WIP
Description
- Service to manage time-limited access to users' resources.
- All approvals are stored centrally. Unfortunately, we cannot use JWT because of the patient use cases.
- Approvals are used by the ABAC service as a data source to make decisions based on rules.
- Approvals are persistently stored in the medical events MongoDB.
- There should be no MPI_id in DB, only mpi-hash.
Use cases
- As a Secondary care doctor, I want to be able to get access to some specific patient resources, so that I can provide healthcare services for any patient who has asked me to help.
- As a Secondary care doctor, I want to be able to get access to the patient resources that have been included in the Service Request, so that I can provide healthcare services and process the service request.
- TBD: As a Patient, I want to provide access to my medical data resources to a specific eHealth user, so that I can get a healthcare consultation from whoever I want.
- As a Patient, I want to authorize every action that grants access to my profile using the authorization methods that I have chosen in the declaration, so that I can be sure that my medical data is protected.
- TBD: As a Patient, I want to see all the granted approvals, so that I can understand who can access my medical data.
- TBD: As a Patient, I want to be able to deactivate any of the approvals that have been granted by me, so that I can manage access to my medical data.
- TBD: As a Patient, I want to provide access to my medical data resources to a specific Medical Service Provider, so that I can get a healthcare consultation from whoever I want.
- TBD: As a Patient, I want to restrict access to some sensitive episodes, so that some sensitive data will not be accessible by anyone even if it is allowed by the ABAC or approvals.
Description
- Create approval options
- TBD: Resource owner - an approval can be created directly, only for my own resources, using a token with the 'approval:create' scope. This scope can be received only by PIS.
- Not a resource owner - two-step process. Can be initiated by any user with the scope 'approval_request:create'.
- TBD: System process - two-step process.
- The user can directly send a list of resources or pass a referral.
Data model
Approvals
Object name: approvals
Name | Type | M/O | Description and constraints |
---|---|---|---|
id | string | m | id of approval |
patient_id | string | m | mpi_id hash |
granted_resources | Reference | m | list of resources that are allowed by approval |
granted_to | Reference | m | type and identifier of entity to whom access has been granted (employee or legal_entity) |
expires_at | timestamp | m | expiration date-time timestamp |
granted_by | Reference | m | type and identifier of entity who has granted access. It can be MPI_id, guarantee or MOZ/NSZU in future. |
reason | Reference | o | type and identifier of entity based on which approval has been created |
status | string | m | new, active |
access_level | string | m | only `read` is supported |
urgent | Object | m | authentication_type and phone number |
inserted_at | datetime | m | |
inserted_by | guid | m | |
updated_at | datetime | m | |
updated_by | guid | m | |
Data example:
approval
```json
{
  "data": {
    "id": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e",
    "patient_id": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e",
    "granted_resources": [
      {
        "identifier": {
          "type": {
            "coding": [
              { "system": "eHealth/resources", "code": "episode_of_care" }
            ]
          },
          "value": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e"
        }
      }
    ],
    "granted_to": {
      "identifier": {
        "type": {
          "coding": [
            { "system": "eHealth/resources", "code": "employee" }
          ]
        },
        "value": "9183a36b-4d45-4244-9339-63d81cd08d9c"
      }
    },
    "expires_at": 1498749591,
    "granted_by": {
      "identifier": {
        "type": {
          "coding": [
            { "system": "eHealth/resources", "code": "mpi-hash" }
          ]
        },
        "value": "9183a5432532tcecsdfgvery6w43ctrtc342"
      }
    },
    "reason": {
      "identifier": {
        "type": {
          "coding": [
            { "system": "eHealth/resources", "code": "employee" }
          ]
        },
        "value": "9183a36b-4d45-4244-9339-63d81cd08d9c"
      }
    },
    "status": "new",
    "access_level": "read",
    "urgent": {
      "authentication_method_current": {
        "type": "OTP",
        "number": "+38093*****85"
      }
    },
    "inserted_at": "2018-08-02T10:45:16.000Z",
    "inserted_by": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e",
    "updated_at": "2018-08-02T10:45:16.000Z",
    "updated_by": "d5a5d991-0bf7-476f-b3cf-bec73f044b2e"
  }
}
```
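An added example, not part of the original specification or the project's code: a default-deny check that a rules engine such as the ABAC service could run against one approval document of the shape above. It assumes that only status `active` grants access (`new` is treated as not yet authorized) and that `expires_at` is Unix time in seconds; the function and helper names are hypothetical.

```python
# Added illustration, not the project's code. Assumptions: only status
# "active" grants access, and expires_at is Unix time in seconds.
import time

def ref_key(ref):
    """Return (code, value) from a Reference object, or None if malformed."""
    try:
        ident = ref["identifier"]
        return ident["type"]["coding"][0]["code"], ident["value"]
    except (KeyError, IndexError, TypeError):
        return None

def approval_allows(approval, requester, resource, action="read", now=None):
    """Decide whether one approval permits the request (default deny)."""
    now = time.time() if now is None else now
    if approval.get("status") != "active":
        return False, "approval is not active"
    expires_at = approval.get("expires_at")
    if not isinstance(expires_at, (int, float)) or expires_at <= now:
        return False, "approval has expired"
    if action != "read" or approval.get("access_level") != "read":
        return False, "only read access is supported"
    granted_to = ref_key(approval.get("granted_to"))
    if granted_to is None or granted_to != requester:
        return False, "approval was granted to a different entity"
    granted = {ref_key(r) for r in approval.get("granted_resources") or []}
    granted.discard(None)  # malformed references never match
    if resource not in granted:
        return False, "resource is not covered by the approval"
    return True, "allowed"

def make_ref(code, value):
    """Build a Reference object in the page's format (constructed data)."""
    return {"identifier": {"type": {"coding": [
        {"system": "eHealth/resources", "code": code}]}, "value": value}}

# Constructed sample, shaped like the data example above.
EPISODE = ("episode_of_care", "d5a5d991-0bf7-476f-b3cf-bec73f044b2e")
DOCTOR = ("employee", "9183a36b-4d45-4244-9339-63d81cd08d9c")
SAMPLE = {
    "status": "active",
    "access_level": "read",
    "expires_at": 1498749591,
    "granted_to": make_ref(*DOCTOR),
    "granted_resources": [make_ref(*EPISODE)],
}

if __name__ == "__main__":
    print(approval_allows(SAMPLE, DOCTOR, EPISODE, now=1498749000))
    print(approval_allows(SAMPLE, DOCTOR, EPISODE, now=1498749600))
```

Each deny branch returns its reason, which makes the decision auditable when the approval is the only thing standing between a requester and a patient's record.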