  1. FHIR Specification Feedback
  2. FHIR-28660

Move security elements to security section


Details

    • Change Request
    • Resolution: Persuasive with Modification
    • Highest
    • CDS Hooks (FHIR)
    • 1.0
    • Clinical Decision Support
    • (NA)
    • Prefetch template

      Change Trusted CDS Services to include bolded sentence:

      >The authorization server is responsible for enforcing restrictions on the CDS Services that MAY be called and the scope of the FHIR resources that MAY be prefetched or retrieved from the FHIR server. In either case, the CDS Client SHALL deny access to a requested resource if it is outside the user's authorized scope. If a CDS Client is satisfying prefetch requests from a CDS Service or sends a non-null `fhirAuthorization` object to a CDS Service so that it can call the FHIR server, the CDS Service MUST be pre-registered with the authorization server protecting access to the FHIR server. Pre-registration includes registering a CDS client identifier, and agreeing upon the scope of FHIR access that is minimally necessary to provide the clinical decision support required. This specification does not address how the CDS Client, authorization server, and CDS Service perform this pre-registration.

       

      I think there's value in mentioning that prefetched resources are limited to what's available to the current user in the prefetch section, though. Changing from:

      >The CDS Client SHALL deny access to the requested resource if it is outside the user's authorized scope.

      to:

      >The CDS Client denies access to the requested resource if it is outside the user's authorized scope.

    • Ricardo Quintano/Sarah Shaw: 15-0-5
    • Clarification
    • Non-substantive
    • Yes

    Description

      This should be part of the security section.

      Existing Wording:

      The CDS Client SHALL deny access to the requested resource if it is outside the user's authorized scope.

          People

            Unassigned
            bvdh Bas van den Heuvel
            Watchers: 2
