/
How to link Consents? What is a Base Consent ID (consentGroupId)?

How to link Consents? What is a Base Consent ID (consentGroupId)?

Date

Jun 23, 2025

Response

The Base Consent ID (consentGroupId) serves as a persistent reference that links related consents within a TPP’s service. It allows a common identifier to persist across multiple consents that belong to the same logical group—initiated by the same user and for the same service—we use it to enable a more coherent and user-friendly presentation of consent within Consent Management Interfaces (CMIs) provided by both TPPs and LFIs.

When Should a Base Consent ID Be Used?

Here are common scenarios where a Base Consent ID is applicable:

  1. Consent Continuation

When a user's consent has expired (i.e., the ExpirationDateTime is in the past), but the user wishes to continue using the TPP’s service, the TPP must create a new consent (with a new consentId) for the same permissions.

To maintain continuity, the TPP should set the original ConsentId as the BaseConsentId for the new consent.

Important:
If the original consent already had a BaseConsentId, the TPP must reuse that same BaseConsentId, not the immediate prior ConsentId. This ensures the entire chain of consents is consistently linked.

  1. Consent Re-establishment After Revocation

If a user revokes consent and later wants to re-establish access to the TPP’s services, the TPP should create a new consent with the same permissions.

As with consent continuation, the TPP should reference the original ConsentId as the BaseConsentId—or, if applicable, reuse the existing BaseConsentId—to maintain the logical association.

 

 

  1. Consent Update (Permission Expansion)

Suppose a user originally grants consent with specific permissions (e.g., ReadAccountsBasic, ReadAccountsDetail, ReadBalances), and the TPP later introduces new functionality (e.g., access to ReadDirectDebits). If the user opts in to this expanded scope, the TPP should:

  1. Create a new consent with the updated set of permissions.

  2. Revoke the old consent.

  3. Link the new consent to the original one by referencing the appropriate BaseConsentId.

User Identity Consistency

It is assumed that all consents linked via a BaseConsentId are associated with the same end user. Therefore, if during authentication the LFI determines that the userId associated with a newly submitted consent differs from the user who authorized the previous consent in the chain, the LFI should reject the new consent.

 

 

 

© CBUAE 2025