2015May core #975b - Add authorization qualifier to 'read'


    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Medium
    • FHIR Core (FHIR)
    • DSTU1 [deprecated]
    • FHIR Infrastructure
    • REST (http)

      Missed as part of initial load due to duplicate comment number.

      Grahame: extend the security section (2.1.0.3) to note that all operations are subject to RBAC/ABAC, consent etc. - though I really don't think we need to actually say that. And I don't think that we can actually prescribe how the decisions are made?

    • James Agnew / Grahame Grieve: 4-0-0
    • Enhancement
    • Non-substantive
    • DSTU1 [deprecated]

      Submitted by: Ioana Singureanu (Eversolve (on behalf of SAMHSA))

      Proposed Wording: Add something like: "Only authorized systems/users (those that meet the access control, including "Consent" directives) will be allowed to "vread" the resource based on version."

      Comment:

      This operation needs additional explicit caveats to protect unauthorized "vread".

      We need to explain precisely how the security guidance (/security.html) should be applied to this *specific* operation, including the use of Consent and Provenance to make access control decisions, and including consent to make sure only authorized systems and users are viewing, changing, updating, or reviewing the update history of a resource.

            Assignee:
            Unassigned
            Reporter:
            Ioana Singureanu
            Watchers:
            2
