Basic Audit Log Patterns (BALP)
1.1.3 - Trial-Implementation, International

This page is part of the IHE Basic Audit Log Patterns (BALP) (v1.1.3: Publication) based on FHIR (HL7® FHIR® Standard) R4. This is the current published version. For a full list of available versions, see the Directory of published versions.

Resource Profile: Basic AuditEvent pattern for when an activity was authorized by an IUA access token

Official URL: https://profiles.ihe.net/ITI/BALP/StructureDefinition/IHE.BasicAudit.OAUTHaccessTokenUse.Comprehensive
Version: 1.1.3
Active as of 2024-02-14
Computable Name: OAUTHaccessTokenUseComprehensive

A basic AuditEvent profile for when an activity was authorized by an IUA access token. This profile is expected to be used with some other detail that explains the activity. This profile only covers the IUA access token.

  • Given an activity has occurred
  • And OAuth is used to authorize (both app and user)
  • And the given activity is using http with the authorization: bearer mechanism
  • When an AuditEvent is recorded for the activity
  • Then that AuditEvent would follow this profile regarding recording the IUA access token details
  • note: this profile records minimal information from the IUA access token, which presumes that use of the AuditEvent at a later time will be able to resolve the given information.
  • client slice holds the application details
    • This is likely replicated in other slices, but is consistently identified as the Application slice for ease of tracking all events caused by this client
    • place the client_id into .who.identifier.value (system is not needed, but available if you have a system)
    • any network identification detail should be placed in .network (may be an IP address or a hostname)
  • oUser slice holds the user details
    • user id is recorded in the .who.identifier
    • user id is also recorded in .name so that it is more easily searched
    • if roles or purposeOfUse are known, record them here
    • the JWT ID is recorded in .policy, with the expectation that during audit analysis this ID can be looked up and dereferenced
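The two agent slices described above, built from the decoded claims of an IUA access token and then checked against the profile's cardinality and fixed-value constraints, as an added Python example (not code from the IHE publication). The claim names (client_id, iss, sub, jti, name), the helper names, and the requestor value on the client slice are assumptions.

```python
DCM = "http://dicom.nema.org/resources/ontology/DCM"
V3_PT = "http://terminology.hl7.org/CodeSystem/v3-ParticipationType"

def _has_code(agent, system, code):
    return any(c.get("system") == system and c.get("code") == code
               for c in agent.get("type", {}).get("coding", []))

def balp_agents(claims, client_ip=None):
    """Build the oClient and oUser agent slices from decoded token claims (hypothetical helper)."""
    client = {
        "type": {"coding": [{"system": DCM, "code": "110150"}]},  # DCM 110150 = Application
        "who": {"identifier": {"value": claims["client_id"]}},
        "requestor": False,  # required by base R4 AuditEvent, not fixed by this profile (assumption)
    }
    if client_ip:  # network detail belongs on the client slice only (oUser.network is 0..0)
        client["network"] = {"address": client_ip, "type": "2"}  # network.type 2 = IP address
    user = {
        "type": {"coding": [{"system": V3_PT, "code": "IRCP"}]},
        "who": {"identifier": {"system": claims["iss"], "value": claims["sub"]}},
        "requestor": True,  # fixed to true by the profile
        "policy": [claims["jti"]],  # jti, to be dereferenced at the issuer during analysis
    }
    if "name" in claims:  # user name in .who.display and duplicated in .name for searching
        user["who"]["display"] = user["name"] = claims["name"]
    return [client, user]

def check_balp_agents(agents):
    """Return the list of profile violations found in an AuditEvent.agent array."""
    problems = []
    clients = [a for a in agents if _has_code(a, DCM, "110150")]
    users = [a for a in agents if _has_code(a, V3_PT, "IRCP")]
    if len(clients) != 1 or len(users) > 1:
        problems.append("oClient must appear exactly once and oUser at most once")
    for a in clients:
        if not a.get("who", {}).get("identifier", {}).get("value"):
            problems.append("oClient.who.identifier.value (client_id) missing")
        if "media" in a:
            problems.append("oClient.media is prohibited (0..0)")
    for a in users:
        if "identifier" not in a.get("who", {}):
            problems.append("oUser.who.identifier missing")
        if a.get("requestor") is not True:
            problems.append("oUser.requestor must be true")
        if not a.get("policy"):
            problems.append("oUser.policy (jti) missing")
        problems += [f"oUser.{k} is prohibited (0..0)" for k in ("media", "network") if k in a]
    return problems

# Constructed claims of an imaginary token, not a real token
SAMPLE = {"client_id": "app-123", "iss": "https://idp.example.org", "sub": "drjones", "jti": "e3a1-42", "name": "Dr Jones"}
```

Running check_balp_agents over the agent array of recorded AuditEvents is a cheap way to catch a logging component that drops the jti or puts network details on the user slice.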

Formal Views of Profile Content

This structure is derived from AuditEvent

Name | Flags | Card. | Type | Description & Constraints
.. AuditEvent | | 0..* | AuditEvent | Event record kept for security purposes
... Slices for agent | | 1..* | BackboneElement | Actor involved in the event. Slice: Unordered, Open by pattern:type
.... agent:oClient | | 1..1 | BackboneElement | Actor involved in the event
..... type | | 1..1 | CodeableConcept | How agent participated. Required Pattern: At least the following
...... coding | | 1..* | Coding | Code defined by a terminology system. Fixed Value: (complex)
....... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://dicom.nema.org/resources/ontology/DCM
....... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: 110150
..... who | | 1..1 | Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) | client identifier
...... identifier | | 1..1 | Identifier | Logical reference, when literal reference is not known
....... value | | 1..1 | string | Token client ID (client_id)
..... media | | 0..0 | |
..... network | S | 0..1 | BackboneElement | The client as known by TCP connection information
.... agent:oUser | | 0..1 | BackboneElement | Actor involved in the event
..... type | | 1..1 | CodeableConcept | How agent participated. Required Pattern: At least the following
...... coding | | 1..* | Coding | Code defined by a terminology system. Fixed Value: (complex)
....... system | | 1..1 | uri | Identity of the terminology system. Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
....... code | | 1..1 | code | Symbol in syntax defined by the system. Fixed Value: IRCP
..... role | S | 0..* | CodeableConcept | Agent role in the event
..... who | | 1..1 | Reference(PractitionerRole | Practitioner | Organization | Device | Patient | RelatedPerson) | May be a Resource, but likely just an identifier from the OAuth token
...... identifier | | 1..1 | Identifier | Logical reference, when literal reference is not known
....... system | S | 0..1 | uri | Token Issuer (TOKEN_ISSUER)
....... value | S | 0..1 | string | User ID (USER_ID)
...... display | S | 0..1 | string | User Name (USER_NAME)
..... name | S | 0..1 | string | User Name (USER_NAME)
..... requestor | | 1..1 | boolean | Whether user is initiator. Required Pattern: true
..... policy | | 1..1 | uri | jti (JWT ID)
..... media | | 0..0 | |
..... network | | 0..0 | |
..... purposeOfUse | S | 0..* | CodeableConcept | Reason given for this user

Flags: S = Must Support


Other representations of profile: CSV, Excel, Schematron