[Openid-specs-heart] Draft HEART Meeting Notes 2016-08-01

Sarah Squire sarah at engageidentity.com
Mon Aug 1 21:02:00 UTC 2016


Attending:

Debbie Bucci

Oliver Lawless

Justin Richer

Danny van Leeuwen

Jin Wen

Adrian Gropper

Scott Shorter

Dale Moberg

Cait Ryan

Eve Maler

Sarah Squire

Ken Salyards

Aaron Seib

Julie Maas

Jim Kragh

Edmund Jay

Hope Morgan

Debbie

Does what you put in a resource set have to be in the RPT?

Justin

No, it can be any subset

Adrian

Can scopes be hierarchical?

Justin

Scopes are flat strings.

Eve

Yes, but scope strings might be implemented in such a way as to have a
hierarchical association, but that’s on a per-implementation basis.

Adrian

If a particular resource is part of the FHIR standard already, medication
order, for instance, can I withhold medication order without having to list
all the positive scopes?

Oliver

There’s Kathleen’s way, which is the security labeling.

Justin

Security labeling could easily function as a set of scopes alongside the
resource-based scopes that we’ve already defined.

Oliver

But I’m concerned that the security labeling has legal implications.

Justin

At the level that we’re discussing it, it would just be an access
management tag.

Oliver

I think we should do that whole thing without using security labels.

Justin

We don’t actually care how the data gets marked up and out the door.

Adrian

I’m looking for a paragraph that describes our intent relative to FHIR to
the extent that FHIR has standardized resource hierarchies.

Oliver

These things are changing on an ongoing basis. Some of these decisions are
tied to consent of the resource owner. So it can’t necessarily be
decoupled.

Debbie

I’d like to focus on resource sets. A resource server could define resource
sets for commonly asked for information. I think we could do this using the
existing spec.

Justin

That’s the idea

Sarah

That’s certainly possible

Adrian

I just want to know if what we do will influence FHIR to make a change

Ken

Trying to depend on a content structure like FHIR is going to create a huge
maintenance load.

Justin

We’re not doing that

Debbie

This is taken directly from SMART on FHIR, right?

Justin

Yes. The intent is that this would be generated based on an external list.

Debbie

If we can use UMA resource sets to combine FHIR resource types, we can get
authorizations for Alice to approve.

Oliver

You’re making a massive assumption that you want to separate authorization
from consent.

Sarah

But we’re talking about the patient handing out their own data.

Oliver

I don’t know if that’s possible

Debbie

We’re just trying to come up with a way for us to express the results in an
authorization token

Ken

Can we generate scopes from consent? If so, we should look at it from a
patient-process perspective. What’s the patient trying to do? Protect
access to their information. We have a robust set of experience with
generating consent in a standard format. You can derive information from
that and apply it to whatever information sets you’re trying to manage.

Oliver

This isn’t just one universe, though. We’re dealing with multiple
frameworks.

Eve

The style of our existing OAuth FHIR profile scopes incorporates the notion
of choosing what content to see. It’s not just an action, it’s also
divvying up content. We’re bundling up the object and the verb together.

Debbie

I think in many cases, an RS will need to manage OAuth and UMA, so if the
scopes match, why would we use a common identifier?

Eve

If there’s a technical reason for them to be correlated, then great, but
maybe they don’t.

Justin

The scopes that we have right now do classify the request along 3 different
axes, and that’s actually explaining what’s trying to go across the wire.

Oliver

When you have patient/read or patient/write, what do you think you’re
granting?

Justin

I thought that was self-explanatory.

Debbie

Could we create a resource set using Nancy’s list as a starting point? Are
we doing claims gathering as well?

Justin

Yes, claims gathering would have to be associated with the scopes. Alice
has to be able to say what Dr. Bob can do.

Debbie

How would a resource server tell an authorization server that it needs
additional scopes?

Justin

It registers those along with the ticket.

Adrian

In order to make progress, can we have as an example the common clinical
data set and doctors’ and nurses’ notes as defined by FHIR?

Debbie

I think Nancy had a good list

Oliver

This data set doesn’t really map to FHIR resources

Ken

Part of the problem is that when you’re trying to apply policy, there are a
lot of overlaps between resources. The same information can be in multiple
FHIR resources, so when you’re trying to do a simple policy, it may or may
not be able to actually do that.

Debbie

Each resource has multiple scopes, so the resource set is an easy way to
group multiple options together for Alice to respond to as far as what she
would release.

Ken

I’m not sure that a FHIR resource can be properly mapped to a UMA resource.

Oliver

We’re definitely going to have to do some mapping and synchronization.

Justin

This is a good conversation. We should move the terminology conversation to
the list and pick it up next week.


Sarah Squire
Engage Identity
http://engageidentity.com
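Added example, not part of the meeting notes or of any HEART or UMA code: the resource-server side of the mechanics discussed above, namely a registered UMA resource set whose scopes are flat strings, a permission request for a subset of those scopes (the "it registers those along with the ticket" step), and the check that an introspected RPT actually covers the access being attempted. The resource set, scope strings, identifiers and introspection response are constructed for this example, and the wildcard expansion in expand_scopes is an assumed, implementation-specific hierarchy of the kind Eve describes, not anything the UMA or SMART specs mandate.

```python
import time

# Constructed sample: one UMA resource set registered by a FHIR resource server
# for Alice's medication orders. Field names follow the UMA 1.0 resource set
# registration shape ("name", "scopes"); the values and the id are made up.
REGISTERED_RESOURCE_SETS = {
    "rs-alice-meds": {
        "name": "Alice medication orders",
        "scopes": [
            "patient/MedicationOrder.read",
            "patient/MedicationOrder.write",
            "patient/MedicationOrder.*",
        ],
    }
}

# Constructed sample introspection response for an RPT. Shape assumed to be
# UMA 1.0 style: {"active": bool, "permissions": [{"resource_set_id", "scopes", "exp"}]}.
SAMPLE_INTROSPECTION = {
    "active": True,
    "permissions": [
        {
            "resource_set_id": "rs-alice-meds",
            "scopes": ["patient/MedicationOrder.read"],
            "exp": 2_000_000_000,
        }
    ],
}


def expand_scopes(scopes):
    """Assumed, implementation-specific hierarchy: scopes stay flat strings on the
    wire, but this RS treats "patient/X.*" as implying "patient/X.read" and
    "patient/X.write". A different RS may define no hierarchy at all."""
    expanded = set()
    for s in scopes:
        expanded.add(s)
        if s.endswith(".*"):
            base = s[:-2]
            expanded.add(base + ".read")
            expanded.add(base + ".write")
    return expanded


def build_permission_request(resource_set_id, requested_scopes):
    """Body the RS registers with the AS to obtain a permission ticket.
    The scopes the RS asks for must be a subset of the registered ones;
    anything else is a registration bug, not something to pass through."""
    registered = set(REGISTERED_RESOURCE_SETS[resource_set_id]["scopes"])
    unknown = sorted(set(requested_scopes) - registered)
    if unknown:
        raise ValueError(f"scopes not registered for {resource_set_id}: {unknown}")
    return {"resource_set_id": resource_set_id, "scopes": sorted(set(requested_scopes))}


def rpt_authorizes(introspection, resource_set_id, needed_scopes, now=None):
    """Decide whether an introspected RPT covers the access being attempted.
    Only an active token with an unexpired permission on this exact resource set
    whose granted scopes (after the RS's own expansion) include every needed
    scope is accepted; the RPT holding a subset of the registered scopes is
    normal and is why each needed scope is checked individually."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    needed = set(needed_scopes)
    for perm in introspection.get("permissions", []):
        if perm.get("resource_set_id") != resource_set_id:
            continue
        exp = perm.get("exp")
        if exp is not None and exp <= now:
            continue
        if needed <= expand_scopes(perm.get("scopes", [])):
            return True
    return False


if __name__ == "__main__":
    print(build_permission_request("rs-alice-meds", ["patient/MedicationOrder.read"]))
    print("read allowed:", rpt_authorizes(SAMPLE_INTROSPECTION, "rs-alice-meds",
                                          ["patient/MedicationOrder.read"], now=1_700_000_000))
    print("write allowed:", rpt_authorizes(SAMPLE_INTROSPECTION, "rs-alice-meds",
                                           ["patient/MedicationOrder.write"], now=1_700_000_000))
```

The point of keeping expand_scopes separate from rpt_authorizes is the one made in the discussion: the AS and the wire format only ever see flat strings, and whatever hierarchy a deployment wants lives entirely in the RS's own interpretation, so two resource servers in the same ecosystem can disagree about what "patient/MedicationOrder.*" implies without either violating the protocol.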

