The Internet User Authorization (IUA) Profile provides support for user authentication, app authentication, and authorization decisions. To allow for these features, CA:FeX actors can be grouped with IUA actors.

For the specific Canadian implementation guidance for the IUA profile, refer to the RA section IUA - Canadian Implementation Guidance.

If the grouping is in place, an actor from CA:FeX shall implement the required transactions and/or content modules in CA:FeX in addition to all the transactions required for the grouped actor (Column 2).

CA:FeX Actor

Actor(s) to be grouped with

Data Source

IUA / Authorization Client

Data Recipient

IUA / Resource Server

Data Consumer

IUA / Authorization Client

Data Responder

IUA / Resource Server

The CA:FeX Data Source and Data Consumer actors, when grouped with IUA Authorization Client, shall use Get Access Token [ITI-71] to request the corresponding scope from the IUA Authorization Server.

This enables the CA:FeX actor to submit the corresponding CA:FeX transaction with the combined transaction Incorporate Access Token [ITI-72].

The CA:FeX Data Recipient and Data Responder actors. When grouped with IUA Resource Server, shall require Incorporate Access Token [ITI-72] in all CA:FeX transaction requests, shall enforce the authorization decision in the token, and may further enforce policies beyond those made by the Authorization Server such as consent or business rules.

There are additional security and privacy functionalities enabled by this grouping.

  • Transactions are combined with IUA transactions requiring access tokens
  • There are additional requirements and functionality enabled through scope definitions that are transaction specific.

Actors

Transactions

IUA/OIDC Scopes

Data Source

Submit Data [CA:FeX-1]

CAFEX-1

Data Recipient

Submit Data [CA:FeX-1]

CAFEX-1

Data Consumer

Search Data [CA:FeX-2]

CAFEX-2

Retrieve Data [CA:FeX-3]

CAFEX-3

Data Responder

Search Data [CA:FeX-2]

CAFEX-2

Retrieve Data [CA:FeX-3]

CAFEX-3

Each scope authorizes the full CA:FeX transaction. This scope implicitly allows for patient-specific CRUD/S operations in line with and supported by the corresponding CA:FeX transaction.

Further scope refinement is allowed in realm or project-specific situations; these scopes would be in addition to the scopes defined here.

  • No labels