...
...
...
...
...
...
...
...
...
Child pages (Children Display) | ||||
---|---|---|---|---|
|
Description
Service to manage time-limited access to users resources.
All the approvals are stored centralized. Unfortunately we cannot use JWT because of the patient use cases.
Approvals are used by ABAC service as a data source to make decisions based on rules
Approvals are persistently stored in the medical events MongoDB.
There should be no MPI_id in DB, only mpi-hash.
Use cases
As a Secondary care doctor I want to be able to get access to some specific patient resources So that I can provide the healthcare services for any patient that has asked me to help.
As a Secondary care doctor I want to be able to get access to the patient resources that has been included in the Service Request So that I can provide the healthcare services and process service request
TBD: As a Patient I want to provide access to my medical data resources for the specific eHealth user So that I can get the healthcare consultation from whoever I want.
As a Patient I want to authorize all the grant access to my profile actions using the authorization methods that I have chosen in the declaration So that I can be sure that my medical data is protected.
TBD: As a Patient I want to see all the granted approvals So that I can understand who can access my medical data
TBD: As a Patient I want to be able to deactivate any of the approval that has been granted by me So that I can manage access to my medical data.
TBD: As a Patient I want to provide access to my medical data resources for the specific Medical Service Provider So that I can get the healthcare consultation from whoever I want.
TBD: As a Patient I want to restrict access to some sensitive episodes So that some sensitive data will not be accessible by anyone even if it is allowed by the ABAC or approvals.
Description
Create approval options
TBD: Resource owner - can be created directly only for my resources using token with the 'approval:create' scope. This scope can be received only by PIS.
Not a resource owner - two-step process. Can be initiated by any user with the scope 'approval_request:create'
TBD: System process - two-step process.
User can directly send list of resources or pass referral.
Data model
Approvals
Object name: approvals
Name | Type | M/O | Description and constraints |
---|---|---|---|
id | string | m | id of approval |
patient_id | string | m | mpi_id hash |
granted_resources | Reference | m | list of resources that are allowed by approval |
granted_to | Reference | m | type and identifier of entity to whom access has been granted (employee or legal_entity) |
expires_at | timestamp | m | expiration date-time timestamp |
granted_by | Reference | m | type and identifier of entity who has granted access. It can be MPI_id, duarantee or MOZ/NSZU in future. |
reason | Reference | o | type and identifier of entity based on which approval has been created |
|
|
|
|
access_level | string | m | only `read` is supported |
urgent | Object | m | authentication_type and phone number |
inserted_at | datetime | m | |
inserted_by | guid | m | |
updated_at | datetime | m | |
updated_by | guid | m | |
is_verified | bool | m | identifies if Verify approval was called for record |
created_by | Reference | m | type and identifier of entity who has created approval. Reference on prm.employees.id |
Data example:
approval
Code Block | ||
---|---|---|
| ||
{ "data_id" : {UUID("fc15b8a3-d7cb-41f7-8cbc-7317e9ad515f"), "idaccess_level" : "d5a5d991-0bf7-476f-b3cf-bec73f044b2eread", "patientexpires_idat" : ISODate("d5a5d9912019-0bf7-476f-b3cf-bec73f044b2e"12-27T12:54:27.000Z"), "granted_resourcesby" : { [ {"display_value" : null, "identifier" : { "type" : { "coding" : [ { "system" "code" : "eHealth/resourcesmpi-hash", "codesystem" : "episode_of_care"eHealth/resources" } ], "text" : null }, "value" : "d5a5d991-0bf7-476f-b3cf-bec73f044b2eE7F9B8B5D5F1779A83CE29DC2E2A3F0BA525A31C75E645092AAD3A67B8B56291" } }, } "granted_resources" : [ { ], "granteddisplay_tovalue" : { null, "identifier" : { "type" : { "coding" : [ { "systemcode" : "eHealth/resources",episode_of_care", "codesystem" : "employee"eHealth/resources" } ], "text" : null }, "value" : UUID("9183a36b17f31552-4d45f4f1-42444bf1-9339bd49-63d81cd08d9c5da282e517bf") } } ], "expiresgranted_atto" : 1498749591, { "granteddisplay_byvalue" : null, { "identifier" : { "type" : { "coding" : [ { "system" "code" : "eHealth/resourcesemployee", "codesystem" : "mpi-hash"eHealth/resources" } ], "text" : null }, "value" : "9183a5432532tcecsdfgvery6w43ctrtc342"UUID("7583111f-7c90-4cb0-9941-b5414bb71ca0") } }, "inserted_at" : ISODate("2019-12-26T12:54:27.379Z"), "inserted_by" : UUID("20349bbf-726c-4d13-9f6a-b8a1bcdfd2b5"), "patient_id" : "E7F9B8B5D5F1779A83CE29DC2E2A3F0BA525A31C75E645092AAD3A67B8B56291", "reason" : { "display_value" : null, "identifier" : { "type" : { "coding" : [ { { "system": "eHealth/resources", "code" : "employeeservice_request", } ] "system" : "eHealth/resources" }, "value": "9183a36b-4d45-4244-9339-63d81cd08d9c" } } }, "status": "new", "access_level": "read",], "urgent": { "authentication_method_currenttext" : {null "type": "OTP"}, "numbervalue" : "+38093*****85"UUID("d8cf4081-eaf4-4039-8248-a00a0d44481f") } }, "insertedis_verified" : "true", "updated_at" : ISODate("20182019-0812-02T1026T12:4555:1611.000Z944Z"), "insertedupdated_by" : UUID("d5a5d99120349bbf-0bf7726c-476f4d13-b3cf9f6a-bec73f044b2eb8a1bcdfd2b5"), "urgent" : { "updatedphone_atnumber" : "2018-08-02T10:45:16.000Z+38095*****95", "updated_by" "type" : "d5a5d991-0bf7-476f-b3cf-bec73f044b2e"OTP" } } |