FHIR OAuth scope proposal using FHIR query parameters

In FHIR STU3 there are now some general query parameters. I recommend using general query parameters to promote OAuth domains today. Current SMART domains depend on simple vectors:

Patient vs. “User” –
If the “patient area” means all results should come from this patient
The user’s scope indicates that all the results refer to the user’s data rights
Resources resources
If the specified source of FHIR determines the results for the resource type
This is a set of fixed strings (for example, “hint”, etc.).
The REST process

In announcing the recording of the EBNF, the structure of the clinical dimension is:

clinic-range :: = (‘patient’ | ‘user’) ‘/’ (fhir-resource | ‘*’) ‘.’ (‘Read’ | ‘type’ | ‘*’)

For information on current OAuth coverage, see other articles:

SMART details – Areas and Operating Environment
David Hay – SMART – Rankings and Profiles
Mi – Alternatives to SMART Domains – FHIR
Mi: access control limit for medical care across different OAuth codes
If OAuth authorizes user access to required patient, as defined in the release context, for notes only and read only. It was a place

Patient / observation

The problem with this is that the actual “patient” identifier is not defined. At SMART, it is handled by the context of operation.

Suggest the use of standard patient “patient” parameters for the patient’s area
With the new standard FHIR STU3 consultation parameters we can identify the implied patient within range. There is a standard “patient” query parameter for 35 different sources. This is the advantage of being certain, but with a disability that the fields are not formed by static chains. I would suggest that using general query parameters is an alternative model for early SMART domains.

Then, instead of relying on the SMART execution context to retain the patient ID. Example of a patient from “http: //myserver.example/fhir/Patient/f5c7395”

Patient = “HTTP: //myserver.example/fhir/Patient/f5c7395” /Observation.read

Or we can add it to the end. I think it’s stronger.
Observation.read # Patient = “HTTP: //myserver.example/fhir/Patient/f5c7395″


Clinical area :: = (fhir-resource | ‘*’) ‘.’ (‘Read’ | ‘Write’ ” ” ‘)’ # ‘(Query |’ * ‘)

I suggest not working with all the questions. I just want the patient to involve the patient.

Range is a query with no query.
This is not a suggestion to set these query parameters and trust the server. It may be something to make it effective, but it does not work perfectly and not all. The use of search operators only helps with positive opportunities, but is not ideal against false positive or negative negatives. It will also fail if other parts of the query are written in a modern way to cause an error.

The scope must be fulfilled. The resource server is expected to impose a range without errors. This is what I want to say more than one simple question. The most important thing is to check the resulting package to ensure that the contents of the package are not in compliance.
The most common query parameters
Some other popular search parameters may be useful:
_id – If the domain is restricted to an exact source
_tag: if the domain is usually restricted to specific tags
_profile: if the domain is restricted by a specific _PRofile tag
_security – if the limit is limited to a particular HCS vocabulary (for example, a secret “N”)
Facing: When the range is limited to a specific meeting
But certainly missing
There are some important vectors in the lost privacy spaces:
Time frame when creating data: Hides the time frame or makes the time frame active
Authorized: Used only when the policy allows data generated by some organizations or users
Remember, the arrival is not all. If the user is banned, he / she can not get permission.

I also do not suggest the use of negative places. This user (moderator) will not see any data, but not a patient with a disease.

Leave a Reply

Your email address will not be published. Required fields are marked *