SecurityClaimType FHIR Resource Proposal
Rejected because the content of a User Claim is not a healthcare-specific concept, or is sufficiently profiled elsewhere. Use of the standards identified below is recommended, without HL7-defined constraints. See the FHIR Security page for details.
Owning committee name
FHIR Core Project
Contributing or Reviewing Work Groups
FHIR Resource Development Project Insight ID
FHIR core project
Scope of coverage
Some implementations find it useful to manage user accounts and rights through the FHIR interface. This is true whether they use their own user identity system or an external identity provider such as LDAP, a Windows Domain, or Facebook/Google/etc.: even with an external identity provider, there are still FHIR-specific rights and roles to express. So we (Security/FHIR core team) have decided that FHIR will provide a specific set of resources for this. Note that an implementation is not required to use these resources in order to implement its security system; they are defined for convenience should an implementation wish to use them.
See FHIR Security Management Subsystem for further information.
The SecurityClaimType resource allows a system to describe a claim that a principal or a group may make with regard to what rights it has or roles it plays.
- subject: defines a claim
- usage: manage authentication and/or authorization roles
- this resource is not limited by discipline/context/locality
RIM scope
Notionally this is similar to a role, but it is not an entity in a role; it is a role that an entity may claim. So there is no direct RIM mapping.
Resource appropriateness
- Represents a well understood, "important" concept in the business of healthcare: what roles/rights a user has.
- Is defined to allow a system to declare what roles it understands/uses. FHIR will define a set of basic roles/rights.
- The resource has 4 elements. Open question: use namespace instead? But namespace is defined more narrowly.
Expected implementations
- The FHIR reference server will implement this.
- Several other connectathon attendees have asked for this functionality.
Content sources
- IHE XUA
- OpenID Connect
- Microsoft documentation: WCF Security and LDAP documentation
Example Scenarios
- Define claims for rights that apply to an identified user or software application.
- Used to drive OAuth authorisation for a user.
Resource Relationships
Referred to from SecurityPrincipal and SecurityGroup.
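The following Python sketch is an added illustration of the model described in the scenarios and relationships above; it is not HL7 code and the resource was never defined, so the class names, element names, claim codes, rights encoding and the SMART-style scope mapping are all assumptions made for this example. It shows the distinction the RIM scope draws: a claim type is a definition a server declares it understands, while assignment happens on principals and groups, and only claims matching a declared type grant anything.

```python
from dataclasses import dataclass, field


# A claim type is the definition of a role/right that an entity MAY claim.
# It is not an entity in a role; assignment is recorded on principals and groups.
# (Class and element names are assumptions for this example, not HL7 definitions.)
@dataclass(frozen=True)
class SecurityClaimType:
    code: str               # e.g. "clinician" (assumed value)
    description: str
    rights: frozenset       # of (resource_type, interaction) tuples (assumed encoding)


@dataclass
class SecurityGroup:
    name: str
    claims: set = field(default_factory=set)    # codes of claim types the group grants


@dataclass
class SecurityPrincipal:
    identifier: str
    claims: set = field(default_factory=set)    # claim codes asserted for the principal directly
    groups: list = field(default_factory=list)  # SecurityGroup memberships


class ClaimRegistry:
    """The set of claim types a server declares it understands/uses."""

    def __init__(self, claim_types):
        self._types = {ct.code: ct for ct in claim_types}

    def effective_claims(self, principal):
        """Union of the principal's own claims and those of its groups,
        restricted to declared claim types. An undeclared claim code
        (e.g. "superuser" below) is ignored rather than granting anything."""
        codes = set(principal.claims)
        for group in principal.groups:
            codes |= group.claims
        return {self._types[c] for c in codes if c in self._types}

    def is_allowed(self, principal, resource_type, interaction):
        """Authorization decision for one FHIR interaction on one resource type."""
        return any((resource_type, interaction) in ct.rights
                   for ct in self.effective_claims(principal))

    def scopes_for(self, principal):
        """Derive OAuth scopes from effective claims (SMART-style 'user/Type.read|write'
        strings; the read/write collapsing is an assumed mapping for this example)."""
        scopes = set()
        for ct in self.effective_claims(principal):
            for resource_type, interaction in ct.rights:
                mode = "read" if interaction == "read" else "write"
                scopes.add(f"user/{resource_type}.{mode}")
        return sorted(scopes)


# Constructed sample data for the example.
REGISTRY = ClaimRegistry([
    SecurityClaimType("clinician", "May read and record clinical data",
                      frozenset({("Patient", "read"),
                                 ("Observation", "read"),
                                 ("Observation", "create")})),
    SecurityClaimType("patient", "May read demographics",
                      frozenset({("Patient", "read")})),
])
CLINICAL_STAFF = SecurityGroup("clinical-staff", {"clinician"})
ALICE = SecurityPrincipal("alice@example.org", groups=[CLINICAL_STAFF])
# "superuser" is not a declared claim type, so it must grant nothing.
BOB = SecurityPrincipal("bob@example.org", claims={"patient", "superuser"})

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.identifier,
              "Observation.create:", REGISTRY.is_allowed(who, "Observation", "create"),
              "scopes:", REGISTRY.scopes_for(who))
```

The registry is the server-side declaration of what it understands; adding a claim code to a principal or group without a matching declared type changes nothing, which is the safe default when an external identity provider passes through roles the FHIR server does not recognise.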
Timelines
For development for QA/DSTU2
gForge Users
Copyright © Health Level Seven International ® ALL RIGHTS RESERVED. The reproduction of this material in any form is strictly forbidden without the written permission of the publisher.