The Internet User Authorization (IUA) Profile provides support for user authentication, app authentication, and authorization decisions. To allow for these features, CA:FeX actors can be grouped with IUA actors.

For the specific Canadian implementation guidance for the IUA profile, refer to the RA v0.1.1 DFT, section IUA - Canadian Implementation Guidance.

If the grouping is in place, an actor from CA:FeX shall implement the required transactions and/or content modules in CA:FeX in addition to all the transactions required for the grouped actor (Column 2).

| CA:FeX Actor   | Actor(s) to be grouped with |
|----------------|-----------------------------|
| Data Source    | IUA / Authorization Client  |
| Data Recipient | IUA / Resource Server       |
| Data Consumer  | IUA / Authorization Client  |
| Data Responder | IUA / Resource Server       |

The CA:FeX Data Source and Data Consumer actors, when grouped with IUA Authorization Client, shall use Get Access Token [ITI-71] to request the corresponding scope from the IUA Authorization Server.

This enables the CA:FeX actor to submit the corresponding CA:FeX transaction with the combined transaction Incorporate Access Token [ITI-72].

The CA:FeX Data Recipient and Data Responder actors, when grouped with IUA Resource Server, shall require Incorporate Access Token [ITI-72] in all CA:FeX transaction requests, shall enforce the authorization decision carried in the token, and may further enforce policies beyond those decided by the Authorization Server, such as consent or business rules.

There are additional security and privacy functionalities enabled by this grouping.

  • Transactions are combined with IUA transactions requiring access tokens
  • There are additional requirements and functionality enabled through scope definitions that are transaction specific.

| Actors         | Transactions             | IUA/OIDC Scopes |
|----------------|--------------------------|-----------------|
| Data Source    | Submit Data [CA:FeX-1]   | CAFEX-1         |
| Data Recipient | Submit Data [CA:FeX-1]   | CAFEX-1         |
| Data Consumer  | Search Data [CA:FeX-2]   | CAFEX-2         |
| Data Consumer  | Retrieve Data [CA:FeX-3] | CAFEX-3         |
| Data Responder | Search Data [CA:FeX-2]   | CAFEX-2         |
| Data Responder | Retrieve Data [CA:FeX-3] | CAFEX-3         |

Each scope authorizes the full CA:FeX transaction. This scope implicitly allows for patient-specific CRUD/S operations in line with and supported by the corresponding CA:FeX transaction.

Further scope refinement is allowed in realm or project-specific situations; these scopes would be in addition to the scopes defined here.
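The following is an added example, not code from the CA:FeX or IUA specifications, that walks through both sides of the grouping described above: a Data Source or Data Consumer grouped with an IUA Authorization Client requesting the transaction's scope (ITI-71) and carrying the token in the CA:FeX request (ITI-72), and a Data Recipient or Data Responder grouped with an IUA Resource Server that requires the token, enforces the scope from the table above, and then applies a local consent policy of the kind the profile allows beyond the Authorization Server's decision. The scope names and transaction identifiers come from this page; the token format (a standard-library HMAC-signed stand-in rather than a real JWT or SAML token), the shared secret, the `client_credentials` grant, the consent table and all identifiers are constructed assumptions.

```python
"""Added example (not CA:FeX or IUA project code). Demonstrates ITI-71 scope
request, ITI-72 token incorporation, and Resource Server scope + consent
enforcement for CA:FeX transactions. Token format is a simplified stand-in."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# CA:FeX transaction -> IUA/OIDC scope that authorizes it (from the scope table).
TRANSACTION_SCOPE = {
    "CA:FeX-1": "CAFEX-1",   # Submit Data
    "CA:FeX-2": "CAFEX-2",   # Search Data
    "CA:FeX-3": "CAFEX-3",   # Retrieve Data
}

# Constructed secret shared by the assumed Authorization Server and Resource
# Server. A real deployment would verify against the AS signing keys or use
# token introspection instead.
SHARED_SECRET = b"example-only-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_token_request(transaction: str, client_id: str) -> dict:
    """ITI-71, client side: token endpoint parameters requesting the scope that
    corresponds to the CA:FeX transaction the client intends to submit.
    client_credentials is an assumed grant for a system-to-system actor."""
    return {"grant_type": "client_credentials",
            "client_id": client_id,
            "scope": TRANSACTION_SCOPE[transaction]}


def issue_token(scopes: list, subject: str, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Constructed Authorization Server: sign a payload with the granted scopes."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scope": " ".join(scopes), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def incorporate_token(headers: dict, token: str) -> dict:
    """ITI-72, client side: carry the access token as a Bearer token on the
    CA:FeX request."""
    return {**headers, "Authorization": f"Bearer {token}"}


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resource Server: check signature and expiry; return payload or None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:          # malformed base64/JSON or wrong number of parts
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def authorize_request(headers: dict, transaction: str, patient_id: str,
                      consent: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource Server: require ITI-72, enforce the token scope for the requested
    CA:FeX transaction, then apply a local consent policy (a policy beyond the
    Authorization Server's decision). `consent` is a constructed map of
    patient id -> set of transactions that patient permits."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing access token (ITI-72 required)"
    payload = verify_token(auth[len("Bearer "):], now)
    if payload is None:
        return False, "invalid or expired access token"
    required = TRANSACTION_SCOPE.get(transaction)
    if required is None:
        return False, f"unknown transaction {transaction}"
    if required not in payload.get("scope", "").split():
        return False, f"scope {required} not granted"
    if transaction not in consent.get(patient_id, set()):
        return False, "denied by local consent policy"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed walk-through: a Data Consumer searching for patient pat-1.
    req = build_token_request("CA:FeX-2", "consumer-app")
    token = issue_token([req["scope"]], req["client_id"])
    headers = incorporate_token({"Accept": "application/fhir+json"}, token)
    consent = {"pat-1": {"CA:FeX-2", "CA:FeX-3"}}
    print(authorize_request(headers, "CA:FeX-2", "pat-1", consent))
    print(authorize_request(headers, "CA:FeX-1", "pat-1", consent))
```

The Resource Server checks in the order the profile implies: presence of the token first, then its validity, then the scope the token actually grants against the transaction being attempted, and only then the local consent rule. Each denial names its reason so that an audit log can distinguish a missing token from a scope mismatch or a consent refusal.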
