Stream: smart
Topic: Consent to record user's authorization
Shamil Nizamov (Dec 01 2020 at 15:49):
I'm puzzled a bit if it's possible to use the Consent resource to store the fact that a user has authorized a third-party app to access his data? To me this sounds more like an AuditLog rather than the Consent, but maybe someone does that. Any thoughts?
John Moehrke (Dec 01 2020 at 15:55):
an audit log entry would be useful too. but audit log entries tend to not be persisted forever. The intended use of Consent for this use-case is to enable a record that would be useful.
As to the question of if it is possible... would love to get any community feedback on the Consent resource to make it more useful, and to provide more informative examples and discussion/notes. There is one example, but it is very old and thus likely missing useful information.
David Pyke (Dec 01 2020 at 16:52):
The Consent.provision.actor in a Consent can be a device, so it is possible to use it as a record of software access.
Shamil Nizamov (Dec 01 2020 at 18:06):
The possibility to stretch the Consent in this direction is great, but what I'm trying to understand is if this is a recommended practice or simply one of the possible applications of the resource not explicitly mentioned in the resource narrative?
Josh Mandel (Dec 01 2020 at 18:17):
Just to be clear, SMART doesn't have an opinionated stance about how servers record a patient's authorization decision; this can be using FHIR or some server-internal tracking mechanism. Clients learn about approval decisions (ultimately) in the access token response.
Josh Mandel (Dec 01 2020 at 18:17):
Using things like Consent or Permission seems like a good area for servers to explore, though!
Shamil Nizamov (Dec 01 2020 at 18:24):
> Using things like Consent or Permission seems like a good area for servers to explore, though!

You mean Provenance, do you? It was in one of John's blog posts that Provenance is more for create/update, and AuditLog for access/delete/etc.
Josh Mandel (Dec 01 2020 at 19:30):
I mean Permission (a new resource; work in progress; I think it's pretty abstract which might make it challenging to use, but figured I'd point it out in case you haven't come across it.)
David Pyke (Dec 01 2020 at 19:31):
Using Consent this way is a possible action. We have not specifically outlined that use case but have made Consent as extendable as possible to allow for it. It could be done via the patient-privacy scope or through a custom scope.
John Moehrke (Dec 01 2020 at 19:49):
the Permission resource is very drafty... but yes, it is intended to hold access control rules for ANY purpose. Once fully developed it is likely that Consent would leverage Permission, but Permission would be useful for other use-cases such as B-2-B permissions, or app-permissions, or etc... But we need to develop it further to prove this vision
John Moehrke (Dec 01 2020 at 19:54):
David Pyke said:
> Using Consent this way is a possible action. We have not specifically outlined that use case but have made Consent as extendable as possible to allow for it. It could be done via the patient-privacy scope or through a custom scope.

there is an example that has been in the Consent resource examples all along - http://build.fhir.org/consent-example-smartonfhir.html
Shamil Nizamov (Dec 01 2020 at 20:17):
> there is an example that has been in the Consent resource examples all along - http://build.fhir.org/consent-example-smartonfhir.html

Oh, I missed this one, thank you for pointing it out.
Last updated: Apr 12 2022 at 19:14 UTC