Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

Table of Contents

Description

  1. Service to manage time-limited access to users resources.

  2. All the approvals are stored centralized. Unfortunately we cannot use JWT because of the patient use cases.

  3. Approvals are used by ABAC service as a data source to make decisions based on rules

  4. Approvals are persistently stored in the medical events MongoDB.

  5. There should be no MPI_id in DB, only mpi-hash.

Use cases

  1. As a Secondary care doctor I want to be able to get access to some specific patient resources So that I can provide the healthcare services for any patient that has asked me to help.

  2. As a Secondary care doctor I want to be able to get access to the patient resources that has been included in the Service Request So that I can provide the healthcare services and process service request

  3. TBD: As a Patient I want to provide access to my medical data resources for the specific eHealth user So that I can get the healthcare consultation from whoever I want.

  4. As a Patient I want to authorize all the grant access to my profile actions using the authorization methods that I have chosen in the declaration So that I can be sure that my medical data is protected.

  5. TBD: As a Patient I want to see all the granted approvals So that I can understand who can access my medical data

  6. TBD: As a Patient I want to be able to deactivate any of the approval that has been granted by me So that I can manage access to my medical data.

  7. TBD: As a Patient I want to provide access to my medical data resources for the specific Medical Service Provider So that I can get the healthcare consultation from whoever I want.

  8. TBD: As a Patient I want to restrict access to some sensitive episodes So that some sensitive data will not be accessible by anyone even if it is allowed by the ABAC or approvals.

Description

  1. Create approval options

    1. TBD: Resource owner - can be created directly only for my resources using token with the 'approval:create' scope. This scope can be received only by PIS.

    2. Not a resource owner - two-step process. Can be initiated by any user with the scope 'approval_request:create'

    3. TBD: System process - two-step process.

  2. User can directly send list of resources or pass referral.

Data model

Approvals

Object name: approvals

Name

Type

M/O

Description and constraints

id

string

m

id of approval

patient_id

string

m

mpi_id hash

granted_resources

Reference

m

list of resources that are allowed by approval

granted_to

Reference

m

type and identifier of entity to whom access has been granted (employee or legal_entity)

expires_at

timestamp

m

expiration date-time timestamp

granted_by

Reference

m

type and identifier of entity who has granted access. It can be MPI_id, duarantee or MOZ/NSZU in future.

reason

Reference

o

type and identifier of entity based on which approval has been created

status

string

m

new, active

access_level

string

m

only `read` is supported

urgent

Object

m

authentication_type and phone number

inserted_at

datetime

m


inserted_by

guid

m


updated_at

datetime

m


updated_by

guid

m


Data example:

approval
Code Block
languagejstitleapproval
{
  "data": {
    "id": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e",
    "patient_id": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e",
    "granted_resources": [
      {
        "identifier": {
          "type": {
            "coding": [
              {
                "system": "eHealth/resources",
                "code": "episode_of_care"
              }
            ]
          },
          "value": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e"
        }
      }
    ],
    "granted_to": {
      "identifier": {
        "type": {
          "coding": [
            {
              "system": "eHealth/resources",
              "code": "employee"
            }
          ]
        },
        "value": "9183a36b-4d45-4244-9339-63d81cd08d9c"
      }
    },
    "expires_at": 1498749591,
    "granted_by": {
      "identifier": {
        "type": {
          "coding": [
            {
              "system": "eHealth/resources",
              "code": "mpi-hash"
            }
          ]
        },
        "value": "9183a5432532tcecsdfgvery6w43ctrtc342"
      }
    },
    "reason": {
      "identifier": {
        "type": {
          "coding": [
            {
              "system": "eHealth/resources",
              "code": "employee"
            }
          ]
        },
        "value": "9183a36b-4d45-4244-9339-63d81cd08d9c"
      }
    },
    "status": "new",
    "access_level": "read",
    "urgent": {
        "authentication_method_current": {
            "type": "OTP",
            "number": "+38093*****85"
        }
    },
    "inserted_at": "2018-08-02T10:45:16.000Z",
    "inserted_by": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e",
    "updated_at": "2018-08-02T10:45:16.000Z",
    "updated_by": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e"
  }
}

...