Description

Service to manage time-limited access to users resources.
All the approvals are stored centralized. Unfortunately we cannot use JWT because of the patient use cases.
Approvals are used by ABAC service as a data source to make decisions based on rules
Approvals are persistently stored in the medical events MongoDB.
There should be no MPI_id in DB, only mpi-hash.

Use cases

As a Secondary care doctor I want to be able to get access to some specific patient resources So that I can provide the healthcare services for any patient that has asked me to help.
As a Secondary care doctor I want to be able to get access to the patient resources that has been included in the Service Request So that I can provide the healthcare services and process service request
TBD: As a Patient I want to provide access to my medical data resources for the specific eHealth user So that I can get the healthcare consultation from whoever I want.
As a Patient I want to authorize all the grant access to my profile actions using the authorization methods that I have chosen in the declaration So that I can be sure that my medical data is protected.
TBD: As a Patient I want to see all the granted approvals So that I can understand who can access my medical data
TBD: As a Patient I want to be able to deactivate any of the approval that has been granted by me So that I can manage access to my medical data.
TBD: As a Patient I want to provide access to my medical data resources for the specific Medical Service Provider So that I can get the healthcare consultation from whoever I want.
TBD: As a Patient I want to restrict access to some sensitive episodes So that some sensitive data will not be accessible by anyone even if it is allowed by the ABAC or approvals.

Description

Create approval options
1. TBD: Resource owner - can be created directly only for my resources using token with the 'approval:create' scope. This scope can be received only by PIS.
2. Not a resource owner - two-step process. Can be initiated by any user with the scope 'approval_request:create'
3. TBD: System process - two-step process.
User can directly send list of resources or pass referral.

Data model

Approvals

Object name: approvals

Name	Type	M/O	Description and constraints

Name	Type	M/O	Description and constraints
id	string	m	id of approval
patient_id	string	m	mpi_id hash
granted_resources	Reference	m	list of resources that are allowed by approval
granted_to	Reference	m	type and identifier of entity to whom access has been granted (employee or legal_entity)
expires_at	timestamp	m	expiration date-time timestamp
granted_by	Reference	m	type and identifier of entity who has granted access. It can be MPI_id, duarantee or MOZ/NSZU in future.
reason	Reference	o	type and identifier of entity based on which approval has been created
status	string	m	new, active
access_level	string	m	only `read` is supported
urgent	Object	m	authentication_type and phone number
inserted_at	datetime	m
inserted_by	guid	m
updated_at	datetime	m
updated_by	guid	m
is_verified	bool	m	identifies if Verify approval was called for record
created_by	Reference	m	type and identifier of entity who has created approval. Reference on prm.employees.id

Data example:

approval

{
    "_id" : UUID("fc15b8a3-d7cb-41f7-8cbc-7317e9ad515f"),
    "access_level" : "read",
    "expires_at" : ISODate("2019-12-27T12:54:27.000Z"),
    "granted_by" : {
        "display_value" : null,
        "identifier" : {
            "type" : {
                "coding" : [ 
                    {
                        "code" : "mpi-hash",
                        "system" : "eHealth/resources"
                    }
                ],
                "text" : null
            },
            "value" : "E7F9B8B5D5F1779A83CE29DC2E2A3F0BA525A31C75E645092AAD3A67B8B56291"
        }
    },
    "granted_resources" : [ 
        {
            "display_value" : null,
            "identifier" : {
                "type" : {
                    "coding" : [ 
                        {
                            "code" : "episode_of_care",
                            "system" : "eHealth/resources"
                        }
                    ],
                    "text" : null
                },
                "value" : UUID("17f31552-f4f1-4bf1-bd49-5da282e517bf")
            }
        }
    ],
    "granted_to" : {
        "display_value" : null,
        "identifier" : {
            "type" : {
                "coding" : [ 
                    {
                        "code" : "employee",
                        "system" : "eHealth/resources"
                    }
                ],
                "text" : null
            },
            "value" : UUID("7583111f-7c90-4cb0-9941-b5414bb71ca0")
        }
    },
    "inserted_at" : ISODate("2019-12-26T12:54:27.379Z"),
    "inserted_by" : UUID("20349bbf-726c-4d13-9f6a-b8a1bcdfd2b5"),
    "patient_id" : "E7F9B8B5D5F1779A83CE29DC2E2A3F0BA525A31C75E645092AAD3A67B8B56291",
    "reason" : {
        "display_value" : null,
        "identifier" : {
            "type" : {
                "coding" : [ 
                    {
                        "code" : "service_request",
                        "system" : "eHealth/resources"
                    }
                ],
                "text" : null
            },
            "value" : UUID("d8cf4081-eaf4-4039-8248-a00a0d44481f")
        }
    },
    "is_verified" : "true",
    "updated_at" : ISODate("2019-12-26T12:55:11.944Z"),
    "updated_by" : UUID("20349bbf-726c-4d13-9f6a-b8a1bcdfd2b5"),
    "urgent" : {
        "phone_number" : "+38095*****95",
        "type" : "OTP"
    }
}