Versions Compared

Old Version 45

changes.mady.by.user Erik Nielsen

Saved on

compared with

New Version 46

changes.mady.by.user Erik Nielsen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Citizens are able to see almost all data to whom they are referenced (see Tokens, Roles and RBAC/ABAC). Citizens are able to create and manipulate data in the eHealth Infrastructure according to the same set of RBAC and ABAC rules.

  • Clinical users are able to access and manipulate data according to their affiliation to a given careteam and the role in that given careteam. The same goes for organizational data (see Tokens, Roles and RBAC/ABAC).

The rules that apply are determined by the SAML Assertion when logging in. The SAML attributes are described in https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2210693130/Federated+Authentication+for+Citizens#SAML-Attributes-for-Citizen-Users .

Clinical SAML attributes

Clinical access to the eHealth Infrastructure goes through SEB. SEB provides a set of SAML attributes in a SAML assertion which is used to identify the clinical user.

...

Attribute

...

Description

...

urn:oid:2.5.4.10

...

Organization name

...

dk:gov:saml:attribute:CprNumberIdentifier

...

Required from SEB. Civil registration number (CPR)

...

dk:gov:saml:attribute:CvrNumberIdentifier

...

CVR number

...

dk:gov:saml:attribute:RidNumberIdentifier

...

RID number from certificate

...

dk:gov:saml:attribute:AssuranceLevel

...

AssuranceLevel (must be 4)

...

urn:oid:2.5.4.3

...

Required from SEB. Common name (full name)

...

urn:liberty:disco:2006-08:DiscoveryEPR

...

IDCard

...

dk:healthcare:saml:attribute:HasUserAuthorization

...

A boolean saying if the user has any healthcare authorizations

...

dk:healthcare:saml:attribute:UserAuthorizations

...

A list of the users healthcare authorizations

...

urn:oid:0.9.2342.19200300.100.1.1

...

Required from SEB. The globally unique ID of the user within his/her organization. (also known as UID)

...

dk:gov:saml:attribute:Privileges_intermediate

...

Required from SEB. A base64-encoded XML structure in OIO BPP format, listing privileges. If an employee should have any permissions, this attribute should define one or more roles in scope of an organizational unit or careteam, e.g. a SOR number, STS Organisation or careteam reference. See general structure in documentation[1].

[1] https://digst.dk/media/19020/oiosaml-basic-privilege-profile-1_1.pdf

...

dk:healthcare:ehealth:saml:attribute:scopingOIOBPPContext

...

Optional. Can be used to limit scopes expressed in the OIO BPP structure, by adding it as a constraint in each PrivilegeGroup. Only PriviledgeGroups with the constraint matching the value of scopingOIOBPPContext will be available for the user. The use of scopingOIOBPPContext is not yet used and will be ignored. Can be used to support multi affiliation in the future.

The attributes used are the CPR number (dk:gov:saml:attribute:CprNumberIdentifier), the UID and the OIO BPP format (dk:gov:saml:attribute:Privileges_intermediate). The CPR number is primarily used for delivering data to the centra NSP MinLog service. The UID uniquely identifies the user in the eHealth Infrastructure and the OIO BPP provides the roles and careteams that are accessible to the user. 

OIO BPP in the eHealth Infrastructure

Note

Municipalities MUST follow the guidelines located here: OIO-BPP URI naming precautions for municipalities

The structure of the OIO BPP, used in Privileges_intermediate, is capable of expressing multiple careteam- and organization affiliations. If only a single careteam is expressed in the OIO BPP it is automatically set in context of the user. In the case where the user is part of multiple careteams, the user needs to set the wanted careteam in context (see Switching Context). Once a careteam is set into context, the roles under that careteam applies to the user - expressed in the JWT (the internal access token of the eHealth Infrastructure).

An example:

OIO BPP
Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
        <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>

The OIO BPP snippet above is listed for Practitioner 1 - Lasse Dam. This OIO BPP states that Lasse Dam has the role "urn:dk:sundhed:ehealth:role:monitoring_assistor" in the careteam identified by "95c7aef7-ec7f-487b-9687-6e6624d25fdb" in the organization "440711000016004". If this was the only content of the OIO BPP, Lasse Dam would have been handed a JWT by the infrastructure where the stated careteam and organization would be set in context. Had there been multiple PrivilegeGroups in the OIO BPP, nothing would have been set in context as the choice would not be straight forward for the AS to pick, instead the client would have to ask the user to pick among the available allowed contexts (see Switching Context).

Since the OIO BPP states what privileges are available to the user, it is up to the IdP to construct the correct OIO BPPs. Valid privileges and what they map to can be seen at Tokens, Roles and RBAC/ABAC.

Enhanced example:

Enhanced OIO BPP
Code Block
languagexml
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
        <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege>
	<Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege>
    </PrivilegeGroup>
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:kombit:orgUnit">48df8b3d-56be-4f3a-bd0f-d3ade05348dd</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:clinical_administrator</Privilege>
        <Privilege>urn:dk:sundhed:ehealth:role:questionnaire_editor</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>

Had the example instead looked like the example stated above, the user Lasse Dam would have been issued a more narrow JWT as nothing would have been set into context as the AS would be unable to choose between the whether the user should be in the context of the careteam with the role "monitoring assistor" and "citizen enroller" or in the context of the organization with the roles "clinical administrator" (capable of managing PlanDefinition and ActivityDefinitions) and "questionnaire editor".

The PrivilegeGroups provided in the OIO BPP must be unique in accordance with the following scheme:

The combination of CVR number (scope) sorIdentifer(regional)/orgUnit(municipal) (and careteam must be unique). Failing to comply with this may result in errors. This scheme is to ensure that users cannot have multiple different privileges stated differently. Do note that it is possible to list multiple (valid) privileges in any given PrivilegeGroup.

Result and impact of successful login

...