<div dir="ltr">Hi John-- (I changed the subject line and deleted older parts of the thread.)<div class="gmail_extra"><br></div><div class="gmail_extra">When you say "scope" here, I suspect you mean "scope" of the sharing use case, rather than something like an OAuth or UMA scope, so I'm just checking. So a "single-patient scope" means that the only human we're paying attention to in the use case is the patient, and "any application with users that are authorized to multiple patients" seems to mean a use case that involves party-to-party sharing, with multiple humans involved. However, you follow the latter with "would need to get multiple scopes", so I'm not sure. Note that "getting multiple scopes" as a technical construct doesn't have anything to do with sharing with an autonomous third party.</div><div class="gmail_extra"><br></div><div class="gmail_extra">FWIW, here is how I think, at a high level, about <b>configuring the delegation of rights to access resources</b>. It's all about <b>parts of speech</b>.</div><div class="gmail_extra"><br></div><div class="gmail_extra">OAuth lets a user (patient) do this configuration at run time while using a client app, by opting in to the authorization server's issuance of an access token to that app. By contrast, UMA lets a user (patient) do this configuration anytime, generally by instructing the authorization server to check whether some combination of the client app and the requesting party using the app meet various requirements (policy). So OAuth is kind of an attenuated version of UMA wrt the constraints on delegation of access rights.</div><div class="gmail_extra"><br></div><div class="gmail_extra"><font face="monospace, monospace">system subject verb object adjective</font></div><div class="gmail_extra"><font face="monospace, monospace" size="1">OAuth client ID OAuth scopes (implicitly some endpoints) n/a</font></div><div class="gmail_extra"><font face="monospace, monospace" size="1"> (and always Alice)</font></div><div class="gmail_extra"><font face="monospace, monospace" size="1">UMA claims-based eg Bob, UMA scopes over... UMA resource sets claims-based e.g. TPO,</font></div><div class="gmail_extra"><font face="monospace, monospace" size="1"> client ID/type, etc. time limitations, etc.</font></div><div class="gmail_extra"><br></div><div class="gmail_extra">It's possible to conflate purpose-of-use into the UMA scopes system, but it's as awkward as conflating (ordinarily implicit) resource sets into the OAuth scopes system (resource1.read, resource1.write, etc.), which is why OAuth has invented the audience parameter to try and solve the problem of a single authorization server protecting several APIs. This is why I suggest using a claims-based system above.</div><div class="gmail_extra"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">
<p><b>Eve Maler<br></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br>Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl<br>Join our <a href="http://forgerock.org/openuma/" target="_blank">ForgeRock.org OpenUMA</a> community!</p></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Dec 7, 2015 at 2:00 PM, Moehrke, John (GE Healthcare) <span dir="ltr"><<a href="mailto:John.Moehrke@med.ge.com" target="_blank">John.Moehrke@med.ge.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The discussion on the call today was too hard to break into. Even for a big mouth like me.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I am okay with limiting our next couple of profiles to single patient scopes. As much of the email discussion has pointed out patient controlled access is our primary scope, and logically (if not technically) this is easy to understand with scopes that are single patient. <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Yes this means that any application with users that are authorized to multiple patients would need to get multiple scopes; so be it. For now… For Enterprise use, this is troubling; but for most uses that happen from outside of an enterprise or between enterprises this limitation is not unreasonable. The most common APIs in healthcare for this are already patient centric. So it is not a big problem.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The user experience does not need to be impacted by this profiled limitation<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The future does not need to be impacted by this profiled limitation.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Which means that one viewpoint for scope can be the identity of the patient that one is asking for access to. This is not the only scope we will ever support; but is one method that would satisfy some use-cases today.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Another view on scope, that I have been involved with in other groups, is to use a high-level vocabulary that is used often in the Access Control policy – PurposeOfUse. This vocabulary is items like: Treatment, Payment, Research, Emergency, etc…<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">To go deeper than these two vectors through scopes in a general purpose healthcare access control infrastructure is futile.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Next level deeper in scopes would come from workflow centric implementation guides. That is a specification that is defining a workflow, could define a scope(s) for that workflow.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">John<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> </span></p></div></div>_______________________________________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br>
<br></blockquote></div><br></div></div>