Versions Compared

...

  • Citizens are able to see almost all data in which they are referenced (see Tokens, roles and RBAC and /ABAC). Citizens are able to create and manipulate data in the eHealth Infrastructure according to the same set of RBAC and ABAC rules.
  • Clinical users are able to access and manipulate data according to their affiliation with a given careteam and their role in that careteam. The same goes for organizational data (see Tokens, roles and RBAC and /ABAC).

The rules that apply are determined by the SAML Assertion when logging in. The SAML attributes are described below.

...

Since the OIO BPP states what privileges are available to the user, it is up to the IdP to construct the correct OIO BPPs. Valid privileges and what they map to can be seen at Tokens, roles and RBAC and /ABAC.

Enhanced example (Enhanced OIO BPP, XML):

<?xml version="1.0" encoding="UTF-8"?>
<bpp:PrivilegeList
    xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
        <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:monitoring_responsible</Privilege>
        <Privilege>urn:dk:sundhed:ehealth:role:treatment_responsible</Privilege>
    </PrivilegeGroup>
    <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
        <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
        <Privilege>urn:dk:sundhed:ehealth:role:clinical_content_definer</Privilege>
    </PrivilegeGroup>
</bpp:PrivilegeList>

Had the assertion instead looked like the example above, the user Lasse Dam would have been issued a narrower JWT: nothing would have been set into context, because the AS would be unable to choose whether the user should be in the context of the careteam with the roles "monitoring responsible" and "treatment responsible", or in the context of the organization with the role "clinical content definer".
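As an added illustration of the context-selection problem described above (example code written for this page, not the eHealth Infrastructure's or the AS's own implementation), the following parses an OIO BPP PrivilegeList and models the assumed AS rule that a context is only set when the BPP leaves exactly one PrivilegeGroup to choose from; the sample BPP is the two-group example from this page with the spelling of treatment_responsible normalised.

```python
import xml.etree.ElementTree as ET

BPP_NS = "{http://itst.dk/oiosaml/basic_privilege_profile}"
SOR = "urn:dk:gov:saml:sorIdentifier"
CARETEAM = "urn:dk:sundhed:ehealth:careteam"


def parse_bpp(xml_text):
    """Return one dict {"scope", "constraints", "privileges"} per PrivilegeGroup.
    Untrusted XML should go through defusedxml in real code; the stdlib
    parser is used so this example runs without extra dependencies."""
    root = ET.fromstring(xml_text)
    if root.tag != BPP_NS + "PrivilegeList":
        raise ValueError("not an OIO BPP PrivilegeList: %s" % root.tag)
    groups = []
    for g in root.findall("PrivilegeGroup"):  # children carry no namespace
        groups.append({
            "scope": g.get("Scope", ""),
            "constraints": {c.get("Name"): (c.text or "").strip()
                            for c in g.findall("Constraint")},
            "privileges": [(p.text or "").strip() for p in g.findall("Privilege")],
        })
    return groups


def choose_context(groups):
    """Assumed AS rule (modelled from the text, not the real AS): a context is
    set only when exactly one PrivilegeGroup is present. With several groups
    the AS cannot decide between careteam and organization context, so no
    context and no roles go into the JWT, i.e. the narrower JWT."""
    if len(groups) != 1:
        return None
    g = groups[0]
    return {
        "context": "careteam" if CARETEAM in g["constraints"] else "organization",
        "scope": g["scope"],
        "sor": g["constraints"].get(SOR),
        "careteam": g["constraints"].get(CARETEAM),
        "roles": list(g["privileges"]),
    }


# The two-group BPP from this page (ambiguous: careteam vs organization context).
ENHANCED_BPP = """<bpp:PrivilegeList xmlns:bpp="http://itst.dk/oiosaml/basic_privilege_profile">
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Constraint Name="urn:dk:sundhed:ehealth:careteam">95c7aef7-ec7f-487b-9687-6e6624d25fdb</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:monitoring_responsible</Privilege>
    <Privilege>urn:dk:sundhed:ehealth:role:treatment_responsible</Privilege>
  </PrivilegeGroup>
  <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:29190925">
    <Constraint Name="urn:dk:gov:saml:sorIdentifier">440711000016004</Constraint>
    <Privilege>urn:dk:sundhed:ehealth:role:clinical_content_definer</Privilege>
  </PrivilegeGroup>
</bpp:PrivilegeList>"""
```

Feeding only the first or only the second group to choose_context shows what the IdP must do to get a usable token: issue a BPP with a single, unambiguous PrivilegeGroup.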

...