[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Comments for XSPA 2.0 SAML profile
1. The NwHIN Authorization guide specifies the use of a pseudo xspa subject id attribute of "urn:oasis:names:tc:xspa:1.0:subject:subject-id" instead of using the XACML subject-id as called out in the XSPA 1.0 and 2.0 draft. Should we care? 2. The NwHIN Authorization gude specifies the use of a structured HL7 type as the attribute value for the purpose of use and role attributes. We decided to reference other sources for the value of these attributes, but should we copy the concept of a coded type or just leave the value lacking the notion of a code system? The commonly accepted health care IT practice when it comes to standards seems to prefer using coded or strongly typed values, so I advocate a similar approach for consistency sake. 3. We have "urn:oasis:names:tc:xspa:2.0:resource:type" and "urn:gov:hhs:fha:nhinc:service-type". The XACML action-id is still unused and I suggest eliminating both of these attributes in favor of the XACML action-id. 4. The patient id is represented by the XACML resource-id attribute, and the provider is represented by the NPI. However, the NPI can represent both a provider and a clinic. We should break this attribute into provider and clinic NPI attributes to avoid any mixup and allow for the reliable identification of a physical location in a privacy policy. 5. The subject-id is reserved for the requestors free-text name. Names are not unique identifiers and are not suggested for access control decisions. I suggest changing the XACML profile to make the subject-id optional and the NPI mandatory. 6. Alternate suggestion for the handling of unique identifiers is to replace the NPI attributes with equivalent attributes for a subject unique identifier, provider unique identifier, and clinic unique identifiers. Regards, Michael Dufel Jericho Systems Corporation Toll Free: 877.231.2200 Local: 972.231.2000 Fax: 972.234.1100 EnterSpace Technology: Tools that Rule® All rights reserved. Product names are trademarked by their respective companies. EnterSpace Technology is covered under United States Patents 7,779,247, 7,792,828, and 8,060,504. The information contained in this e-mail and all attachments transmitted with it is the Confidential and Proprietary information of Jericho Systems Corporation. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by replying to this message and please delete it from your computer.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]