The eHealth infrastructure uses OIO Basic Privilege Profile 1.2 to express user privileges as attributes in SAML Assertions.
The infrastructure also supports version 1.1, the only difference being the xml-namespace of the schema:
Version | Namespace |
|---|---|
1.1 |
|
1.2 |
|
Examples of PrivilegeList:
<?xml version="1.0"?> <PrivilegeList xmlns="http://itst.dk/oiosaml/basic_privilege_profile"> <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897"> <Constraint Name="urn:dk:gov:saml:sorIdentifier">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint> <Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint> <Privilege>urn:dk:sundhed:ehealth:role:monitoring_assistor</Privilege> <Privilege>urn:dk:sundhed:ehealth:role:citizen_enroller</Privilege> </PrivilegeGroup> <PrivilegeGroup Scope="urn:dk:gov:saml:cvrNumberIdentifier:20921897"> ... </PrivilegeGroup> </PrivilegeList> |
Contents of a PrivilegeList
Municipalities MUST follow the guidelines located here: OIO-BPP URI naming precautions for municipalities
A PrivilegeList must contain at least one PrivilegeGroup with Scope = "urn:dk:gov:saml:cvrNumberIdentifier:<some number>".
A PrivilegeGroup has the following elements:
Exactly one Constraint specifying an organization identifier (see Organization Constraints)
At most one Constraint specifying a care team identifier (see Care Team Constraints)
At least one Privilege element
Organization Constraints
An organization constraint identifies an Organization resource by an external identifier and type.
There are three types of organizations:
SOR organizations:
Identified by Constraints with Name attribute = "urn:dk:gov:saml:sorIdentifier" and value = {sor-id}
Refers to Fhir Organization with Identifier.system = "urn:oid:1.2.208.176.1.1" and Identifier.value = {sor-id}
Example:
Constraint:
<Constraint Name="urn:dk:gov:saml:sorIdentifier">950531000016003</Constraint>
Refers to Organization with:
"Identifier": [{"system": "urn:oid:1.2.208.176.1.1", "value": "950531000016003"}]
STS organizations
Identified by Constraints with Name attribute = "urn:dk:kombit:orgUnit" and value = {sts-id}
Refers to Fhir Organization with Identifier.system = "https://www.kombit.dk/sts/organisation" and Identifier.value = {sts-id}
Example:
Contraint:
<Constraint Name="urn:dk:kombit:orgUnit">eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
Refers to Organization with:
"Identifier": [{"system": "https://www.kombit.dk/sts/organisation", "value": "eeeeeeee-b760-11e9-a2a3-2a2ae2dbcce4"}]
SSL organizations
Identified by Constraints with Name attribute = "urn:dk:sundhed:ehealth:sslOrg"
Refers to Fhir Organization with Identifier.system = "http://ehealth.sundhed.dk/organization/ssl" and Identifier.value = {ssl-id}
Example:
Constraint:
<Constraint Name="urn:dk:sundhed:ehealth:sslOrg">aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
Refers to Organization with:
"Identifier": [{"system": "http://ehealth.sundhed.dk/organization/ssl", "value": "aaaaaaaa-b760-11e9-a2a3-2a2ae2dbcce4"}]
Care Team Constraints
A care team constraint identifies a CareTeam resource by an external identifier.
Care team constraints always have Name attribute = "urn:dk:sundhed:ehealth:careteam".
A care team constraint with value = {careteam-id} refers to Fhir CareTeam with Identifier.system = "urn:ietf:rfc:3986" and Identifier.value = {careteam-id}
Example:
Constraint:
<Constraint Name="urn:dk:sundhed:ehealth:careteam">cccccccc-b760-11e9-a2a3-2a2ae2dbcce4</Constraint>
Refers to CareTeam with:
"Identifier": [{"system": "urn:ietf:rfc:3986", "value": "urn:uuid:cccccccc-b760-11e9-a2a3-2a2ae2dbcce4"}]
Privileges:
Allowed privileges: