locked
Access to records that have been shared RRS feed

  • Question

  • I have some questions regarding access to shared records in HealthVault.  I have done some investigation into this area and I think I understand how it works, but I wanted to make sure

     

    I've been playing with the Health and Fitness example to try and figure this out.  Here is what I have seen so far - please let me know if any of these are incorrect:

    • If the “isMRA=True” parameter has been passed to HealthVault when logging in, you will be allowed to select one or more HV record(s) that you can grant the application permission to work with (checkboxes appear instead of radio buttons)
    • In addition to the self record associated with your Live ID, any additional records you have created in HV under your Live ID will be displayed in the list of possible records on the permissions page.  Since you created the additional records, you are a custodian of those records, and thus have full access to them.
    • If another user has shared their HV record with you, the only way that record will show up on your list of possible records on the permission page is if the other user granted you Custodian access.  (At least that's what I saw with Health and Fitness) If you now grant the application access to the shared record, the data in that record can be manipulated by the application, even if the person who shared it with you has not granted permission to that application.

    When playing with the Health and Fitness example, I noticed that the shared HV record shows up on the PersonInfo.AuthorizedRecords collection, even though I did not select that record on the permissions page.  Is this correct behavior? 

     

    Also, I tried sharing the record with View/Modify permissions, but not Custodian.  The shared record did not appear on the permissions page, but did appear in AuthorizedRecords.  In Health and Fitness, I was able to select the shared record within the application, but received an "access denied" error when trying to fetch health record items for that record.

     

    Thanks for looking this over and providing any feedback!

    Monday, January 7, 2008 7:20 PM

Answers

  • We found the issue and are making a short-term fix to the base auth for these two sample apps.  That should get you moving ahead.  The same configuration problem may exist for other apps but it will take a bit longer to get those fixed up.  We are also working on a fix to make us a little more resilient to these sort of configuration problems.

     

    You should be able to try out the scenario later tonight or tomorrow.

     

    Jeff Jones

    Thursday, May 15, 2008 12:47 AM

All replies

  • This looks like it could be a bug.  The expected behavior for "ismra=true" is as follows:

    1. The AppAuth page should show all records that meet the minimum requirements for the application that you have been granted rights to.  You should not be required to be the custodian. So, for example, if an app has base online auth XML that requires Create, Read, Update, and Delete rights on Allergy things. You have your Self record for which you are a custodian and full rights, and Joe has shared his record to you with Read access to all thing types. Then you will only see your Self record on the AppAuth page because you have not been give Create, Update, and Delete rights on Joe's record.
    2. Only those records which you have given the app rights to should show up in the AuthorizedRecords collection. This is where I think the bug is.

    We are looking into the issue. Thanks for reporting it.

     

    Jeff Jones

     

    Monday, January 7, 2008 11:07 PM
  • Hi

     

    I'm still seeing this issue.  Unless I share a record with Custodian access, I cannot select that record

    when running the Health and Fitness SDK sample.  I tried sharing the record with read/write access to

    ALL data types, and still the record cannot be selected from the sample application (and our own IsMra

    application).

     

    Can you verify whether or not this issue was supposed to be addressed?

     

    Thanks,

    Mark

     

    Thursday, May 1, 2008 5:47 PM
  • I am also facing the same issue.

    I don't see the records for which I have "view" or "view and edit" access on the permissions page.
    Only the records for which I have "custodian" level access appear on the permissions page.

    I am thus unable to give access to my application to view data of the records for which I have 
    "view" or "view and edit" access.

    Here's is what I tried:

    1. I have two accounts Patient1 and Patient3 with one record each.
    2. I logged into HV Browser using Patient1 and invited Patient3 with "view and edit" role.
    3. Patient3 approves the invitation and Patient1 appears in Sharing info the record of Patient1
    3. I logged into Patient3 and from the Programs I removed access for my application for all the records so as to be able to see the permission page when I login from my application

    4. When I login from my application using Patient3 I am taken to the permissions page but that showed only Patient3's record. It should have shown Patient1's record also (i see this record when I login to HV Browser)

    5. Logged in to HV Browser using Patient1 and made Patient3 "custodian" of Patient1's record from "view and edit"
    6. Now when I logged in from my application using Patient3 (as step 4 above), on the permissions page I could see both patient3's self record and patient1's record, which patient3 is custodian of.

    Looks like a bug to me.
    Let me know if I have missed something.


    Thursday, May 8, 2008 3:23 AM
  •  

    I had a similiar question posted sometime back

     

    http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=2993732&SiteID=1

     

     

    But the answer seem to suggest (I am still not very sure) that if U1 gives U2 permissions to read write (as against custodian) his record, U2 still cannot access U1's record thru the application A1.

     

    Since this is a very common scenario, any clarity on expected behaviour from the dev team (and if there is a bug) will greatly help. 

     

    Thanks

     

    Rajesh

    Saturday, May 10, 2008 10:43 AM
  • Sorry.  I've been out for a little while.  I'm looking into it now.

     

    Jeff Jones

    Monday, May 12, 2008 3:56 PM
  • We found the issue and are making a short-term fix to the base auth for these two sample apps.  That should get you moving ahead.  The same configuration problem may exist for other apps but it will take a bit longer to get those fixed up.  We are also working on a fix to make us a little more resilient to these sort of configuration problems.

     

    You should be able to try out the scenario later tonight or tomorrow.

     

    Jeff Jones

    Thursday, May 15, 2008 12:47 AM
  • I tried this today (22nd May) on dev server (https://account.healthvault-ppe.com/) but this didn't work.
    Can you please confirm that the hotfix has been applied ?

    I simply shared a record of A to B in "view information" role and was expecting it to show in the Authorized Records list of B (after the invitation was accepted) but it didn't show up.


    Friday, May 23, 2008 2:39 AM