Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-33014

Add reference to SCIM to security page

    XMLWordPrintableJSON

Details

    • Icon: Change Request Change Request
    • Resolution: Persuasive with Modification
    • Icon: Medium Medium
    • FHIR Core (FHIR)
    • R4
    • Security
    • Security
    • Hide

      Update secpriv-module.html#user

      6.0.5.2 User Identity and Access Context 

      Use case: "Access to protected Resources are enabled though user Role-Based, Context-Based, and/or Attribute-Based Access Control."

      Approach: Ensure that the level of assurance for identity proofing reflects the appropriate risk, given the issued party's exposure to health information. Users should be identified and should have their Functional and/or Structural role declared when these roles are related to the functionality the user is interacting with. Roles should be conveyed using standard codes from Security Role Vocabulary.

      +*The FHIR core specification does not include a "User" resource, as a User resource would be general IT and used well beyond healthcare workflows. A RESTful User resource is defined in the [System for Cross-domain Identity Management (SCIM) specification](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management).*+

      A purpose of use should be asserted for each requested action on a Resource. Purpose of use should be conveyed using standard codes from Purpose of Use Vocabulary.

      When using OAuth, the requested action on a Resource for specified one or more purpose of use and the role of the user are managed by the OAuth authorization service (AS) and may be communicated in the security token where JWT tokens are used. For details, see Security: HCS vocabulary.

      Show
      Update secpriv-module.html#user 6.0.5.2 User Identity and Access Context  Use case:  "Access to protected Resources are enabled though user Role-Based, Context-Based, and/or Attribute-Based Access Control." Approach:  Ensure that the level of assurance for identity proofing reflects the appropriate risk, given the issued party's exposure to health information. Users should be identified and should have their Functional and/or Structural role declared when these roles are related to the functionality the user is interacting with. Roles should be conveyed using standard codes from  Security Role Vocabulary . +*The FHIR core specification does not include a "User" resource, as a User resource would be general IT and used well beyond healthcare workflows. A RESTful User resource is defined in the [System for Cross-domain Identity Management (SCIM) specification] ( https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management).*+ A purpose of use should be asserted for each requested action on a Resource. Purpose of use should be conveyed using standard codes from  Purpose of Use Vocabulary . When using OAuth, the requested action on a Resource for specified one or more purpose of use and the role of the user are managed by the OAuth authorization service (AS) and may be communicated in the security token where JWT tokens are used. For details, see  Security: HCS vocabulary .
    • Kathleen Connor / Luis Maas: 8-0-1
    • Clarification
    • Non-substantive
    • R5

    Description

      Lots of people end up having the question "How do I represent users, user accounts, privileges, etc. in FHIR" - and our answer is that "There are other RESTful specifications that can be used for that".  It would be good to have this explicitly explained and a link provided.

      Attachments

        Activity

          People

            john_moehrke John Moehrke
            lloyd Lloyd McKenzie
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: