Stream: implementers
Topic: Binary.securityContext
John Moehrke (Dec 13 2016 at 21:24):
What is this new securityContext element now in Binary? It says it is a reference to Any. The definition seems to indicate that an Access Control decision point should treat this Binary resource in the same way it would treat this other resource. How might that be used? This seems to imply that this 'other' resource is equivalent from a security 'context'?
John Moehrke (Dec 13 2016 at 21:28):
Is this for a case where some non-FHIR formatted data is imported into a FHIR system, thus it is saved as a Binary for reference purposes; then decomposed into N FHIR native resources? Is this the use-case? If so, how would one find the Binary object? In cases like where DocumentReference is used, the DocumentReference would be the way to discover the Binary object, and DocumentReference contains the metadata that is used to rule over accessibility of the Binary object. Thus in the case of DocumentReference managed Binary, the pointer is in the opposite direction. Thus I am struggling with why I would have a pointer from Binary to something else. For HL7 v2 message ingestion, wouldn't a Provenance record be the linkage between the various derived FHIR resources and the Binary copy of the original v2 message? Thus Provenance is how one discovers Binary?
Grahame Grieve (Dec 13 2016 at 22:05):
I think the main use case is for when there is no reference to the binary (yet?)
John Moehrke (Dec 13 2016 at 23:06):
The frustrating part is that this was added using GF#10126 which is the CR I created with the intent to just add a "Security Considerations" section to the Binary resource page to inform the reader that Binary is different and not as clear how to protect. I don't like the solution, and my objections on the gForge tracker were ignored. Now it exists and I can't figure out how to use it.
Grahame Grieve (Dec 13 2016 at 23:11):
If you add a comment on a task resolution long after the task is resolved, you really need to alert people to that
Grahame Grieve (Dec 13 2016 at 23:11):
ok, it wasn't long after. still, it was after
Grahame Grieve (Dec 13 2016 at 23:12):
There's a gap between 'I don't need to use X' and 'I don't like X'. I don't follow why you don't like it
John Moehrke (Dec 13 2016 at 23:14):
first. the solution is counter to the way that Binary would be used with DocumentReference.
John Moehrke (Dec 13 2016 at 23:16):
That can be solved by explaining DocumentReference, and saying when Binary is used with DocumentReference that the DocumentReference method is to be used.
John Moehrke (Dec 13 2016 at 23:17):
Note that it is important to recognize that the meta tags protecting DocumentReference are different than the security-tags that DocumentReference holds that are used to protect the Binary.
John Moehrke (Dec 13 2016 at 23:17):
they might be equal, but might not.
Grahame Grieve (Dec 13 2016 at 23:18):
we could add documentation about both of those
John Moehrke (Dec 13 2016 at 23:20):
okay, then what use-case is left... let's decompose that and determine if there is a solution. I think the other formally understood use-cases are less clear, they are ANY resource that has an element that is an Attachment... unfortunate we don't have them nicely grouped
John Moehrke (Dec 13 2016 at 23:20):
so, for those... we use this SecurityContext? And if so, how does that work?
Grahame Grieve (Dec 13 2016 at 23:21):
there are people out there using Binary directly without referencing it from attachment
John Moehrke (Dec 13 2016 at 23:21):
Especially for cases where the Binary has a relationship to more than one FHIR Resource (e.g. the HL7 v2 message decomposed).
John Moehrke (Dec 13 2016 at 23:21):
Binary, as in not related to anything? If so, then do they have a use for SecurityContext?
Grahame Grieve (Dec 13 2016 at 23:22):
yes. it's linked to their context somehow - typically, patient - but that is not explicit in their resources
John Moehrke (Dec 13 2016 at 23:23):
I can think of many nefarious uses for a server that will accept Binary RESTful actions...
John Moehrke (Dec 13 2016 at 23:23):
they will learn... can't mandate security-by-design
Grahame Grieve (Dec 13 2016 at 23:23):
I'm sure that if you think about it, you can also think of some valid uses
John Moehrke (Dec 13 2016 at 23:24):
I know of some, yes... but I always try to create a security risk management plan around them.
Grahame Grieve (Dec 13 2016 at 23:25):
well, here, you appear to be taking exception to an information field that exists to support various risk mgmt plans
John Moehrke (Dec 13 2016 at 23:25):
Binary is important. And securityContext might be the right solution. I started the thread with a question asking how to use it. I have new understanding, but not enlightenment
John Moehrke (Dec 13 2016 at 23:26):
is seeking enlightenment not acceptable?
Grahame Grieve (Dec 13 2016 at 23:26):
lol
John Moehrke (Dec 13 2016 at 23:27):
so, I can create text that can help people understand how to protect Binary if that binary is referenced from DocumentReference....
John Moehrke (Dec 13 2016 at 23:27):
I can do similar if I understood a reasonable set of other Attachment places...
John Moehrke (Dec 13 2016 at 23:28):
For example, when Binary is used in Patient.photo; then protecting it with the same 'security context' as Patient seems logical.
John Moehrke (Dec 13 2016 at 23:28):
and if ultimately we need bidirectional URL (which is what the current solution seems to be designing) because the current directional url is from Attachment to Binary... then I guess we create bidirectional URL, something surely going to get broken.
Grahame Grieve (Dec 13 2016 at 23:30):
well, when we discussed it, there were a few considerations
John Moehrke (Dec 13 2016 at 23:30):
so some reasonable subset of "Attachment is used in the following places: BodySite, Claim, Communication, CommunicationRequest, Consent, Contract, DiagnosticReport, DocumentManifest, DocumentReference, ExplanationOfBenefit, HealthcareService, Library, Media, Observation, Patient, Person, Practitioner, Questionnaire, QuestionnaireResponse and RelatedPerson"
Grahame Grieve (Dec 13 2016 at 23:30):
maybe
Grahame Grieve (Dec 13 2016 at 23:30):
in principle, if a resource references a binary, then it should be secured as for the resource that references it.
John Moehrke (Dec 13 2016 at 23:31):
what about when multiple Resources reference the same Binary
John Moehrke (Dec 13 2016 at 23:31):
for example a CDA document that is decomposed into thousands of FHIR objects...
Grahame Grieve (Dec 13 2016 at 23:32):
maybe. that is. at least, probably. Though we haven't said what the rules are - if we could - about resources that reference things that have higher privilege
John Moehrke (Dec 13 2016 at 23:32):
actually Attachment is not enough... as it is really Resource(ANY) too.. right?
John Moehrke (Dec 13 2016 at 23:33):
I am thinking about Provenance, which we are modeling to say that the source material might be something like an HL7 v2 message that is saved in a Binary...
Grahame Grieve (Dec 13 2016 at 23:33):
there was also an issue about posting order - if you aren't using transactions, the binary will be created before the thing that references it
John Moehrke (Dec 13 2016 at 23:33):
hmmm, you operational people... in theory it just happens...
Grahame Grieve (Dec 13 2016 at 23:34):
hah. the gap between theory and reality is bigger in reality than in theory
John Moehrke (Dec 13 2016 at 23:35):
So, how about three cases: ( 1 ) DocumentReference, ( 2 ) Provenance, and ( 3 ) undefined.... That is, if you have special handling needed on a Binary, then you must either have a DocumentReference or a Provenance.
Grahame Grieve (Dec 13 2016 at 23:36):
we did intend to reduce the pressure on this by introducing an operation on DocumentReference that gives you direct access to its content in native form
Grahame Grieve (Dec 13 2016 at 23:36):
something like GET DocumentReference/[id]/$content
John Moehrke (Dec 13 2016 at 23:36):
I thought that magic just happened with Binary
Grahame Grieve (Dec 13 2016 at 23:36):
but we didn't do that, and it's complicated since DocumentReference can actually include multiple things
John Moehrke (Dec 13 2016 at 23:37):
OH, because the request is saying I want DocumentReference in FHIR form; but I want any Binary in native
John Moehrke (Dec 13 2016 at 23:37):
in IHE MHD, I just forced two steps...
John Moehrke (Dec 13 2016 at 23:38):
although I might have implied the impossible... hmm, better go look.
Last updated: Apr 12 2022 at 19:14 UTC