Comment: Moved the mapping of KOMBIT roles and OIO BPP Roles to separate table.

...

Term

Description

Usersystem

(Danish: Brugervendt system)

An IT system that provides an access-controlled user interface, accessed via a browser. That is, a system directly used by an end-user.

Registering a user-system in the KOMBIT STS Admin enables it to use KOMBIT systems for access control of end-users.

Usersystem role

(Danish: Brugersystemrolle)

Grouping of rights or permissions that define access and access restrictions to a specific user-facing system

Data constraint

(Danish: Dataafgrænsning)

Restriction of a “user system role”, which narrows the system role's field of action

Job function role

(Danish: Jobfunktionsrolle)

Grouping of user system roles for an authority (e.g. municipality) used by the authority to assign access to the user.

Each municipality shall maintain a set in KOMBIT STS Admin.

Concerning eHealth Infrastructure, the job function role should comprise:

  • A collection of user system roles

  • An Organisation identifier

  • A possible CareTeam identifier

...

Usersystem in FK Administration

System

1

FUT - SAML Proxy (devtest)

FUT saml-proxy for the internal Systematic Test Environment.

2

FUT - SAML Proxy (inttest)

FUT saml-proxy for the eHealth Internal Test Environment

3

FUT - SAML Proxy (exttest)

FUT saml-proxy for the eHealth External Test environment (exttest) and external development environment (devenvcgi).

4

FUT - SAML Proxy (test002)

FUT saml-proxy for the eHealth Education environment (TEST002)

5

FUT - SAML Proxy (preprod)

FUT saml-proxy for the eHealth pre-production environment

6

“T-SEB”

Note

They will be used in the future when SEB and ContextHandler are directly connected. The name is not known by Systematic.

T-SEB for all eHealth test (incl. pre-prod) environments.

...

The following screenshot shows the “Fælleskommunalt Administrationsmodul” user interface for creating data constraints and mandatory fields.

...

User-facing system

Data Constraint Name

EntityId

(domain + “/constraint/”+ filter + version)

Syntax validation

1

DEVTEST

Careteam

http://ehealth.sundhed.dk/constraints/careteam/1

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

2

INTTEST

Careteam

http://saml-proxy.inttest.ehealth.sundhed.dk/constraints/careteam/1

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

3

EXTTEST, DEVENVCGI

Careteam

http://saml-proxy.exttest.ehealth.sundhed.dk/constraints/careteam/1

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

4

TEST002

Careteam

http://saml-proxy.test002.ehealth.sundhed.dk/constraints/careteam/1

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

5

PREPROD

Careteam

http://saml-proxy.preprod.ehealth.sundhed.dk/constraints/careteam/1

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*

6

“T-SEB”

Note

Name not known by Systematic.

Careteam

Note

Does SEB require that Data Constraint names be prepended with “fut” or “eHealth”?

http://exttest.ehealth.sundhed.dk/constraints/careteam/1

Note

We assume the constraint can be reused and have named as “FUT exttest” user-facing system.

([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})+(,\s*[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})*
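The careteam syntax-validation pattern from the table above, exercised as an added example (not part of the original page or of the KOMBIT/eHealth code). It shows why the pattern has to be applied to the whole value, and that its `(...)+` group also accepts identifiers run together without a comma. The function names, the stricter parser and the sample UUIDs are constructed for illustration.

```python
import re

# One lowercase version-4 UUID, exactly as written in the page's pattern.
UUID4 = r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}"

# The page's "Syntax validation" pattern, assembled from UUID4 (same regex text).
PAGE_PATTERN = re.compile(rf"({UUID4})+(,\s*{UUID4})*")
ITEM = re.compile(UUID4)

# Constructed sample identifiers (not real CareTeam ids).
A = "0f8b7c1e-3a4d-4e2b-9c1a-5d6e7f8091a2"
B = "7a1c2d3e-4f50-4a6b-8c7d-9e0f1a2b3c4d"


def page_fullmatch(value: str) -> bool:
    """Page pattern applied to the whole value (anchored)."""
    return PAGE_PATTERN.fullmatch(value) is not None


def page_search(value: str) -> bool:
    """Page pattern applied unanchored: true if any substring matches."""
    return PAGE_PATTERN.search(value) is not None


def parse_careteams(value: str) -> list[str]:
    """Stricter parse (assumption: one UUID per comma-separated item).

    Keeps the page's ',\\s*' separator but rejects items that are not
    exactly one UUID, e.g. two ids concatenated without a comma.
    """
    items = re.split(r",\s*", value)
    bad = [i for i in items if not ITEM.fullmatch(i)]
    if bad:
        raise ValueError(f"invalid careteam id(s): {bad!r}")
    return items


if __name__ == "__main__":
    for sample in (A, f"{A}, {B}", A + B, A.upper(), f"junk {A} junk"):
        print(repr(sample), page_fullmatch(sample), page_search(sample))
```

Uppercase hex and non-version-4 UUIDs are rejected by the page's pattern as written, so identifiers need to be lowercased before they are registered as constraint values.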

...

  • shall have an EntityId on the form: <Domain> appended with <KOMBIT role name for the eHealth Infrastructure> and <version> (see below).

  • can have (and should have) a Danish name, the Danish designation https://docs.ehealth.sundhed.dk/latest-released/ig/CodeSystem-ehealth-oio-bpp-roles.html for the corresponding eHealth Infrastructure OIO BPP system role.

  • <Domain> shall reflect the eHealth Infrastructure environment for registration in the KOMBIT STS Admin. The <Domain> shall be one of the following:

...

Note

In case of change in what eHealth Infrastructure environments shall support municipal federation of authentication and authorization, the above list needs to be updated. In addition, such a change needs to be implemented in the mapping performed by the SAML Proxy.

eHealth Infrastructure User system roles for FUT Proxy (exttest)

<KOMBIT role name for the eHealth Infrastructure> shall be one from the list below:

...

Mapping between KOMBIT user system role, the corresponding OIO BPP roles

The KOMBIT user system role has a different format than the eHealth Infrastructure OIO BPP system roles. The following table shows the KOMBIT user system role, the corresponding OIO BPP roles, and the possible data constraints and which are mandatory for “FUT Proxy (exttest)”.

KOMBIT user system roles for the eHealth Infrastructure

eHealth Infrastructure OIO BPP system roles

Data constraints (EXTTEST)

STS Organisationsenhed

Careteam

/roles/usersystemrole/order_placer/1

urn:dk:sundhed:ehealth:role:order_placer

Mandatory

/roles/usersystemrole/citizen_enroller/1

urn:dk:sundhed:ehealth:role:citizen_enroller

Mandatory

Mandatory

/roles/usersystemrole/careteam_administrator/1

urn:dk:sundhed:ehealth:role:careteam_administrator

Mandatory

/roles/usersystemrole/incident_reporter/1

urn:dk:sundhed:eHealth:role:incident_reporter

Mandatory

Mandatory

/roles/usersystemrole/clinical_viewer/1

urn:dk:sundhed:eHealth:role:clinical_viewer

Mandatory

Mandatory

/roles/usersystemrole/clinical_supporter/1

urn:dk:sundhed:eHealth:role:clinical_supporter

Mandatory

Mandatory

/roles/usersystemrole/monitoring_assistor/1

urn:dk:sundhed:eHealth:role:monitoring_assistor

Mandatory

Mandatory

/roles/usersystemrole/monitoring_adjuster/1

urn:dk:sundhed:eHealth:role:monitoring_adjuster

Mandatory

Mandatory

/roles/usersystemrole/report_user/1

urn:dk:sundhed:ehealth:role:report_user

Mandatory

/roles/usersystemrole/clinical_administrator/1

urn:dk:sundhed:eHealth:role:clinical_administrator

Mandatory

/roles/usersystemrole/service_and_logistics/1

urn:dk:sundhed:eHealth:role:service_and_logistics

Mandatory

Mandatory

/roles/usersystemrole/questionnaire_editor/1

urn:dk:sundhed:eHealth:role:questionnaire_editor

Mandatory

/roles/usersystemrole/incident_manager/1

urn:dk:sundhed:eHealth:role:incident_manager

Mandatory

Mandatory

/roles/usersystemrole/terminology_administrator/1

urn:dk:sundhed:eHealth:role:terminology_administrator

Mandatory

/roles/usersystemrole/ssl_catalogue_responsible/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible

Mandatory

/roles/usersystemrole/ssl_catalogue_annotator/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator

Mandatory

/roles/usersystemrole/ssl_contract_responsible/1

urn:dk:sundhed:eHealth:role:ssl_contract_responsible

Mandatory

eHealth Infrastructure User system roles for FUT Proxy (

...

exttest)

<KOMBIT role name for the eHealth Infrastructure> shall be one from the list below:

The table shows the KOMBIT user system role, the corresponding OIO BPP roles, and the possible data constraints and which are mandatory for “FUT Proxy (exttest)”.

KOMBIT user system roles for the eHealth Infrastructure

eHealth Infrastructure OIO BPP system roles

Data constraints

Organisation

SOR Organisationsenhed

SSL

(EXTTEST)

STS Organisationsenhed

Careteam

/roles/usersystemrole/order_placer/1

urn:dk:sundhed:ehealth:role:order_placer

Mandatory

Optional

/roles/usersystemrole/citizen_enroller/1

urn:dk:sundhed:ehealth:role:citizen_enroller

Mandatory

Mandatory

Optional

Optional

/roles/usersystemrole/careteam_administrator/1

urn:dk:sundhed:ehealth:role:careteam_administrator

Mandatory

/roles/usersystemrole/incident_reporter/1

Mandatory

Mandatory

/roles/usersystemrole/clinical_viewer/1

Mandatory

Mandatory

/roles/usersystemrole/clinical_supporter/1

Mandatory

Mandatory

/roles/usersystemrole/monitoring_assistor/1

Mandatory

Mandatory

/roles/usersystemrole/monitoring_adjuster/1

Mandatory

Mandatory

/roles/usersystemrole/report_user/1

Mandatory

/roles/usersystemrole/clinical_administrator/1

Mandatory

/roles/usersystemrole/service_and_logistics/1

Mandatory

Mandatory

/roles/usersystemrole/questionnaire_editor/1

Mandatory

/roles/usersystemrole/incident_manager/1

Mandatory

Mandatory

/roles/usersystemrole/terminology_administrator/1

Mandatory

/roles/usersystemrole/ssl_catalogue_responsible/1

Mandatory

/roles/usersystemrole/ssl_catalogue_annotator/1

Mandatory

/roles/usersystemrole/ssl_contract_responsible/1

Mandatory

eHealth Infrastructure User system roles for FUT Proxy (prod)

The table shows the KOMBIT user system role and the possible data constraints which are mandatory for “FUT Proxy (prod)”.

KOMBIT user system roles for the eHealth Infrastructure

Data constraints

Organisation

SOR Organisationsenhed

SSL Organisationsenhed

Careteam

/roles/usersystemrole/order_placer/1

Mandatory

Optional

/roles/usersystemrole/citizen_enroller/1

Mandatory

Optional

Optional

/roles/usersystemrole/careteam_administrator/1

Mandatory

Optional

/roles/usersystemrole/incident_reporter/1

urn:dk:sundhed:eHealth:role:incident_reporter

Mandatory

Optional

Optional

/roles/usersystemrole/clinical_viewer/1

urn:dk:sundhed:eHealth:role:clinical_viewer

Mandatory

Optional

/roles/usersystemrole/clinical_supporter/1

urn:dk:sundhed:eHealth:role:clinical_supporter

Mandatory

Optional

/roles/usersystemrole/monitoring_assistor/1

urn:dk:sundhed:eHealth:role:monitoring_assistor

Mandatory

Optional

Optional

/roles/usersystemrole/monitoring_adjuster/1

urn:dk:sundhed:eHealth:role:monitoring_adjuster

Mandatory

Optional

Optional

/roles/usersystemrole/report_user/1

urn:dk:sundhed:ehealth:role:report_user

Mandatory

Optional

Optional

/roles/usersystemrole/clinical_administrator/1

urn:dk:sundhed:eHealth:role:clinical_administrator

Mandatory

Optional

/roles/usersystemrole/service_and_logistics/1

urn:dk:sundhed:eHealth:role:service_and_logistics

Optional

Optional

/roles/usersystemrole/questionnaire_editor/1

urn:dk:sundhed:eHealth:role:questionnaire_editor

Mandatory

Optional

/roles/usersystemrole/incident_manager/1

urn:dk:sundhed:eHealth:role:incident_manager

Optional

Optional

/roles/usersystemrole/terminology_administrator/1

urn:dk:sundhed:eHealth:role:terminology_administrator

/roles/usersystemrole/ssl_catalogue_responsible/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible

Optional

Optional

/roles/usersystemrole/ssl_catalogue_annotator/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator

Optional

Optional

/roles/usersystemrole/ssl_contract_responsible/1

urn:dk:sundhed:eHealth:role:ssl_contract_responsible

Optional

Optional

eHealth Infrastructure User system roles for T-SEB (consolidated)

...

Note

When the SEB is used as a user-facing system, names may not contain underscores and may be prepended with “eHealth” or “FUT”.

KOMBIT user system roles for the eHealth Infrastructure

Note

Likely to be changed.

To remove

Remove underscores and prepend with “ehealth” or “fut”.

eHealth Infrastructure OIO BPP system roles

Data constraints

Organisation

http://sts.kombit.dk/constraints/orgenhed/1

Careteam

/roles/usersystemrole/order_placer/1

urn:dk:sundhed:ehealth:role:order_placer

Mandatory

Mandatory

/roles/usersystemrole/citizen_enroller/1

urn:dk:sundhed:ehealth:role:citizen_enroller

Mandatory

Mandatory

/roles/usersystemrole/careteam_administrator/1

urn:dk:sundhed:ehealth:role:careteam_administrator

Mandatory

Optional

/roles/usersystemrole/incident_reporter/1

urn:dk:sundhed:eHealth:role:incident_reporter

Mandatory

Optional

/roles/usersystemrole/clinical_viewer/1

urn:dk:sundhed:eHealth:role:clinical_viewer

Mandatory

Mandatory

/roles/usersystemrole/clinical_supporter/1

urn:dk:sundhed:eHealth:role:clinical_supporter

Mandatory

Optional

/roles/usersystemrole/monitoring_assistor/1

urn:dk:sundhed:eHealth:role:monitoring_assistor

Mandatory

Mandatory

/roles/usersystemrole/monitoring_adjuster/1

urn:dk:sundhed:eHealth:role:monitoring_adjuster

Mandatory

Mandatory

/roles/usersystemrole/report_user/1

urn:dk:sundhed:ehealth:role:report_user

Mandatory

Optional

/roles/usersystemrole/clinical_administrator/1

urn:dk:sundhed:eHealth:role:clinical_administrator

Mandatory

Optional

/roles/usersystemrole/service_and_logistics/1

urn:dk:sundhed:eHealth:role:service_and_logistics

Mandatory

Optional

/roles/usersystemrole/questionnaire_editor/1

urn:dk:sundhed:eHealth:role:questionnaire_editor

Mandatory

Optional

/roles/usersystemrole/incident_manager/1

urn:dk:sundhed:eHealth:role:incident_manager

Mandatory

Optional

/roles/usersystemrole/terminology_administrator/1

urn:dk:sundhed:eHealth:role:terminology_administrator

Mandatory

Optional

/roles/usersystemrole/ssl_catalogue_responsible/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_responsible

Mandatory

Optional

/roles/usersystemrole/ssl_catalogue_annotator/1

urn:dk:sundhed:eHealth:role:ssl_catalogue_annotator

Mandatory

Optional

/roles/usersystemrole/ssl_contract_responsible/1

urn:dk:sundhed:eHealth:role:ssl_contract_responsible

Mandatory

Optional

Note

If the OIO BPP system roles listed above deviate from the list in https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/291176482/Tokens+Roles+and+RBAC+ABAC#Privilege-Roles, the above list needs to be updated.

In addition, such a change needs to be implemented in the mapping (https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2172125189/SAML+Proxy#Mapning-af-privilegier-og-constraints) performed by the SAML Proxy.

...