description: |-
  A basic AuditEvent profile for when an activity was authorized by an IUA access token. This profile is expected to be used with some other detail that explains the activity. This profile only covers the IUA access token.

  - Given an activity has occurred
  - And OAuth is used to authorize (both app and user)
  - And the given activity is using http with the authorization: bearer mechanism
    - IUA - [3.72 Incorporate Access Token \[ITI-72\]](https://profiles.ihe.net/ITI/IUA/index.html#372-incorporate-access-token-iti-72)
    - Bulk Data Access - [11. Presenting an Access Token to FHIR API](https://hl7.org/fhir/uv/bulkdata/authorization/index.html#presenting-an-access-token-to-fhir-api)
    - SMART-app-launch - [7.1.5 Step 4: App accesses clinical data via FHIR API](http://hl7.org/fhir/smart-app-launch/index.html#step-4-app-accesses-clinical-data-via-fhir-api)
    - [HL7 Security for Scalable Registration, Authentication, and Authorization (aka UDAP)](http://hl7.org/fhir/us/udap-security/history.html) when it gets published
  - When an AuditEvent is recorded for the activity
  - Then that AuditEvent would follow this profile regarding recording the IUA access token details
  - note: this profile records minimal information from the IUA access token, which presumes that use of the AuditEvent at a later time will be able to resolve the given information.
  - client slice holds the application details
    - This is likely replicated in other slices, but is consistently identified as the Application slice for ease of tracking all events caused by this client
    - place the client_id into .who.identifier.value (system is not needed, but available if you have a system)
    - any network identification detail should be placed in .network (may be an IP address, or hostname)
  - oUser slice holds the user details
    - user id is recorded in the .who.identifier
    - user id is also recorded in .name to be more easily searched
    - if roles or purposeOfUse are known, record them here
    - the JWT ID is recorded in .policy. The expectation is that during audit analysis this ID can be looked up and dereferenced
package_name: ihe.iti.balp
derivation: constraint
name: OAUTHaccessTokenUseComprehensive
type: AuditEvent
elements:
  agent:
    index: 0
    slicing:
      rules: open
      discriminator:
      - {path: type, type: value}
      min: null
      slices:
        oClient:
          match:
            type:
              coding:
              - {code: '110150', system: 'http://dicom.nema.org/resources/ontology/DCM'}
          schema:
            _required: true
            index: 1
            elements:
              type:
                pattern:
                  type: CodeableConcept
                  value:
                    coding:
                    - {code: '110150', system: 'http://dicom.nema.org/resources/ontology/DCM'}
                index: 2
              who:
                short: client identifier
                index: 3
                elements:
                  identifier:
                    index: 4
                    elements:
                      value: {short: Token client ID (client_id), index: 5}
                    required: [value]
                required: [identifier]
              media: {index: 6}
              network: {short: The client as known by TCP connection information, mustSupport: true, index: 7}
            required: [who, type]
        oUser:
          match:
            type:
              coding:
              - {code: IRCP, system: 'http://terminology.hl7.org/CodeSystem/v3-ParticipationType'}
          schema:
            index: 8
            elements:
              role: {mustSupport: true, index: 10}
              requestor:
                pattern: {type: Boolean, value: true}
                index: 17
              who:
                short: May be a Resource, but likely just an identifier from the OAuth token
                index: 11
                elements:
                  identifier:
                    index: 12
                    elements:
                      system: {short: Token Issuer (TOKEN_ISSUER), mustSupport: true, index: 13}
                      value: {short: User ID (USER_ID), mustSupport: true, index: 14}
                  display: {short: User Name (USER_NAME), mustSupport: true, index: 15}
                required: [identifier]
              name: {short: User Name (USER_NAME), mustSupport: true, index: 16}
              type:
                pattern:
                  type: CodeableConcept
                  value:
                    coding:
                    - {code: IRCP, system: 'http://terminology.hl7.org/CodeSystem/v3-ParticipationType'}
                index: 9
              policy: {short: jti (JWT ID), index: 18}
              purposeOfUse: {mustSupport: true, index: 21}
              network: {index: 20}
              media: {index: 19}
            required: [who, policy, type]
package_version: 1.1.4
class: profile
kind: resource
url: https://profiles.ihe.net/ITI/BALP/StructureDefinition/IHE.BasicAudit.OAUTHaccessTokenUse.Comprehensive
base: http://hl7.org/fhir/StructureDefinition/AuditEvent
version: 1.1.4
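As an added, constructed example (not code from the BALP package or from IHE), the following Python builds the oClient and oUser agent slices this profile describes from the claims of an already-validated bearer token and checks the profile's required elements before an event is accepted into an audit repository. The claim names used (iss, sub, name, client_id, jti), the sample values and the helper names are assumptions.

```python
import ipaddress
from typing import Any
DCM = "http://dicom.nema.org/resources/ontology/DCM"
V3_PART = "http://terminology.hl7.org/CodeSystem/v3-ParticipationType"
REQUIRED = {  # slice discriminator -> agent paths the profile marks required
    ("oClient", DCM, "110150"): ["who.identifier.value"],
    ("oUser", V3_PART, "IRCP"): ["who.identifier.value", "policy"]}
# Constructed sample: claims of an already-validated IUA/SMART bearer token.
SAMPLE_CLAIMS = {"iss": "https://as.example.org", "sub": "dr-jones", "name": "Dr. Jones",
                 "client_id": "ehr-app-42", "jti": "c3a1f0e2-7b1d-4b0f-9b2a-000000000001"}

def token_use_agents(claims: dict[str, Any], client_addr: str) -> list[dict[str, Any]]:
    """Build the oClient and oUser agent slices from the token claims and the TCP peer."""
    try:  # AuditEvent.agent.network.type: "2" = IP address, "1" = machine name
        ipaddress.ip_address(client_addr)
        network = {"address": client_addr, "type": "2"}
    except ValueError:
        network = {"address": client_addr, "type": "1"}
    client = {  # oClient: client_id into who.identifier.value, peer address into network
        "type": {"coding": [{"system": DCM, "code": "110150"}]},
        "who": {"identifier": {"value": claims["client_id"]}},
        "network": network,
    }
    user_name = claims.get("name", claims["sub"])
    user = {  # oUser: issuer + subject in who.identifier, name for searching, jti in policy
        "type": {"coding": [{"system": V3_PART, "code": "IRCP"}]},
        "who": {"identifier": {"system": claims["iss"], "value": claims["sub"]},
                "display": user_name},
        "name": user_name,
        "requestor": True,
        "policy": [claims["jti"]],
    }
    return [client, user]

def missing_required(agents: list[dict[str, Any]]) -> list[str]:
    """Return the required slice elements an event lacks (empty list means it conforms)."""
    problems = []
    for (name, system, code), paths in REQUIRED.items():
        match = [a for a in agents if any(c.get("system") == system and c.get("code") == code
                                         for c in a.get("type", {}).get("coding", []))]
        if not match:
            problems.append(f"{name} slice missing")
            continue
        for path in paths:
            node: Any = match[0]
            for key in path.split("."):
                node = node.get(key) if isinstance(node, dict) else None
            if not node:
                problems.append(f"{name}.{path} missing")
    return problems
```

The returned agents are meant to be placed into AuditEvent.agent alongside whatever other slices describe the activity itself; the check only covers what this profile constrains.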