating a consent reference

The steps shown in this example demonstrate how to create a consent reference. A consent reference is acquired by a user when they enter or log in to a storefront. When a user logs in, any consent reference that was previously generated for them as an anonymous consumer is re-fetched by the new consent reference.

To create a new consent reference, use the command shown in the example.

Example

curl -X POST -H "Authorization: Bearer Access_token" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a POST request with real data

curl -X POST -H "Authorization: Bearer 001-ad2b1327-8888-4ce4-b2cc-d64a9bc4932e" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences'

Response

{
  "id": "965dcef9-da77-40bf-9e9b-65fd735df113",
  "link": "https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/965dcef9-da77-40bf-9e9b-65fd735df113",
  "consentReferenceToken": "Wx9WcWsISjDYSWKE5LijGLikImPA5bKfoJWk6M6EFqDMSb8Xnlu2aEseO1Dy50M9I-YRq9lKhO7rj1G7fBoEWA"
}

The id represents the consent reference key. It identifies the end customer and the consents granted and revoked by that user. The consentReferenceToken is a generated identifier which the Consent Manager and Profile Manager interfaces use to provide security in the anonymous flow of granting and revoking consents. The Consent service generates this token only once, when you create a new consent reference. You cannot request the token again so make sure you save it.

Consent creation is an asynchronous operation. The system does not generate a consent reference immediately after you submit the request, even though it instantly returns a consent reference ID. Because the operation of creating a consent reference is fairly time-consuming, SAP Hybris Profile might not persist the first few requests that you send after the system returns the consent reference ID.

To mitigate such event failures, configure your storefront accordingly, for example, by implementing a personalized solution, such as buffering the requests until the consents are available.
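A sketch of the buffering approach suggested above, as an added example that is not part of the original documentation: events are held per consent reference until a readiness probe reports that the consents are available, then flushed in order. The class name and the injected `is_ready` and `send` callables are assumptions; in a real storefront the probe could be a GET on the consents endpoint for that consent reference.

```python
from collections import deque


class ConsentAwareBuffer:
    """Holds storefront events until the asynchronously created consent
    reference is available, so early events are not silently lost."""

    def __init__(self, is_ready, send, max_events=100):
        self._is_ready = is_ready  # is_ready(consent_reference) -> bool (assumption)
        self._send = send          # send(consent_reference, event) (assumption)
        self._max = max_events     # per-reference bound on buffered events
        self._pending = {}         # consent_reference -> deque of events
        self._ready = set()        # references already confirmed available
        self.dropped = 0           # events discarded because the bound was hit

    def submit(self, consent_reference, event):
        """Send immediately if the reference is known to be available,
        otherwise buffer. Returns "sent" or "buffered"."""
        if consent_reference in self._ready:
            self._send(consent_reference, event)
            return "sent"
        queue = self._pending.setdefault(consent_reference, deque())
        if len(queue) >= self._max:
            # Bounded buffer: discard the oldest event rather than grow
            # without limit if the reference never becomes available.
            queue.popleft()
            self.dropped += 1
        queue.append(event)
        return "buffered"

    def poll(self):
        """Call periodically. Flushes, in submission order, the events of
        every reference that has become available. Returns the number of
        events sent."""
        sent = 0
        for ref in list(self._pending):
            if not self._is_ready(ref):
                continue
            queue = self._pending[ref]
            while queue:
                # If send raises, the event stays at the head of the queue
                # and is retried on the next poll.
                self._send(ref, queue[0])
                queue.popleft()
                sent += 1
            del self._pending[ref]
            self._ready.add(ref)
        return sent
```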

The system automatically generates a consent reference for a tenant when the tenant subscribes to the SAP Hybris Profile solution. Use the command in this example only if the system does not automatically generate a consent reference when a tenant subscribes.

Example

To generate a consent reference for a tenant, you must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details about how to receive an access token, see the /token endpoint section of the OAuth2 service documentation.

curl -X POST -H "Authorization: Bearer Access_token" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences/TENANT'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of POST request with real data

curl -X POST -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences/TENANT'

Response

A successful response includes an id whose value is a consent reference.

{
  "id": "TENANT",
  "link": "https://api.beta.yaas.io/hybris/consent/v1/mycomicsshop/consentReferences/TENANT"
}

Because consent creation is asynchronous, the system does not generate a consent reference immediately.


Block and unblock a user consent reference

When the tenant blocks a user consent reference, the Consent service disallows processing of all user's personal data. Blocking a consent reference does not result in data deletion.

To block a user consent reference, the Consent service requires the hybris.profile_consent_manage_blocked scope, and you must send a blocked flag set to true. Here is an example of how to do this:

Example

curl -X PATCH -H "Authorization: Bearer Access_token" -H "Content-Type: application/json" -d '{
    "blocked": true
}' "https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences/{consentReference}" -i

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide the consent reference that you want to block.

Example of a PATCH request with real data

curl -X PATCH -H "Authorization: Bearer 001-ad2b1327-8888-4ce4-b2cc-d64a9bc4932e" -H "Content-Type: application/json" -d '{
    "blocked": true
}' "https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences/11a7e44f-9c76-4307-b553-b81b5c855fd5"

Response

The response with a status code of 204 indicates that the service blocked a given consent reference.

When you block a consent reference, your request triggers a notification with these values:

  • operation: The type of operation, in this case UPDATE
  • schema: The schema defining the type of event, in this case core/ConsentReference
  • payload:
    {
      "id": "11a7e44f-9c76-4307-b553-b81b5c855fd5",
      "blocked": true
    }
    

To unblock a user consent reference, send the blocked flag set to false. Use the command shown in the example.

Example

curl -X PATCH -H "Authorization: Bearer Access_token" -H "Content-Type: application/json" -d '{
    "blocked": false
}' "https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consentReferences/{consentReference}" -i

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide the consent reference that you want to unblock.

Example of a PATCH request with real data

curl -X PATCH -H "Authorization: Bearer 001-ad2b1327-8888-4ce4-b2cc-d64a9bc4932e" -H "Content-Type: application/json" -d '{
    "blocked": false
}' "https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consentReferences/11a7e44f-9c76-4307-b553-b81b5c855fd5"

Response

The response with a status code of 204 indicates that the service unblocked a given consent reference.

When you unblock a consent reference, your request triggers a notification with these values:

  • operation: The type of operation, in this case UPDATE
  • schema: The schema defining the type of event, in this case core/ConsentReference
  • payload:
    {
      "id": "11a7e44f-9c76-4307-b553-b81b5c855fd5",
      "blocked": false
    }
    


Delete a consent reference

A customer can also withdraw consent to collect and store any data associated with customer activity, and represented by a specified consent reference. If a customer deletes a consent reference entirely, the Context service sends the event with the operation DELETE:

{  
   "context":{  
      "location":"https://api.beta.yaas.io/hybris/profile-context/profiletestproj/data/57709830-be52-11e4-9370-edc4d47be75d",
      "consentRefId":"ae3ade81-052f-4f36-8825-f1617180ed5e",
      "id":"57709830-be52-11e4-9370-edc4d47be75d"
   },
   "schema":"core/ConsentReference",
   "operation":"DELETE"
}

Properties

  • location: The link defining where the event is stored
  • consentRefId: The consent reference used for storing the event
  • id: The unique identifier of the event
  • schema: Defines the type of event
  • operation: The type of operation

The event triggers a dedicated enricher. The enricher uses the location link, passed within that event, to retrieve another event with the consent reference ID:

{
  "id": "consent-reference-id-1234"
}


Get consent classes

You can retrieve all consent classes, for example, to verify whether a consent class exists in support of new enricher registration.

This functionality allows public class filtering. You can define the following query parameter:

  • public: If specified and set to true, the endpoint returns only public classes. If the parameter is not specified, all classes are returned.

Example

curl -X GET -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/consentClasses?public={true/false}'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. Query parameters
    • {public}: Provide this parameter if filtering by public or private classes is necessary.

Example of GET request with real data

curl -X GET -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" 'https://api.beta.yaas.io/hybris/profile-consent/v1/consentClasses?public=true'

Response

The response to the example request returns a list of the first three consent classes.


[ {
  "title" : "Page bounces",
  "description" : "Information on which pages you visit only for a very short time",
  "editable" : true,
  "enabled" : true,
  "class" : "Bounces",
  "public": true
}, {
  "title" : "Cart events",
  "description" : "Your interactions with your shopping cart",
  "editable" : true,
  "enabled" : true,
  "class" : "CartEvents",
  "public": true
 }, {
  "title" : "Category views",
  "description" : "Product categories you have been looking at",
  "editable" : true,
  "enabled" : true,
  "class" : "CategoryViews",
  "public": true
}
]


Get all consents

Get all consents

Execute the example command to retrieve all consents for a particular consent reference. Because the service grants each consent to a data item associated with a schema, the response to the example command returns a list of schemas.

Example

curl -X GET -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
      For details about how to generate a consent reference, see the Lifecycle of a consent reference for anonymous and logged-in sessions topic.

Example of a GET request with real data

curl -X GET -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096'

Response

A successful response returns a list of schemas, as shown:


[
  {
    "schema": "https://api.stage.yaas.io/metamodel/v1/profiles/identities",
    "granted": true
  },
  {
    "schema": "https://api.stage.yaas.io/metamodel/v1/profiles/identities/devices",
    "granted": true
  },
  {
    "schema": "https://api.stage.yaas.io/metamodel/v1/profiles/insights",
    "granted": true
  },
  {
    "schema": "https://api.stage.yaas.io/metamodel/v1/profiles/insights/affinities",
    "granted": true
  }
]

The given example shows a subsection of returned consents. The actual returned list is much longer.

Get all consents for the tenant

Execute the command in the following example to get a list of all consents for the specified tenant.

You must provide the tenant's consent reference and a valid Bearer access token with the scope hybris.profile_consent_view. For details about how to receive an access token, see the /token endpoint of the OAuth2 service documentation.

curl -X GET -H "Authorization: Bearer {access token}" 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access_token with proper scopes.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a GET request with real data

curl -X GET -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT'

Response

A successful response returns a list of schemas such as those in the Get all consents tutorial.


Grant single consent

A consumer can grant a single consent, for example, to track a credit card number. The consumer must grant consent from the consumer's profile on the storefront. To grant a single consent, execute the command in the example.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/schemas/{schema}'

Command parameters

  1. HEADERS
    • Authorization - Provide a Bearer access token.
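  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
    • {schema} - Provide the URL-encoded (percent-encoded) schema name, as in the example with real data.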

  3. BODY

    {
      "granted"  : true
    }
    

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/schemas/https%3A%2F%2Fapi.beta.yaas.io%2Fmetamodel%2Fv1%2Fcontext%2Fcommerce%2Fcaptainzbik'

Response

The command in the example sets the granted flag to true, which allows SAP Hybris Profile to collect data about the user's activity based on the granted consent class.

To grant a consent for a tenant, you must use a TENANT consent reference. For more information, see the Create consent reference for tenant tutorial.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT/schemas/{schema}'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access token with an appropriate scope.
      You must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details about how to receive an access token, see the /token endpoint section of the OAuth 2.0 service documentation.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {schema} - Provide a URL-encoded (percent-encoded) schema name.

Example with real data

curl -X PUT -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" -d '{"granted"  : true}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT/schemas/https%3A%2F%2Fapi.beta.yaas.io%2Fmetamodel%2Fv1%2Fcontext%2Fcommerce%2Fcaptainzbik'
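Because the {schema} value is itself a URL, it has to travel as a single encoded path segment. The following is an added example, not SAP Hybris Profile code: it builds the schema and class URLs used on this page. The function name and the accepted formats for tenant, consent reference and class are assumptions drawn from the page's sample values.

```python
import re
from urllib.parse import quote

BASE = "https://api.beta.yaas.io/hybris/profile-consent/v1"  # base URL of the page's examples

# Assumed formats: consent references in the page's examples are UUIDs or the
# literal TENANT; tenant and class names are treated as simple identifiers.
_UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")
_NAME = re.compile(r"[A-Za-z0-9_-]+")


def _segment(value, pattern, what):
    """Reject values that could add or change path segments (such as "../")."""
    if not pattern.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def consent_url(tenant, consent_reference, *, schema=None, consent_class=None):
    """Build the PUT URL for one schema or for a whole consent class."""
    if (schema is None) == (consent_class is None):
        raise ValueError("pass exactly one of schema or consent_class")
    tenant = _segment(tenant, _NAME, "tenant")
    if consent_reference != "TENANT":
        consent_reference = _segment(consent_reference, _UUID, "consent reference")
    prefix = f"{BASE}/{tenant}/consents/{consent_reference}"
    if consent_class is not None:
        return f"{prefix}/classes/{_segment(consent_class, _NAME, 'consent class')}"
    # safe="" matters: quote() leaves "/" unescaped by default, which would turn
    # the schema URL into extra path segments instead of one {schema} value.
    return f"{prefix}/schemas/{quote(schema, safe='')}"
```
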


Revoke single consent

Although consents are grouped in consent classes, a consumer can choose to revoke a single consent. For example, a consumer could allow SAP Hybris Profile to track their personal data, but not to track credit card information. Consents can be managed through the consumer's profile in the storefront.

You can revoke a single consent using the command in the following examples.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/schemas/{schema}'

Command parameters

  1. HEADERS
    • Authorization - Provide a Bearer access token.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
      For details about how to generate a consent reference, see the Lifecycle of a consent reference for anonymous and logged-in sessions topic.
    • {schema} - Provide the schema to revoke.
  3. BODY

    {
      "granted"  : false
    }

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/schemas/https%3A%2F%2Fapi.beta.yaas.io%2Fmetamodel%2Fv1%2Fprofiles%2Finsights%2Faffinities'

Response

The command in the example sets the granted flag to false, which prevents SAP Hybris Profile from accessing existing data, or collecting new data, about the user's activity based on the granted consent class.

If a user revokes a consent associated with a given type of data, the Context service sends the event with the operation REVOKED:

{  
   "context":{  
      "location":"https://api.beta.yaas.io/hybris/profile-context/profiletestproj/data/57709830-be52-11e4-9370-edc4d47be75d",
      "consentRefId":"ae3ade81-052f-4f36-8825-f1617180ed5e",
      "id":"57709830-be52-11e4-9370-edc4d47be75d"
   },
   "schema":"core/ConsentReference",
   "operation":"REVOKED"
}

Properties

  • location: The link defining where the event is stored
  • consentRefId: The consent reference used for storing the event
  • id: The unique identifier of the event
  • schema: Defines the type of event
  • operation: The type of operation

The event triggers a dedicated enricher. The enricher uses the location link, passed within that event, to retrieve another event with the list of schemas defining the data for which the user revokes consent.

The following example shows the event containing a list of schemas that an enricher retrieves from the Context service when a user revokes consent for collecting and processing data related to the profiles/insights/affinities schema.

The example displays only a subset of the CartEvents schema list.

{
  "id": "consent-reference-id-1234",
  "revokedConsents": [
    "https://api.stage.yaas.io/metamodel/v1/profiles/insights/affinities"
  ]
}
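The event handling described for the DELETE and REVOKED operations, as an added example that is not SAP Hybris Profile code: it checks the notification, follows the location link through an injected fetch function, and works out which data the consent change covers. The function names, the in-memory store, the host allowlist and the purge step are assumptions; the event payloads are the ones shown on this page.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "api.beta.yaas.io"  # assumption: host of the page's example location links
LOCATION = "https://api.beta.yaas.io/hybris/profile-context/profiletestproj/data/57709830-be52-11e4-9370-edc4d47be75d"
AFFINITIES = "https://api.stage.yaas.io/metamodel/v1/profiles/insights/affinities"
IDENTITIES = "https://api.stage.yaas.io/metamodel/v1/profiles/identities"


def make_event(operation):
    """The notification shown on the page, with the given operation."""
    return {"context": {"location": LOCATION,
                        "consentRefId": "ae3ade81-052f-4f36-8825-f1617180ed5e",
                        "id": "57709830-be52-11e4-9370-edc4d47be75d"},
            "schema": "core/ConsentReference", "operation": operation}


def plan_purge(event, fetch):
    """Return (consent_ref_id, schemas); schemas is None when everything goes."""
    if event.get("schema") != "core/ConsentReference":
        raise ValueError("not a consent reference event")
    operation = event.get("operation")
    if operation not in ("DELETE", "REVOKED"):
        raise ValueError(f"unhandled operation: {operation!r}")
    location = event["context"]["location"]
    parts = urlsplit(location)
    # Follow the link only over HTTPS and only to the expected service host.
    if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
        raise ValueError("location is outside the expected service")
    detail = fetch(location)  # the second event, retrieved from the Context service
    if operation == "DELETE":
        return detail["id"], None
    revoked = detail.get("revokedConsents")
    if not revoked:
        raise ValueError("REVOKED event without revokedConsents")
    return detail["id"], set(revoked)


def apply_purge(store, consent_ref_id, schemas):
    """Delete matching entries from a {(consent_ref_id, schema): data} store."""
    doomed = [key for key in store
              if key[0] == consent_ref_id and (schemas is None or key[1] in schemas)]
    for key in doomed:
        del store[key]
    return doomed


def demo(operation, detail):
    """Run one event against a constructed store; fetch is a stub, no network."""
    ref = detail["id"]
    store = {(ref, AFFINITIES): {"comics": 0.9}, (ref, IDENTITIES): {"devices": 2},
             ("other-ref", AFFINITIES): {"comics": 0.1}}
    ref_id, schemas = plan_purge(make_event(operation), lambda url: detail)
    apply_purge(store, ref_id, schemas)
    return sorted(store)
```
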


Grant consents by class

Grant consents of the same class

You can grant consents so that SAP Hybris Profile can collect information for those consents. To grant consent for a consent class, execute the command from the example.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -H "Content-Type: application/json" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/classes/{consentClass}'

Command parameters

  1. HEADERS
    • Authorization - Provide a Bearer access token.
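  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
    • {consentClass} - Provide the consent class name.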

  3. BODY

    {
      "granted"  : true
    }
    

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -H "Content-Type: application/json" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/classes/comicbookview'

Response

The command in the example sets the granted flag back to true, which means that SAP Hybris Profile can start to collect data about the user's activity based on the granted consent class.

Grant consents of the same class for a tenant

To grant a consent class for a tenant, execute the command in the following example.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -H "Content-Type: application/json" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT/classes/{consentClass}'

Command parameters

  1. HEADERS
    • Authorization - Provide a Bearer access token with the appropriate scopes.
      You must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details on how to get an access token, see the /token endpoint section of the OAuth 2.0 service.
  2. URI parameters
    • {tenant} - Provide your tenant name.

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" -H "Content-Type: application/json" -d '{
     "granted"  : true
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT/classes/comicbookview'


Revoke consents by class

Revoke consents of the same class

Consumers can grant and revoke consents, grouped by consent class, through the storefront. The collected data associated with a consent becomes irrevocably inaccessible if the consumer revokes that consent. If a consumer grants consents that were formerly revoked, within the scope of a specific consent class, then SAP Hybris Profile can track new information represented by the granted consents. You can use the command in the following example to revoke consents that belong to a specific consent class.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -H "Content-Type: application/json" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/{consentReference}/classes/{consentClass}'

Command parameters

  1. HEADERS
    • Authorization - Provide a Bearer access token.
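  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentReference} - Provide a consent reference.
    • {consentClass} - Provide the consent class name.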

  3. BODY

    {
      "granted"  : false
    }
    

Example of a PUT request with real data

curl -X PUT -H "Authorization: Bearer 001-fa77890a-5d85-4b92-b29a-62ed8d469384" -H "Content-Type: application/json" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/baa8a056-8b71-417e-9ad6-1c5069c66096/classes/comicbookview'

Response

In the response, the example consent class is disabled. This means SAP Hybris Profile can no longer collect the information about the consumer's activities represented by the disabled consent class. Pre-existing data associated with this consent class becomes irrevocably inaccessible. In the consent class in the example, the granted flag is set to false.

To revoke consent for a tenant, you must use a TENANT consent reference. For more information, see the Create consent reference for tenant tutorial.

Example

curl -X PUT -H "Authorization: Bearer {access token}" -H "Content-Type: application/json" -d '{
     "granted"  : false
}' 'https://api.beta.yaas.io/hybris/profile-consent/v1/{tenant}/consents/TENANT/classes/{consentClass}'

Command parameters

  1. HEADERS
    • Authorization - Provide a valid Bearer access token with the proper scope.
      You must obtain a Bearer access token with the scope hybris.profile_consent_manage. For details about how to receive an access token, see the /token endpoint section of the OAuth 2.0 service documentation.
  2. URI parameters
    • {tenant} - Provide your tenant name.
    • {consentClass} - Provide the consent class name.

Example with real data

curl -X PUT -H "Authorization: Bearer 020-ff40ae4c-4951-4438-a328-9603848076cb" -d '{"granted"  : false}' \
     'https://api.beta.yaas.io/hybris/profile-consent/v1/mycomicsshop/consents/TENANT/classes/comicbookview'


Glossary

  • authorization: The process of determining whether a given microservice has permission to gain consent.
  • consent: Permission to access (read, write) specific profile data, for example, permission to read or write an age estimation or physical address. A consumer and a tenant can grant and revoke consent for subsets of their respective data.
  • consent class: A developer-defined string alias that references a set of profile data, or "schemas", for which to grant and revoke consent.
  • consent reference: A unique, randomized string that serves as a passcode to decrypt data associated with one or more schemas.
  • consumer: The end user whose actions yield profile data. A profile describes a single consumer.
  • context: Data that triggers enrichers. You can collect this data from consumer-triggered events or from third-party sources such as weather stations.
  • Context service: An internal microservice that manages the insertion of, and the retrieval of, context data in the Context Repository.
  • enricher: A microservice that retrieves personal data from the Context service and other services, possibly alters or extends it, and then persists enriched data in a profile document. An enricher can interpret data points, or sets of data points, to yield new data to persist. For example, an enricher can interpret purchasing data and contemporaneous weather station data to yield new data indicating that the consumer is a rainy-day shopper.
  • identity: One of many independent units of data used to identify a unique profile, such as an email address, browser type, or version.
  • profile: Data about a single consumer, collected and derived from events that the consumer triggers, or events that are logically associated with that consumer.
  • schema: A string representation of a particular data structure, used to define read and write permissions for SAP Hybris Profile microservices.
  • tenant: A tenant is a group of users on a project sharing common access, with specific privileges to a service.

