...
...
...
...
...
...
...
...
...
...
...
Excerpt |
---|
Access to eHealth services and eHealth data in the eHealth Infrastructure are |
...
controlled by authentication and authorization based on tokens. |
...
The Token based security is described in Token Based Security. This page described how services in the eHealth Infrastructure rely on fields in the JWT access token to perform the access control. This access control comprises Role |
...
Based Access Control (RBAC) and Attribute Based Access Control (ABAC). |
Content on this page
Table of Contents |
---|
Role-Based Access Control
...
Access Token Field | Meaning | Example Value | |||||
---|---|---|---|---|---|---|---|
context | List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the eHealth infrastructure. |
| |||||
user_id | Id of the user. Can be either an FHIR patient Id, FHIR practitioner Id or a KeyCloak ID | "user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922" | |||||
user_type | Can be either SYSTEM, PATIENT, PRACTITIONER or SSL | "user_type": "PATIENT" |
Each resource type (see IG Profiles) has certain restrictions to what context is required to allow data retrieval or data manipulation.
...
ClinicalImpression.search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | optional but when
| optional must match searchparam: subject Only checked if EOC context is not present: | required: either searchparam: episodeOfCare or searchparam: careplan must be provided:
| |
Patient | optional but when present: must match searchparam: episodeOfCare | required when EpisodeOfCare Context is not present: must match searchparam: subject |
| |
System | - | - | - |
...
Task create/read/update | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional but when present: must match Task.episodeOfCare | optional, but when present: must match Task.episis odeOfCareepisodeOfCare.subject | CareTeam Context must match Task.responsible | User must have at least one corresponding restriction category privilege in Task.restriction-category. |
UserID must match Task.responsible, Task.owner or Task.requester | ||||
Patient | optional but when present: must match Task.episodeOfCare | required when EOC context is not present: must match Task.episodeOfCare.subject | UserID must match Task.responsible, Task.owner or Task.requester | |
System | - | - | - |
...
Task search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional but when present: must match searchparam episodeOfCare | optional must match searchparam ContextEpisodeOfCare.subject Only checked if EOC context is not present: | CareTeam Context must match searchparam responsible | Users must have all restriction category privileges corresponding to the list in searchparam restriction-category. |
UserID must match searchparam: Responsible, Owner or Requester | ||||
Patient | optional but when present: must match searchparam episodeOfCare | required when EpisodeOfCare Context is not present: must match searchparam theContextEpisodeOfCare.subject | UserID must match searchparam: Responsible, Owner or Requester | |
System | - | - | - |
Draft of FUTURE change as a consequence of CCR0219: Task create/read/update | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional but when present: must match Task.episodeOfCare | optional, but when present: must match Task.episodeOfCare.subject | CareTeam Context must match Task.responsible | User must have at least one corresponding restriction category privilege in Task.restriction-category. |
CareTeam Context must match one of Task.episodeOfCare.team (list) | ||||
UserID must match Task.responsible, Task.owner or Task.requester | (not checked when UserID match searchparam: Responsible, Owner or Requester) | |||
Patient | optional but when present: must match Task.episodeOfCare | required when EOC context is not present: must match Task.episodeOfCare.subject | UserID must match Task.responsible, Task.owner or Task.requester | - |
System | - | - | - | - |
Draft of FUTURE change as a consequence of CCR0219: Task search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional, but when present must match searchparam episodeOfCare | (Not checked as EOC context when present) | CareTeam Context must match searchparam responsible | Users must have all restriction category privileges corresponding to the list in searchparam restriction-category. |
CareTeam Context must match one of Task.episodeOfCare.team (list) | ||||
UserID must match searchparam: Responsible, Owner or Requester | (not checked when UserID match searchparam: Responsible, Owner or Requester) | |||
(not present) | Checked when EOC context is not present: | CareTeam Context must match searchparam responsible | Users must have all restriction category privileges corresponding to the list in searchparam restriction-category. | |
CareTeam Context must match one of Task.episodeOfCare.team (list) | ||||
UserID must match searchparam: Responsible, Owner or Requester | (not checked if when UserID match searchparam: Responsible, Owner or Requester) | |||
Patient | optional but when present: must match searchparam episodeOfCare | required when EpisodeOfCare Context is not present: must match searchparam EpisodeOfCare.subject | UserID must match searchparam: Responsible, Owner or Requester | - |
System | - | - | - | - |
When searching for tasks based on careteam, it is possible, but not necessary to specify restriction categories. If they are not specified as search criteria, then they will be inferred from the privileges in the security token.
...
realm_access.role | Patient Context | Episode of Care Context | CareTeam Context | Organization Context | Extra Rules / Comments |
---|---|---|---|---|---|
Patient.read | R* | R* | REGULAR SEARCH: To perform a regular Patient Search, the user MUST have the Patient Context. LIMITED SEARCH (Dashboard Search): It is also possible to perform a patient search witha CareTeam Context instead of a Patient Context. In that case, the patients are then retrieved from EpisodesOfCare and CarePlan objects that the CareTeam is involved in. NOTE: The patient resources that are returned from this search are limited and as such only the following information is returned:
*R - THE CONTEXTS ARE MUTUALLY EXCLUSIVE, AS SUCH IF BOTH CONTEXTS ARE PROVIDED IN THE TOKEN, ONLY THE PATIENT CONTEXT IS USED. | ||
Patient.write | R | 1: FHIR operations "create" and "update" are not available on the Patient resource. 2: Only certain attributes are allowed to be patched using HTTP PATCH | |||
Patient$updatePatientWithSKRSData | |||||
Patient$createPatient | |||||
Appointment.read | U | U | For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be read if
3: Searching
| ||
Appointment.write | U | U | For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be written if
| ||
Appointment$exportAsiCal | U | U | The same rules apply to reading appointments Note: Only PRACTITIONER/SSL users can see the names of Practitioner participants in the exported iCal object | ||
RelatedPerson.read | R | Only related persons to the patient in context can be read | |||
RelatedPerson.write | R | Only related persons to the patient in context can be written | |||
Communication.read | U | If the message has a restriction category X, the corresponding RestrictionCategory.X role must be present in the realm_access list. 1: PATIENT users can read
2: PRACTITIONER and SSL users can read
3: Only SYSTEM users can read communication from DEVICE senders | |||
Communication.write | U | 1: Communication must have exactly one sender and one recipient 2: Communication with the category "note" can only be created/patched/deleted if user = sender and (recipient = sender or recipient = a CareTeam). 3: PATIENT users
4: PRACTITIONER and SSL users
| |||
Person$match | Only requires the role “Person$match” Used to lookup person data by CPR, including name and a patient reference, if one exists. This is only a read operation and will not create any resources. The operations are audit logged. |
...