I'm looking to implement a document repository (not to the extent of XDS). We could always roll our own service interface but are looking to instead leverage either the DocumentManifest or DocumentReference resource implemented in FHIR REST services using ASP.NET.

One thing we need to capture though is the identity of the submitter (a person). This service is called from other software that would handle authentication of users. We need a way for those applications to pass the identity of the submitting user to the rest service. That identity isn't modelled in the DocumentManifest or DocumentReference resources because the user uploading the document isn't an attribute of the document, it's metadata about the transaction.

Any suggestions on how we should best go about doing this? Should we use an extension, resource metadata or other approach?

Jeremy

1 Answer

Inbound, identity information for authorization purposes is normally conveyed in the HTTP header. On retrieval, information about who did what, when is generally conveyed in Provenance, though extensions can be used.

Lloyd McKenzie
  • Thanks. Are there specific headers for this? The HL7 RESTful API doesn't seem to list any headers being the basic information about verbs, url format and content type header. – Jeremy Mar 14 '17 at 04:25
  • How to do this is outside HL7's scope. If you want non-secure user identification, you can use the "From" header. If you want secure user identification/verification, you can use the Authentication header - there are a variety of protocols covering how to use the latter. If you want to be consistent with most FHIR systems, I'd look at the Smart on FHIR guidelines for using OAuth2 as that approach is supported by a large number of FHIR systems. – Lloyd McKenzie Mar 14 '17 at 16:29
  • We often use SOAP web services, which would use WS-Security, either with user/password or NTLM/Kerberos. In the HL7 world we typically haven't had to concern ourselves with identity, as communications happen within systems on the intranet. In this scenario we want to know the person performing the action. – Jeremy Mar 17 '17 at 16:22
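
One way to combine the two halves of the answer above in ASP.NET, as an added example that is not code from the question, the answer or any FHIR library: take the submitter from the already-authenticated principal (never from the unauthenticated "From" header) and record it in a Provenance resource that targets the stored DocumentReference. It assumes FHIR R4 element names, that the authentication middleware has validated the bearer token and kept the JWT claim names `sub` and `name`, and the class name, `issuerSystem` URI and sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;
using System.Text.RegularExpressions;

public static class SubmitterProvenance
{
    // Builds a FHIR R4 Provenance (as JSON) naming the authenticated user as
    // the "enterer" of a DocumentReference. Identity comes only from the
    // validated principal; client-supplied headers such as "From" are ignored.
    public static string Build(ClaimsPrincipal user, string documentReferenceId, string issuerSystem)
    {
        if (user?.Identity?.IsAuthenticated != true)
            throw new UnauthorizedAccessException("No authenticated submitter on the request.");

        // Assumption: claims keep their JWT names (no mapping to ClaimTypes.*).
        string subject = user.FindFirst("sub")?.Value
            ?? throw new UnauthorizedAccessException("Token carries no 'sub' claim.");
        string display = user.FindFirst("name")?.Value;

        // FHIR logical ids are 1-64 chars of [A-Za-z0-9-.]; reject anything else
        // so the id cannot alter the reference written into the audit record.
        if (!Regex.IsMatch(documentReferenceId ?? "", @"\A[A-Za-z0-9\-.]{1,64}\z"))
            throw new ArgumentException("Invalid FHIR id.", nameof(documentReferenceId));

        var who = new Dictionary<string, object>
        {
            ["identifier"] = new { system = issuerSystem, value = subject }
        };
        if (display != null) who["display"] = display;

        var type = new { coding = new[] { new {
            system = "http://terminology.hl7.org/CodeSystem/provenance-participant-type",
            code = "enterer" } } };

        var provenance = new Dictionary<string, object>
        {
            ["resourceType"] = "Provenance",
            ["target"] = new[] { new { reference = "DocumentReference/" + documentReferenceId } },
            ["recorded"] = DateTimeOffset.UtcNow.ToString("o"), // server time, not client-supplied
            ["agent"] = new[] { new { type, who } }
        };
        return JsonSerializer.Serialize(provenance, new JsonSerializerOptions { WriteIndented = true });
    }
}
```

In a controller this would be called with `User` after the DocumentReference has been stored, and the resulting Provenance saved alongside it so that the submitter is available on retrieval.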