Authorization Framework Page 2

2.1 Definition
 * The Authorization Framework defines the exchange of metadata used to characterize the initiator of an NHIN request so that it may be evaluated by responding NHIOs in local authorization decisions.
Along with the Messaging Platform, this specification forms the NHIN’s messaging, security, and privacy foundation. It employs SAML 2.0 assertions. The purpose of this exchange is to provide the responder with the information needed to make an authorization decision for the requested function. Each initiating message must convey information regarding end user attributes and authentication using SAML 2.0 assertions. Note that the term “subject” in SAML and XACML refers to the individual making the request. In this specification, the term “User” is generally used with the same meaning, but when referring to attributes defined in SAML or XACML, the naming convention of the standard is retained.

2.1.1 Request Definition
NHIN requests are defined by the applicable service interface, the interface operation, and the identity of the record target (unambiguous person identity in the responding NHIO, when known).

2.1.2 Identity of the Record Target
In most NHIN requests, Patient Discovery being a notable exception, the record target is the unambiguous person identity in the responding NHIO. The assertion contained in the Authorization Framework declares that the initiating user is authorized by the initiating NHIO to access information about this person. It is also required for HIPAA Privacy Disclosure Accounting.

2.2 Design Principles and Assumptions
The following assumptions or design principles underlie this specification:
 * All inter-node requests on the NHIN must utilize the Authorization Framework.
 * There is not assumed to be Cross Provisioning of users between NHIOs.
 * The initiating NHIO is required to and is responsible for the authentication and authorization of its users. Refer to Local Accountability, as described in section 1.3 of this specification.
 * The responding NHIO uses the information conveyed via the Authorization Framework to inform its local authorization decision. Refer to Local Autonomy, as described in section 1.3 of this specification.
 * NHIO architectures are decoupled and externally opaque. While each NHIO must conform to the NHIN messaging, security, and privacy foundations for inter-NHIO transactions, internal security mechanisms and standards are to be defined by each NHIO.
 * The initiating NHIO must include all REQUIRED attributes in each request. It is at the discretion of the receiving NHIO to decide which attributes to consider in its local authorization decision.
 * The assertion attribute definitions specified in this document are not intended to be an exhaustive and restrictive list of attributes that may be specified in the SAML assertions. Additionally, this document recognizes that some integration profiles may have a need for custom assertion statements, and does not preclude their use.
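As an added illustration of sections 2.1 and 2.2 (example code, not part of the NHIN specification): a minimal responder-side check that a received SAML 2.0 assertion carries a Subject, an authentication statement and an attribute statement, and that the responder's own list of REQUIRED attribute names is present before its local authorization decision runs. The sample assertion, issuer and attribute names are constructed for illustration; the page does not list the NHIN attribute names, so the caller supplies them.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed sample assertion (not a real NHIN message; attribute names are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:Issuer>https://initiating-nhio.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>clinician@initiating-nhio.example</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2009-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:subject:organization">
      <saml:AttributeValue>Initiating NHIO</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:subject:role">
      <saml:AttributeValue>Physician</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (subject NameID, AuthnContextClassRef, {attribute name: [values]}).

    Signature verification is deliberately out of scope; a responder must validate
    the XML signature (and prefer a hardened parser such as defusedxml) before
    trusting anything extracted here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 Assertion")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    authn = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    if subject is None or authn is None:
        raise ValueError("assertion lacks Subject or AuthnStatement")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", namespaces=NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, authn, attrs


def missing_required(attrs, required):
    """Names from the responder's REQUIRED list that the assertion does not carry."""
    return [name for name in required if name not in attrs]
```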

2.3 Triggers
The NHIN Authorization Framework is central to the messaging, security, and privacy foundation. All NHIN requests must conform to this specification.

2.4 Transaction Standard
The NHIN Authorization Framework is based on the Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0, the Authentication Context for SAML V2.0, the Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of SAML for Healthcare Version 1.0 and the OASIS Web Services Security: SAML Token Profile 1.1 specifications.