ashaban
commented
4 years ago @eric-jahn we are adding this on the to do list. Thank you for suggesting this
Open eric-jahn opened 4 years ago
ashaban
commented
4 years ago @eric-jahn we are adding this on the to do list. Thank you for suggesting this
eric-jahn
commented
4 years ago @ashaban: The company I work for, hslynk.com, is open source, and we use OpenCR, so we would be happy to test this with you, as you develop it. We use OAuth2.
We can't use the CRUX UI equivalent, because users would be able to see patient records from outside their organization. So we will have to make a new, restricted UI for viewing matched clients which were added already by their organization, or which were shared from another organization. Some HIE implementations may allow the Client Registry participating member organizations to see all identifiers across all organizations, but we can't have that for our human services purposes.
I think this could be implemented by allowing an external ACL system (OAuth 2 implementation) to determine if the user requesting access to CRUX for a given person/patient id should be granted access, based on group "ownership" or sharing permissions, for that record. In our system, the ACL uses a combination of client consent, agency internal roles, and inter-agency sharing rules, to determine whether access should be granted. I imagine every system using Open CR will use a different ACL regime, so Open CR could just rely on that external ACL system's "accept" or "reject" response.