FHIR Chat · Remove security tags from a resource? · implementers

Stream: implementers

Topic: Remove security tags from a resource?


Sean McIlvenna (Mar 29 2019 at 18:22):

How do you remove a security tag (Resource.meta.security) from a resource? At least in the HAPI server I'm playing with, I can add security tags with a PUT on the resource, but when I try to remove the security tags from the resource with a subsequent PUT, they are still there when I do a GET.

John Moehrke (Mar 29 2019 at 18:25):

security tags are no different than any other element. normal REST verbs apply.

Grahame Grieve (Mar 29 2019 at 19:13):

not so simple - they're a special case. in my system, security tags auto-migrate across versions. you have to $meta-delete them

John Moehrke (Mar 29 2019 at 19:29):

why is this? This kind of merging-only behavior has never been discussed in the Security WG, and doesn't appear on a security page.

Sean McIlvenna (Mar 29 2019 at 19:31):

@Grahame Grieve, yup, just found $meta-delete

Grahame Grieve (Mar 29 2019 at 19:34):

it was in the spec from very early - long before security got involved. but the use case is simple:
- I (the patient) label a resource with a security code "confidential"
- an application updates it. it doesn't care about my confidentiality, so it doesn't set the label
- I don't want it to be unlabeled because of that

so tags and labels are special - the only way to remove them is through $meta-delete. Because we anticipate that they are a special case

John Moehrke (Mar 29 2019 at 19:38):

That use-case today would be better handled with a Consent resource that addresses that instance of the resource specifically. This is the use-case that drove the element Consent.provision.data. We had no knowledge of this historic text.

Grahame Grieve (Mar 29 2019 at 19:43):

I do not think that it should be handled by consent at all. The consent resource is not some magic wand; unless you propose to remove all security labels and replace them with consent

Lloyd McKenzie (Mar 29 2019 at 19:43):

Setting a flag isn't a consent. If I set a flag saying "do not share with the patient" - how could that be a consent?

John Moehrke (Mar 29 2019 at 19:58):

I created GF#20631 to carry this discussion further and into Security WG


Last updated: Apr 12 2022 at 19:14 UTC