...
- Citizens are able to see almost all data in which they are referenced (see RBAC and ABAC rules). Citizens are able to create and manipulate data in the eHealth Infrastructure according to the same set of RBAC and ABAC rules.
- Clinical users are able to access and manipulate data according to their affiliation with a given careteam and their role in that careteam. The same goes for organizational data (see RBAC and ABAC rules).
The rules that apply are determined by the SAML Assertion when logging in. The SAML attributes are described below.
...
Since the OIO BPP states what privileges are available to the user, it is up to the IdP to construct the correct OIO BPPs. Valid privileges, and what they map to, are listed in the RBAC and ABAC rules.
Enhanced example:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_responsible</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:clinical_content_definer</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>
```
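Added example (not code from this page or from the eHealth infrastructure): a small stdlib Python parser for a PrivilegeList like the one above, returning the roles valid for a SOR unit either at organisation level or inside one careteam; it assumes the element names and constraint URNs exactly as shown. It makes the grouping explicit: `monitoring_responsible` is only granted inside the careteam its group names, while `clinical_content_definer` is granted for the SOR unit with no careteam at all.

```python
# Added example (not from the page): parse an OIO BPP PrivilegeList with the stdlib.
import xml.etree.ElementTree as ET
SOR = "urn:dk:gov:saml:sorIdentifier"
CARETEAM = "urn:dk:sundhed:ehealth:careteam"
# Constructed sample mirroring the PrivilegeList shown above.
SAMPLE_BPP = """<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_responsible</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:clinical_content_definer</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>"""

def _local(tag):  # '{ns}Name' -> 'Name'; PrivilegeList is namespaced, its children are not
    return tag.rsplit("}", 1)[-1]

def parse_bpp(xml_text):
    """Return [{'scope': str, 'constraints': {name: value}, 'privileges': [urn, ...]}, ...]."""
    root = ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)
    if _local(root.tag) != "PrivilegeList":
        raise ValueError("not an OIO BPP PrivilegeList")
    groups = []
    for g in root:
        if _local(g.tag) != "PrivilegeGroup":
            continue
        group = {"scope": g.get("Scope", ""), "constraints": {}, "privileges": []}
        for child in g:
            text = (child.text or "").strip()
            if _local(child.tag) == "Constraint":
                group["constraints"][child.get("Name", "")] = text
            elif _local(child.tag) == "Privilege":
                group["privileges"].append(text)
        groups.append(group)
    return groups

def granted_roles(groups, sor_id, careteam_id=None):
    """Roles for sor_id in exactly this careteam context (None = organisation level).
    A role is bound to its own group's constraints, so a careteam-bound role is not
    granted at organisation level and vice versa."""
    roles = set()
    for g in groups:
        c = g["constraints"]
        if c.get(SOR) == sor_id and c.get(CARETEAM) == careteam_id:
            roles.update(g["privileges"])
    return sorted(roles)
```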
Clinical client systems are spared the complexity of user registration and of resuming sessions with a PIN code or biometric data; such session resumption should not be supported for clinical users.
...