HEART / 2016-08-01

Attending

Debbie Bucci

Oliver Lawless

Justin Richer

Danny van Leeuwen

Jin Wen

Adrian Gropper

Scott Shorter

Dale Moberg

Cait Ryan

Eve Maler

Sarah Squire

Ken Salyards

Aaron Seib

Julie Maas

Jim Kragh

Edmund Jay

Hope Morgan

Discussion

Debbie: Does what you put in a resource set have to be in the RPT?

Justin: No, it can be any subset.

Adrian: Can scopes be hierarchical?

Justin: Scopes are flat strings.

Eve: Yes, but scope strings might be implemented in such a way as to have a hierarchical association, but that’s on a per-implementation basis.

Adrian: If a particular resource is part of the FHIR standard already, medication order, for instance, can I withhold medication order without having to list all the positive scopes?

Oliver: There’s Kathleen’s way, which is the security labeling.

Justin: Security labeling could easily function as a set of scopes alongside the resource-based scopes that we’ve already defined.

Oliver: But I’m concerned that the security labelling has legal implications.

Justin: At the level that we’re discussing it, it would just be an access management tag.

Oliver: I think we should do that whole thing without using security labels.

Justin: We don’t actually care how the data gets marked up and out the door.

Adrian: I’m looking for a paragraph that describes our intent relative to FHIR to the extent that FHIR has standardized resource hierarchies.

Oliver: These things are changing on an ongoing basis. Some of these decisions are tied to consent of the resource owner. So it can’t necessarily be decoupled.

Debbie: I’d like to focus on resource sets. A resource server could define resource sets for commonly asked for information. I think we could do this using the existing spec.

Justin: That’s the idea.

Sarah: That’s certainly possible.

Adrian: I just want to know if what we do will influence FHIR to make a change.

Ken: Trying to depend on a content structure like FHIR is going to create a huge maintenance load.

Justin: We’re not doing that.

Debbie: This is taken directly from SMART on FHIR, right?

Justin: Yes. The intent is that this would be generated based on an external list.

Debbie: If we can use UMA resource sets to combine FHIR resource types, we can get authorizations for Alice to approve.

Oliver: You’re making a massive assumption that you want to separate authorization from consent.

Sarah: But we’re talking about the patient handing out their own data.

Oliver: I don’t know if that’s possible.

Debbie: We’re just trying to come up with a way for us to express the results in an authorization token.

Ken: Can we generate scopes from consent? If so, we should look at it from a patient-process perspective. What’s the patient trying to do? Protect access to their information. We have a robust set of experience with generating consent in a standard format. You can derive information from that and apply it to whatever information sets you’re trying to manage.

Oliver: This isn’t just one universe, though. We’re dealing with multiple frameworks.

Eve: The style of our existing OAuth FHIR profile scopes incorporates the notion of choosing what content to see. It’s not just an action, it’s also divvying up content. We’re bundling up the object and the verb together.

Debbie: I think in many cases, an RS will need to manage OAuth and UMA, so if the scopes match, why would we use a common identifier?

Eve: If there’s a technical reason for them to be correlated, then great, but maybe they don’t.

Justin: The scopes that we have right now do classify the request along 3 different axes, and that’s actually explaining what’s trying to go across the wire.

Oliver: When you have patient/read or patient/write, what do you think you’re granting?

Justin: I thought that was self-explanatory.

Debbie: Could we create a resource set using Nancy’s list as a starting point? Are we doing claims gathering as well?

Justin: Yes, claims gathering would have to be associated with the scopes. Alice has to be able to say what Dr. Bob can do.

Debbie: How would a resource server tell an authorization server that it needs additional scopes?

Justin: It registers those along with the ticket.

Adrian: In order to make progress, can we have as an example the common clinical data set and doctors’ and nurses’ notes as defined by FHIR?

Debbie: I think Nancy had a good list.

Oliver: This data set doesn’t really map to FHIR resources.

Ken: Part of the problem is that when you’re trying to apply policy, there are a lot of overlaps between resources. The same information can be in multiple FHIR resources, so when you’re trying to do a simple policy, it may or may not be able to actually do that.

Debbie: Each resource has multiple scopes, so the resource set is an easy way to group multiple options together for Alice to respond to as far as what she would release.

Ken: I’m not sure that a FHIR resource can be properly mapped to an UMA resource.

Oliver: We’re definitely going to have to do some mapping and synchronization.

Justin: This is a good conversation. We should move the terminology conversation to the list and pick it up next week.
