SecurityClaimType FHIR Resource Proposal

From HL7Wiki
Jump to: navigation, search



SecurityClaimType

Rejected due to the content of a User Claim is not a healthcare specific concept, or is sufficiently profiled elsewhere. Use of the standards identified are recommended without HL7 defined constraints. See the FHIR Security page for details.

Owning committee name

FHIR Core Project

Contributing or Reviewing Work Groups

  • Security
  • IHE

FHIR Resource Development Project Insight ID

FHIR core project

Scope of coverage

Some implementations find that it would be useful to be able to manage user accounts and rights through the FHIR interface. This is true whether they use their own user identity system, or some external identity provider such as LDAP, Windows Domain, or Facebook/Google/etc, since even when using these external identity providers, there are still rights/roles things to say that are specific about FHIR. So we (Security/FHIR core team) have decided that FHIR will provide a specific set of resources for this. Note that it will not be required for an implementation to use these resources in order to implement it's security system - they are defined for convenience should an implementation wish one.

See FHIR Security Management Subsystem for further information.

The SecurityClaimType resource allows a system to describe a claim that a principal or a group may make with regard to what rights it has or roles it plays.

  • subject: defines a claim
  • usage: manage authentication and/or authorization roles
  • this resource is not limited by discipline/context/locality

RIM scope

Notionally this is similar to a role, but it's not an entity in a role, it's a role that an entity may claim. So no direct mapping

Resource appropriateness

  • Represents a well understood, "important" concept in the business of healthcare - what roles/rights a user has
  • Is defined to allow a system to declare what roles it understands/uses. FHIR will define a set of basic roles/rights
  • Resource has 4 elements. ? use namespace - but namespace is defined more narrowly

Expected implementations

  • the FHIR reference server will implement this
  • several other connectathon attendees have asked for this functionality

Content sources

  • IHA XUA
  • OAuth
  • OpenID Connect
  • Microsoft Documentation - WCF Security & LDAP documentation

Example Scenarios

  • define claims for rights that apply to an identified user or software application
  • used to drive OAuth authorisation from a user

Resource Relationships

Referred to from SecurityPrincipal, and SecurityGroup

Timelines

For development for QA/DSTU2

gForge Users

Core team

Copyright © Health Level Seven International ® ALL RIGHTS RESERVED. The reproduction of this material in any form is strictly forbidden without the written permission of the publisher.