Versions Compared

Old Version 4

changes.mady.by.user Erik Nielsen

Saved on

compared with

New Version 5

changes.mady.by.user John Schneider

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated to link to nspop minlog2

...

The attributes used are the CPR number (dk:gov:saml:attribute:CprNumberIdentifier), the UID and the OIO BPP format (dk:gov:saml:attribute:Privileges_intermediate). The CPR number is primarily used for delivering data to the central NSP MinLog MinLog2 service. The UID uniquely identifies the user in the eHealth Infrastructure and the OIO BPP provides the roles and careteams that are accessible to the user.

...

The structure of the OIO BPP, used in Privileges_intermediate, is capable of expressing multiple careteam- and organization affiliations. If only a single careteam is expressed in the OIO BPP it is automatically set in the context of the user. In the case where the user is part of multiple careteams, the user needs to set the wanted careteam in context (see Switching Context). Once a careteam is set into context, the roles under that careteam applies apply to the user - expressed in the JWT (the internal access token of the eHealth Infrastructure).

...

The OIO BPP snippet above is listed for Practitioner 1 - Lasse Dam. This OIO BPP states that Lasse Dam has the role "urn:dk:sundhed:ehealth:role:monitoring_assistor" in the careteam identified by "95c7aef7-ec7f-487b-9687-6e6624d25fdb" in the organization "440711000016004". If this was the only content of the OIO BPP, Lasse Dam would have been handed a JWT by the infrastructure where the stated careteam and organization would be set in context. Had there been multiple PrivilegeGroups in the OIO BPP, nothing would have been set in context as the choice would not be straight forward straightforward for the AS to pick, instead the client would have to ask the user to pick among the available allowed contexts (see Switching Context).

...

Had the example instead looked like the example stated above, the user Lasse Dam would have been issued a more narrow JWT as nothing would have been set into context as the AS would be unable to choose between the whether the user should be in the context of the careteam with the role "monitoring assistor" and "citizen enroller" or in the context of the organization with the roles "clinical administrator" (capable of managing PlanDefinition and ActivityDefinitions) and "questionnaire editor".

...