continuation of: Karolinska/Stockholm procurement of Digital health platform (CDR, tools, services, consultants) - #17 by joostholslag
@Daniel.Alomar @birger.haarbrandt @erik.sundvall @tangit86 @sebastian.iancu and @Sidharth_Ramesh are probably interested.
Background:
Currently access control has limited support in the openEHR spec itself. The only thing there is an EHR_ACCESS class, which has an abstract ACCESS_CONTROL_SETTINGS which is unconstrained and lives at the EHR level.
So basically a place to record access control rules on the specific EHR in any format.
And there is a general statement that the composition is the atomic unit of commit. And āAn ENTRY
is also the minimal unit of information any query should returnā . Thus you should only set read access at the entry level (not smaller) and only write access if you can edit (and thus read) the entire composition.
As described in the SMART on openEHR there are many more scopes that are relevant to define access control for: e.g. doctors can create compositions that are instances of template composition.acp, or nurses can execute stored AQL with name āpatient_historyā. etc.
This is a generic topic to share requirements and solutions and architectural thoughts.
My specific requirement is how to define access policies to openEHR resource expression (templates, specific composition etc as defined in smart on openEHR spec) for a network of care organisations, without a single source of trust. E.g. all doctors in the netword can create composition.ACP instances. More info: