StructureDefinition-IHE.BasicAudit.OAUTHaccessTokenUse.Comprehensive

Source

ihe.iti.balp#current:Basic Audit Log Patterns (BALP) (v4.0.1)

resourceType

StructureDefinition

IHE.BasicAudit.OAUTHaccessTokenUse.Comprehensive

canonical

https://profiles.ihe.net/ITI/BALP/StructureDefinition/IHE.BasicAudit.OAUTHaccessTokenUse.Comprehensive

version

1.1.2

status

active

publisher

IHE IT Infrastructure Technical Committee

name

OAUTHaccessTokenUseComprehensive

title

Basic AuditEvent pattern for when an activity was authorized by an IUA access token

date

2023-07-28T13:59:05+00:00

description

A basic AuditEvent profile for when an activity was authorized by an IUA access token. This profile is expected to be used with some other detail that explains the activity. This profile only covers the IUA access token. - Given an activity has occured - And OAuth is used to authorize (both app and user) - And the given activity is using http with authorization: bearer mechanism - IUA - [3.72 Incorporate Access Token \[ITI-72\]](https://profiles.ihe.net/ITI/IUA/index.html#372-incorporate-access-token-iti-72) - Bulk Data Access - [11. Presenting an Access Token to FHIR API](https://hl7.org/fhir/uv/bulkdata/authorization/index.html#presenting-an-access-token-to-fhir-api) - SMART-app-launch - [7.1.5 Step 4: App accesses clinical data via FHIR API](http://hl7.org/fhir/smart-app-launch/index.html#step-4-app-accesses-clinical-data-via-fhir-api) - [HL7 Security for Scalable Registration, Authentication, and Authorization (aka UDAP) ](http://hl7.org/fhir/us/udap-security/history.html) when it gets published - When an AuditEvent is recorded for the activity - Then that AuditEvent would follow this profile regarding recording the IUA access token details - note: this profile records minimal information from the IUA access token, which presumes that use of the AuditEvent at a later time will be able to resolve the given information. - client slice holds the application details - This is likely replicated in other slices, but is consistently identified as the Application slice for ease of tracking all events caused by this client - place the client_id into .who.identifier.value (system is not needed, but avaialble if you have a system) - any network identification detail should be placed in .network (may be a IP address, or hostname) - oUser slice holds the user details - user id is recorded in the .who.identifier - user id is also recorded in .name to be more easy searched - if roles or purposeOfUse are known record them here - the JWT ID is recorded in .policy. Expecting that during audit anaysis this ID can be looked up and dereferenced

jurisdictions

fhirVersion

4.0.1

kind

resource

abstract

false

sdTtype

AuditEvent

derivation

constraint

base

http://hl7.org/fhir/StructureDefinition/AuditEvent

Usages

IHE BALP Audit Creator (profile)
IHE ATNA Audit Record Repository supporting BALP Content (profile)
IHE BALP Audit Consumer (profile)

Name	Flags	Card.	Type	Description & Constraints
AuditEvent			AuditEvent
Slices for agent				Slice: Unordered, Open by pattern:type
agent:oClient		1..1
type		1..		Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://dicom.nema.org/resources/ontology/DCM
code		1..1	code	Symbol in syntax defined by the system Fixed Value: 110150
who		1..		client identifier
identifier		1..
value		1..		Token client ID (client_id)
media		.. 0
network	S			The client as known by TCP connection information
agent:oUser		0..1
type		1..		Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
role	S
who		1..		May be a Resource, but likely just an identifier from the OAuth token
identifier		1..
system	S			Token Issuer (TOKEN_ISSUER)
value	S			User ID (USER_ID)
display	S			User Name (USER_NAME)
name	S			User Name (USER_NAME)
requestor				Required Pattern: true
policy		1..1		jti (JWT ID)
media		.. 0
network		.. 0
purposeOfUse	S
Documentation for this format

Produced 08 Sep 2023