Setting the available context
In order to set the available context, the AS can be requested with a base64 encoded PrivilegeList xml document. This is enabled on a special test client with id "oio_mock".
Mocking context supports acces token requests using either refresh token or username/password.
Pararmeter name | Description | Since vesion |
---|---|---|
client_id | Required. The OAuth2 client id | |
grant_type | Required. Value ‘refresh_token’ or 'password' | |
refresh_token (grant_type = refresh_token ) | Required. The refresh token of the current session | |
username (grant_type = password) | Required. The username of a keycloak user. | |
password (grant_type = password) | Required. The password of the keycloak user. | |
oio_bpp (available context) | Optional. Base 64 encode PrivilegeList xml document | |
practitioner_upn (available context) | Optional. An unique identifier of a Practitioner. Maps to a FHIR Practitioner resource. | |
practitioner_name (available context) | Optianal. The name of the pratitioner. Sets the name of the FHIR Practitioner. | |
practitioner_email (available context) | Optional. The email of the practitioner. | |
practitioner_authcode | Optional. The authorization code of the practitioner, e. g. "FUT01" | 1.8.8 |
practitioner_cpr | Optional. The CPR of the practitioner. | 1.8.8 |
user_type | Optional. The user type. "SSL" or "PRACTITIONER" (default) | 1.7.8 |
care_team_id (context) | Optional. A valid absolute FHIR URI pointing to a Careteam resource. This adds implicit organization context given the organization constraint in the OIO BPP structure | |
organization_id (context) | Optional. A valid absolute FHIR URI pointing to an Organization resource | |
episode_of_care_id (context) | Optional. This adds implicit patient context. A valid absolute FHIR URI pointing to an Episode of Care resource | |
patient_id (context) | Optional. A valid absolute FHIR URI pointing to a Patient resource |
Examples of PrivilegeList:
<?xml version="1.0"?> <PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile"> <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897"> <Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint> <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint> <Privilege>urn:dk:healthcare:futTreatmentResponsible_0_3</Privilege> <Privilege>urn:dk:healthcare:futMonitoringResponsible_0_3</Privilege> </PrivilegeGroup> <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897"> ... </PrivilegeGroup> </PrivilegeList>
Contents of a PrivilegeList
A PrivilegeList must contain at least one PrivilegeGroup with Scope = "urn:dk:gov:saml:cvrNumberIdentifier:<some number>".
A PrivilegeGroup has the following elements:
- Exactly one Constraint specifying an organization identifier (see Organization Constraints)
- At most one Constraint specifying a care team identifier (see Care Team Constraints)
- At least one Privilege element
Organization Constraints
An organization constraint identifies an Organization resource by an external identifier and type.
There are three types of organizations:
- SOR organizations:
- Identified by Constraints with Name attribute = "urn:dk:gov:saml:sorIdentifier" and value = {sor-id}
- Refers to Fhir Organization with Identifier.system = "urn:oid:1.2.208.176.1.1" and Identifier.value = {sor-id}
- Example:
- Constraint:
<Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>
- Refers to Organization with:
"Identifier": [{"system": "urn:oid:1.2.208.176.1.1", "value": "950531000016003"}]
- Constraint:
- STS organizations
- Identified by Constraints with Name attribute = "urn:dk:kombit:orgUnit" and value = {sts-id}
- Refers to Fhir Organization with Identifier.system = "https://www.kombit.dk/sts/organisation" and Identifier.value = {sts-id}
- Example:
- Contraint:
<Constraint Name="urn:dk:kombit:orgUnit">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
- Refers to Organization with:
"Identifier": [{"system": "https://www.kombit.dk/sts/organisation", "value": "eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4"}]
- Contraint:
- SSL organizations
- Identified by Constraints with Name attribute = "urn:dk:sundhed:ehealth:sslOrg"
- Refers to Fhir Organization with Identifier.system = "http://ehealth.sundhed.dk/organization/ssl" and Identifier.value = {ssl-id}
- Example:
- Constraint:
<Constraint Name="urn:dk:sundhed:ehealth:sslOrg">aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
- Refers to Organization with:
"Identifier": [{"system": "http://ehealth.sundhed.dk/organization/ssl", "value": "aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4"}]
- Constraint:
Care Team Constraints
A care team constraint identifies a CareTeam resource by an external identifier.
Care team constraints always have Name attribute = "urn:dk:sundhed:ehealth:careteam".
A care team constraint with value = {careteam-id} refers to Fhir CareTeam with Identifier.system = "urn:ietf:rfc:3986" and Identifier.value = {careteam-id}
Example:
- Constraint:
<Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
- Refers to CareTeam with:
"Identifier": [{"system": "urn:ietf:rfc:3986", "value": "cccccccc-b760-11e9-a2a3-2a2ae2dbcce4"}]
Privileges:
Allowed privileges:
urn:dk:sundhed:ehealth:role:tele_medicine_actor
urn:dk:sundhed:ehealth:role:administrative_personnel
urn:dk:sundhed:ehealth:role:healthcare_professional
urn:dk:sundhed:ehealth:role:report_generator
urn:dk:sundhed:ehealth:role:questionnaire_editor
urn:dk:sundhed:ehealth:role:administrator
urn:dk:sundhed:ehealth:role:clinical_administrator
urn:dk:sundhed:ehealth:role:team_administrator
urn:dk:sundhed:ehealth:role:order_placer
urn:dk:sundhed:ehealth:role:service_and_logistics
urn:dk:sundhed:ehealth:role:incident_reporter
urn:dk:sundhed:ehealth:role:supporter
urn:dk:sundhed:ehealth:role:ssl_catalogue_annotator
urn:dk:sundhed:ehealth:role:ssl_catalogue_responsible
urn:dk:sundhed:ehealth:role:ssl_contract_responsible
urn:dk:sundhed:ehealth:role:treatment_responsible
urn:dk:sundhed:ehealth:role:monitoring_responsible