Refactor Authorization Framework Specification

=Issue: Authorization Framework NIEM Refactoring=

Problem Statement:
Move existing Auth Framework 2010 Production Spec into the new NIEM packaging format. This priority for our workgroup was set directly by Dr. Fridsma. The purpose of this is to test and rationalize the NIEM packaging process for our Nationwide Health Information Network Exchange use.

Motivation:
Why are we doing this? The current format of creating Word-document or PDF-document based specifications is inadequate. We need a method of determining traceability from the various drivers (Meaningful Use, HIPAA, etc.) to implemented features.

Methodology:
First identify the target audiences and their needs. Others have suggested a bottom-up approach that starts from the content itself.

Target Audiences:
Identify delta in audiences between the overall Nationwide Health Information Network spec factory

1a) Nationwide Health Information Network Specification Implementers, technical leads, architects, software engineers (SOAP stack vendors?)
> Definition: Those actually creating new source code to stand up services interfaces and the Nationwide Health Information Network Exchange profiles
> Needs to know how to create Nationwide Health Information Network Exchange services interfaces, leveraging a SOAP stack, SAML security header, attributes, WS-I, WS-Basic Security, OASIS SAML, WS-Trust, WS-Security Policy, WS-Policy, working examples (new ref implementation)
> Examples: CONNECT team, IBM, Medicity, VA, Oracle's SOAP Stack
> Useful Artifacts: Flow diagrams are a key artifact, Word spec, links to relevant industry articles, WSDLs and schema, models (content payloads, RIM, ER). Are BPML or BPEL models of use to this target audience? **Need to question the audience to confirm.** Need to get updates from Ed on what his models can create. Bob Y will have Dave Carlston (from the VA), for the Open Health Tools. Perhaps have him present to the overall Spec Factory!
 * **Primary Target Audience**

> Concise source code examples
>> **Decision: Focus only on the primary target audience.**
>> **Include active links**
>> **Need a liaison to other SDOs to obtain permissions to use their artifacts**
>> **What's the scope? For now, it has been proposed that this is limited to Auth Framework, but others would probably adopt the same format in the future.**
>> **Decision: The ref implementation section of this package will be pointers (URIs).**

1b) Stack vendors (may be the same audience as 1a)
> Definition: The organizations that create various general-purpose SOAP stacks
> Need to know how to support the Nationwide Health Information Network specs and applicable FIPS requirements, so that others can build Nationwide Health Information Network Exchange services interfaces utilizing that stack
> Example: Stack vendors (Sun Metro, Microsoft .NET, others)
> This audience is under active debate
> **--- It has been suggested that this audience be collapsed into the primary audience**

Secondary

2) Configuration/Deployment Teams
> Definition: An organization pulling down a Nationwide Health Information Network gateway and doing builds, configuration, and operational management.
> Example: Each SSA office will have a deployment team, Wright State
> Deployment instructions, with reference to validation and testing
> Troubleshooting guide, FAQ

3) Enterprise Security Architects
> Roles: Security Officer, IT Network Architects, certain Software Engineers, Chief Security Officer
> Definition: An enterprise position; wants to know the impact of this project on their overall IT security architecture
> Example:
>> Flow diagrams, version dependencies (like SAML version)

4) Specification Compliance Testers
> Definition: Individuals seeking to validate compliance with the Auth Framework, profiles, exchange partner expectations, etc. Act as the proxy for the Enterprise Security Architects. ONC on-boarding team.
> Example: Joe
> Validation and testing harness

Pen testers (perhaps)
> Need the full spec of the architecture of the implementation, not just the Nationwide Health Information Network Exchange services specs
> Have a mandate from the Enterprise Security Architecture role

5) Legal Policy Teams
> Roles: Privacy Officer, HIPAA, DURSA legal team, HIT PC, State HHS boards, Technical and Policy WG
> Definition:
> Example:
>> Five-page whitepaper, license, full technical specification in Word format

----
Bar: These target audiences may be of value to target, but we are not addressing them at this point due to capacity constraints. Also, these audiences are probably best addressed at higher workgroup levels. Point to the overall higher-level Nationwide Health Information Network Exchange architectural overview documents.

6) CIOs
> Example
> Five-page white paper

7) SDOs
> Example

8) Business people (Clinicians)
> Example

Prototypes

|| **Date** || **File** || **Status** || **Description/Change Log** ||
|| 2011-03-07 || [[file:IEPD-Approved-for-Production-Use-Draft-v005.zip]] || Draft || Reviewed with Spec Factory interested participants. Added "By Project" organizational structure. ||
|| 2011-03-07 || [[file:IEPD-Approved-for-Production-Use-Draft-v004.zip]] || Draft || Finalized structure. Editorial changes. Ready for the Deloitte team to produce the official 2011 Q1 package. ||
|| 2011-01-13 || [[file:IEPD-Approved-for-Production-Use-Draft-v003.zip]] || Incomplete prototype || Moved most content from the main HTML landing page to a secondary page. Cleaned up structure visually. Many editorial changes. Not approved for distribution. ||
|| 2010-12-06 || [[file:IEPD-Approved-for-Production-Use-Draft-v001.zip]] || Incomplete prototype || Removed structure for all workflow steps but Approved for Production Use. Added a change log near the end of the read-me.html file. Cleaned up physical file structure. This package only contains current specs; needs other artifact types such as models. Not approved for distribution. ||
|| 2010-12-06 || [[file:IEPD-v001.zip]] || Incomplete prototype || First posted version. Has 5 taxonomies. Navigate to the HTML file in the root with your browser to view this prototype's structure. Only contains current specs. Needs other artifact types. Not approved for distribution. ||

New issue: How will the artifacts be change managed, posted for users, versioned, etc? Would it be wise to have a registry of packages and versions?

**Meetings**
__2011-02-28 Tcon__

Proposed Agenda:

__2010-2-16 Tcon - Security and Privacy Workgroup, Spec Refactoring Subworkgroup__

Proposed Agenda:
 * Created draft package, with expectation that it can be changed
 * Benson update on ONC input
 * Discuss next steps

Benson Chang - ONC feedback on IEPD Package
 * Meeting with Dr. Fridsma
 * Dr. Fridsma likes aspects of the package
 * However, there has been little insertion of direct NIEM resources into S&I Framework Initiatives and Exchange
 * Need to identify where NIEM and S&I artifacts intersect
 * Given go ahead to define a useful package in the interim of NIEM guidance
 * Only requirement is that we don’t call it an ‘IEPD’
 * Up to us to come up with what is doable between now and the March 31st publication date
 * Make sure that we have a good consensus based framework for the package by March 11
 * Give time to get specs into package for publication on the ONC website

There are some changes that will be reviewed at the next NTC meeting and then put into the package:
 * QfD and Retrieve (editorial changes)
 * Doc Submission and PQRI (extensive changes)
 * The NCC will be looking at materiality concurrently

Approaches for developing the package
 * Approach 1 – create a number of packages (each surrounding a profile)
 * Approach 2 – create a single package
 * Members on the call agree on Approach 2
 * Over time there might be some scalability issues if the entire history is stored in the package

There should be 3 packages:
 * Package 1: current snapshot of latest approved documents
 * Package 2: everything that was approved but is now superseded
 * Package 3: work in process

Next Steps
 * What the workgroup needs to do is create a definition of the structure of the content, not the content itself
 * Deloitte will insert the latest specs into the package
 * Goal for March 31 is to create Package 1, then try to do the other packages in the future
 * Quorum was not achieved on this call
 * Action Item: write up our recommendation
 * Put out a call for comment on whether this is the correct approach
 * Include in the agenda for the next all hands

Karen Witting –
 * Workgroup was not informed that updates for Doc Submission and PQRI were up for review
 * Benson – Matt Weaver was the lead on the changes; they were updating the spec based on problems faced during implementation
 * Karen – Worked with Matt several months ago; are these the same updates?
 * Benson – Possibly; the NTC had not been meeting for several months; will invite Matt to the next workgroup meeting

__2010-12-06 Tcon - Security and Privacy Workgroup, Spec Refactoring Subworkgroup__
Agenda:
> Roll – 1 min
> Goals
> Agenda
> Round table –
>> Any new topics?
> Recap plan for next week – 1 min
 * -Dan Vigano
 * -Benson Chang
 * -Monalee
 * Tom Davidson
 * David Morris
 * Wendy Laposata
 * Jeff Tunkel
 * Ed Monjay
 * Gee Chia
 * Laure Tull
 * David Roberts
 * -George Varghese
 * -Amram Ewoo
 * -Greg Fairnak
 * -Sandy Stuart
 * Scott Robertson
 * Mike Nenashev
 * -Monlee Vyas
 * -Giui
 * -Kanwarpreet Sethi
 * Junli Liu
 * Tom Davidson
 * Anjali
 * -John Donnelly
 * Kenneth Salyards
 * Serafina Versagge
 * -Chuck Hagen
 * Joe Lamy
 * Mike Mnfhev
 * John Moehrke
 * -Eric Heflin
 * Suno Kim
 * Les Westburg
 * -Karen Witting
 * -George Varghese
 * -Michael Nenashev
 * Create and upload IEPD-v001.zip file
 * Review the new prototype - Eric
 * Ask for guidance from the group on 'leaf level' structures
 * Identify new taxonomies - All
 * Identify missing content - All
 * If appropriate, ask for approval for this prototype - All

Discussion: Today we reviewed the current draft IEPD-v001.zip file. Overall positive feedback. Decided to create 4 zip files, one for each major work flow step ("Approved for Production Use", "Approved for Pilot Use", "Work in Process", and "Archive").

Question was raised: When should something be moved from current to archive? Decided that it would be a function of a (future) Nationwide Health Information Network Exchange work flow that is not yet defined, and that once a given specification or related artifact is no longer appropriate for either current or pilot use, it should be moved to archive. When and if the Nationwide Health Information Network Exchange defines its version upgrade strategy, and a related sun-setting process, the IEPD package work flow steps may need to be modified to reflect the officially approved Nationwide Health Information Network Exchange work flow.

Next: Eric will update the package to reflect today's call and post again today.

__2010-11-29 Tcon - Security and Privacy Workgroup, Spec Refactoring Subworkgroup__
Proposed Agenda:
> Roll – 1 min
> Goals
> Agenda
> Round table –
>> Any new topics?
> Recap plan for next week – 1 min
 * Tom Davidson
 * David Morris
 * Wendy Laposata
 * Jeff Tunkel
 * Ed Monjay
 * Gee Chia
 * Laure Tull
 * David Roberts
 * George Varghese
 * - Amram Ewoo
 * Sandy Stuart
 * Scott Robertson
 * -Mike Nenashev
 * -Monlee Vyas
 * -Giui
 * -Kanwarpreet Sethi
 * Junli Liu
 * Tom D
 * Anjali
 * John Donnelly
 * Kenneth Salyards
 * Serafina Versagge
 * Chuck Hagen
 * Joe Lamy
 * Mike Mnfhev
 * John Moehrke
 * Eric Heflin
 * Suno Kim
 * -Les Westburg
 * Karen W
 * Identify structure(s) of package that will be published
 * Create and upload IEPD.zip file
 * Identify requirements for tools team
 * Discuss new taxonomy concept - Eric
 * Identify new taxonomies - All
 * Create initial versions of each taxonomy

Discussion: Reviewed the taxonomies. Discussed the idea of using the Wiki for the official specs, vs. using something like a Word document. Although Wikis have some compelling features, the overall group feels that maintaining the artifacts in Office or a similar format is preferable due to portability, change management, and "single authoritative source" concerns.

__2010-11-01 Tcon - Security and Privacy Workgroup, Spec Refactoring Subworkgroup__
Proposed Agenda:
> Roll – 1 min
> Goals
> Agenda
> Round table –
>> Any new topics?
> Recap plan for next week – 1 min
 * Tom Davidson
 * David Morris
 * Wendy Laposata
 * Jeff Tunkel
 * - Ed Monjay
 * Gee Chia
 * Laure Tull
 * David Roberts
 * George Varghese
 * Amram Ewoo
 * Sandy Stuart
 * Scott Robertson
 * Junli Liu
 * -Tom D
 * Anjali
 * John Donnelly
 * Kenneth Salyards
 * Serafina Versagge
 * Chuck Hagen
 * Joe Lamy
 * Mike Mnfhev
 * John Moehrke
 * Eric Heflin
 * -Suno Kim
 * -Les Westburg
 * -Karen W
 * Identify structure(s) of package that will be published
 * Create and upload IEPD.zip file
 * Identify requirements for tools team
 * Discuss new taxonomy concept - Eric
 * Identify new taxonomies - All
 * Create initial versions of each taxonomy

Meeting notes:

Eric is proposing to abstract the physical layer from the logical layer for the IEPD package. See IEPD Taxonomy for the current work in this regard. The benefit to this approach is that multiple methods of navigation can be supported simultaneously.

__2010-11-01 Tcon - Security and Privacy Workgroup, Spec Refactoring Subworkgroup__
Agenda:
> Roll – 1 min
> Goals
> Round table –
>> Any new topics?
> Recap plan for next week – 1 min
 * Tom Davidson
 * - David Morris
 * Wendy Laposata
 * Jeff Tunkel
 * - Ed Monjay
 * - Gee Chia
 * Laure Tull
 * David Roberts
 * - George Varghese
 * - Amram Ewoo
 * Sandy Stuart
 * Scott Robertson
 * - Junli Liu
 * - Anjali
 * - John Donnelly
 * - Kenneth Salyards
 * - Serafina Versagge
 * Chuck Hagen
 * Joe Lamy
 * - Mike Mnfhev
 * - John Moehrke
 * - Eric Heflin
 * Identify structure of package that will be published
 * Create and upload IEPD.zip file
 * Identify requirements for tools team

Meeting notes:

__2010-10-18 Tcon__ Web meeting
Agenda:
> Roll
> Quick status update (since last tcon)
> Confirmation of the target audience - Eric/Rich/All
> Review of updated models - Ed M
> Decision on IEPD folder structure - All
> Need to define the workflow (and an associated engine?)
> Decision on location of models in package - All
> What artifacts are of interest?
> Need to include a change log esp. for breaking or substantive changes
> Tools group requests
> Round table - All
> Recap plan for next week – 1 min
 * Jeff Peacock
 * Ed Monjay
 * Wendy Laposata
 * Chuck H
 * Tom Davidson
 * Eric Heflin
 * Jeff Tonkel
 * Amram
 * Lincoln
 * Dave C
 * Decided to focus on primary target audience only for first phase
 * Bob Y advises that we can send requirements to Kevin P for assistance (tools esp. such as change management)
 * Question: Do stack vendors have different needs than implementers?
 * Physical package structure can/will be different from the logical structure
 * Chronologically
 * Workflow ordered (approved status, work in process status, pub status)
 * Version
 * Implementation status
 * Model driven specifications (for doc generation)
 * Versioning issues
 * Change mgmt issues

__2010-10-11 Tcon__ Web meeting __https://medicity.webex.com/medicity/e.php?AT=WMI&EventID=141179657&RT=MiM1__
Agenda:
> Roll
> Quick status update (since last tcon)
> Confirmation of the target audience - Eric/Rich/All
> Review of updated models - Ed M
> Decision on IEPD folder structure - All
> Decision on location of models in package - All
> What artifacts are of interest?
> Need to include a change log esp. for breaking or substantive changes
> Versioning issues
> Change mgmt issues
> Round table - All
> Recap plan for next week – 1 min
 * Tom D
 * Karen W
 * Wendy Laposata
 * Jeff Tunkel
 * Dave Colebert
 * Monalee
 * Bob Yencha
 * Eric Heflin
 * Presented the proposed audience definitions and package structure to the Info Services team;
 * Received generally positive feedback about our direction, esp. the draft package.
 * Not convinced about using an audience-centric approach
 * Not in agreement that stack vendors should/would read Nationwide Health Information Network specs
 * Karen suggests focusing on the key audience for the first phase
 * Definitions
 * Examples (real people if possible)
 * Needs
 * What's above the bar (of those initially targeted)?
 * Outstanding issue: Do stack vendors have different needs than implementers?
 * Model driven specifications (for doc generation)

__2010-10-03 Tcon__
Agenda (copied from main sec and priv page):
> Confirmation of the target audience - Eric/Rich/All
> Review of updated models - Ed - Postponed
> Decision on IEPD folder structure - All
> Decision on location of models in package - All
> What artifacts are of interest?
> Need to include a change log esp. for breaking or substantive changes
> Versioning issues
> A suggestion was made to use a Debian-like virtual package for overall Nationwide Health Information Network
> Change mgmt issues
> Creating documentation content backlog - All
> Documenting each SAML attribute better - Eric
> Roundtable - All
> Recap plan for next week – 1 min
 * Model driven specifications (for doc generation)

Rich will take the target audience definitions to the Nationwide Health Information Network governance body. Tony M suggests vendors be involved. Bob suggested a topic-focused or role-based approach. John D to specify actor (IHE technical actor) names. A suggestion was made to use a Debian-like virtual package for the overall Nationwide Health Information Network.

Status
In Process (50% complete)

Proposed Solution
As a brainstorming exercise, below please find a proposed manifest and directory (folder) structure of the new Authorization Framework NIEM Package.

Package Metadata
 * Package unique name
 * Maintainer
 * Version
 * Description
 * Dependencies
 * More TBD

Questions
Q: Do we have a target audience for each spec, each workgroup, or just the entire Nationwide Health Information Network Exchange Spec Factory?
A: The entire spec factory for now.
Q: Will the ONC provide some type of delivery search tool for documentation?
A: In the future, they may. But not for now.
Q: What will the specification creators, editors, and reviewers use for content authoring?
A: Word/OpenOffice and native XML tools.
Q: What will the content delivery format or formats be?
A: Word, PDF, XML primarily.

To Do
 * Reach out to the target audience groups and ask for their requirements and participation
 * Determine a release cycle (perhaps monthly iterations, and quarterly releases)
 * Determine how each audience can traverse the IEPD
 * Do we need a change management system (like SVN)? **The ONC hopes to provide a change management tool.**

Possible Resolution (Brainstorming)

|| Approach Number (in no particular order) || Brief Description || Detailed Description || Pros || Cons || Ranking ||
|| 1 || No change to the Nationwide Health Information Network-E specs or operational procedures || Not an option. This request comes directly from the ONC || - No Nationwide Health Information Network Exchange specification changes || - N/A || Low ||
|| 2 || Model-only approach || It has been suggested that various models essentially become the specification. || - Highly computable || - Not consumable by all identified target audiences || Medium ||
|| 3 || Multiple artifact approach || Provide a package with artifacts meeting the needs of each target audience || - Largely ensures access to the specifications || - Potentially 3x or 10x more effort to create a specification || High ||

Next Steps
Working sessions with the Spec Factory and Security and Privacy Workgroup and other stakeholders such as the CONNECT team to create, and vote on, a proposed solution.

Contributors
Dan Vigano, Benson Chang, Tom Davidson, David Morris, Wendy Laposata, Jeff Tunkel, Ed Monjay, Gee Chia, Laure Tull, David Roberts, George Varghese, Amram Ewoo, Greg Fairnak, Sandy Stuart, Scott Robertson, Mike Nenashev, Monlee Vyas, Kanwarpreet Sethi, Junli Liu, Anjali, John Donnelly, Kenneth Salyards, Serafina Versagge, Chuck Hagen, Joe Lamy, John Moehrke, Suno Kim, Les Westburg, Karen Witting, Michael Nenashev, Eric Heflin