jorritspee
commented
3 months ago SCP distinguishes between 2 roles: CarePlanService (CPS) and CarePlanContributor (CPC) (https://santeonnl.github.io/shared-care-planning/overview.html#actors). The CPC role differs between the 3 transactions
-
Creating and responding to a Task "This actor creates and updates the care plan and tasks/orders for other (future) Care Plan Contributors." We could say that only professionals with certain jobs/specialties/roles/professions are authorized to do this. This is not yet implemented.
-
Updating CarePlan and CareTeam "This actor creates and updates the care plan and tasks/orders for other (future) Care Plan Contributors." We could say that only professionals with certain jobs/specialties/roles/professions are authorized to do this. This is not yet implemented. We do say that only the CarePlan.author can delete a CarePlan. See https://santeonnl.github.io/shared-care-planning/security-authorization.html#resource-access. N.B.: CareTeam can never be directly updated by a CPC, this is done by the CPS
-
Getting data from CareTeam members "The CP-Contributor may also retrieve data from the other Care Plan Contributor(s)" We could say that jobs/specialties/roles/professions are a parameter for authorization, commonly referred to in other contexts as the "role-zib-matrix", meaning that some roles should only be able to access zibs a, b, c, and other roles should access a, b, c, d and e. This is not implemented in SCP. Our primary focus in authorization is: step 1 active membership of CareTeam, step 2 use case specific access rules based on Condition- and Request-code, see https://santeonnl.github.io/shared-care-planning/security-authorization.html#an-example-of-use-case-specific-access-rules.
Do you agree, @bramwesselo?
bramwesselo
I think this deserves an answer in the IG, to make the scope clear (task assignment and authorisations right?), so not necessarily an overview of involved parties) and to avoid confusion.