HL7 / data-access-policies

Play-space for some new IG work that may or may not eventually become a FHIR spec

Other standards for Access Control encoding #34

Open JohnMoehrke opened 2 months ago

JohnMoehrke commented 2 months ago

As alternatives to using a FHIR-specific Resource like Permission, there are standards for Access Control Policy. These standards might be used to encode the access control rules, where a Permission resource exists for discoverability but does not include any FHIR-encoded rules, only a pointer to an encoding using one of these standards.

JohnMoehrke commented 2 months ago

Is this sufficient front material? Or should we do an analysis on how a Permission can reference an external standard?

JohnMoehrke commented 2 months ago

In theory Consent has the Consent.policyBasis that can be used for this purpose. But Permission today has no existing element. Might be good to have specific elements for this, if not core extensions.

JohnMoehrke commented 2 months ago

This might also be a good time to express what the value-add of the FHIR Consent/Permission is over the existing standards. We don't want to re-invent the wheel.

costateixeira commented 2 months ago

The justification should indeed be present and derived from the options we want to explore - Permission as a way to express managed policies in a structured way (regardless of whether the rules are computable or not). We can analyse the cases where a Permission may not need a computable policy, and the cases where (maybe) a Permission might actually point to / contain an XACML coding of a rule, for example?
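As an added illustration of the pointer pattern discussed in this thread (not code from the issue or from HL7): a Consent can carry an external policy location in the R5 element Consent.policyBasis.url, while Permission has no native element, so the example below uses an assumed, hypothetical extension URL; all resource contents are constructed sample data.

```python
"""Added example: locate an externally encoded (e.g. XACML) policy referenced
from a FHIR R5 Consent or Permission, and tell inline-rule resources apart
from discoverability-only resources that point elsewhere."""
from typing import Optional

# ASSUMPTION: hypothetical extension URL, not defined by HL7 or this IG.
EXTERNAL_POLICY_EXT = "http://example.org/fhir/StructureDefinition/external-policy-basis"

# Constructed sample: Consent using the real R5 element policyBasis.url.
consent = {
    "resourceType": "Consent",
    "id": "consent-xacml-1",
    "status": "active",
    "policyBasis": {"url": "https://policies.example.org/xacml/patient-privacy.xml"},
}

# Constructed sample: Permission with no FHIR-encoded rules (discoverability
# only) plus the hypothetical extension pointing at the external policy.
permission = {
    "resourceType": "Permission",
    "id": "perm-xacml-1",
    "status": "active",
    "combining": "deny-overrides",
    "extension": [{"url": EXTERNAL_POLICY_EXT,
                   "valueUrl": "https://policies.example.org/xacml/patient-privacy.xml"}],
}

def external_policy_url(resource: dict) -> Optional[str]:
    """Return the external policy location the resource points to, if any."""
    rt = resource.get("resourceType")
    if rt == "Consent":
        return resource.get("policyBasis", {}).get("url")
    if rt == "Permission":
        for ext in resource.get("extension", []):
            if ext.get("url") == EXTERNAL_POLICY_EXT:
                return ext.get("valueUrl")
    return None

def classify(resource: dict) -> str:
    """'inline' if FHIR-encoded rules are present, 'external' if the resource
    only points to an outside encoding, otherwise 'none'."""
    rt = resource.get("resourceType")
    if rt == "Permission" and resource.get("rule"):
        return "inline"
    if rt == "Consent" and resource.get("provision"):
        return "inline"
    return "external" if external_policy_url(resource) else "none"
```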