Stream: implementers
Topic: Security Claims
Ivan May (Aug 11 2020 at 09:33):
Hi All
Just to add a little bit of background. I have a requirement to load multiple organizations' data onto a single FHIR instance. Loading the organizations and their unique identifiers is relatively simple based on the provided documentation. The only caveat is that not all organizations can access all other organizations' data. I have an external authentication and authorization service that I use to manage access to the FHIR integration.
So the process that we will follow is that a client will get a client ID and secret that will be exchanged for a short-lived access token (OAuth2). The access token will be of type JWT with scope claims including allowed organizations, etc. When a resource is then requested, the claims will filter out results the user is not allowed to see.
From what I understand, the security labels in the FHIR specification are to be used to filter out data that is not allowed to be seen by the requesting user.
That all being said, the way I wanted to implement this was to add an "organization" claim to the JWT token, which is the primary organization the user belongs to. When that user then submits a resource, that organization claim is then stored under the security label on the resource. So when another resource then requests access to the resource, that user will need to have the relevant organization as part of his scope claim to access the details.
I also have a question around the Provenance and audit requirements. Is this a hard requirement that this information is stored in the FHIR server?
Would this be a correct approach to solve the authorization problem? I hope this is enough information. I used the information provided here: https://smilecdr.com/docs/security/smart_on_fhir_introduction.html and here: https://www.hl7.org/fhir/security.html
Grahame Grieve (Aug 11 2020 at 10:52):
Suggest you ask this on the #Security and Privacy channel
Ivan May (Aug 11 2020 at 12:25):
Ah, sorry, and thanks!
Last updated: Apr 12 2022 at 19:14 UTC