none
Can I have fine-grained user permissions dictate access levels to a record that is being accessed through an application? RRS feed

  • Question

  • I am looking into using a HealthVault app to allow multiple people access to a single person's record, but for each of those people to have different access levels. Think multiple caregivers for a child. For instance, there will of course be a custodian that can do anything with that person's record, but additionally, there may be other caregivers that have different access to the record depending on their caregiving role. So Caregiver1 may need read access to data types A, B, and C and update access to types D, E, and F, while Caregiver2 may only need read access to types A-F. I am looking at using online access.

    I have not found specific documentation that says so (not sure if it's out there and I just missed it or what), but what I *assume* (and please correct me if I am wrong) is that if a user gives the app all update rights to, say, types A-F for a record, then if that record is shared with Caregiver1, and Caregiver1 accesses the record using the app (maybe it's more appropriate to say that the app accesses the record on behalf of Caregiver1), then HealthVault uses the more restrictive permissions -- still only giving read access to types A-C, since Caregiver1 does not have write access to types A-C. Is that correct?

    Following up on that, is there actually a way for a custodian to share access to a record with that level of granularity? From what I've seen so far on the web site, a custodian can only make a single rule when sharing with another user that applies one access type to a group of record types, and I don't see a way to give a different access type to a different group of record types. Am I missing something here?

    Basically, is there a way, using only online permissions, for an app to access a record on behalf of different people and have its permissions be dictated by what permissions the accessing user has in a fine-grained manner?

    Help would be much appreciated, and feel free to ask for clarifications!

    Wednesday, March 6, 2013 4:00 PM

Answers

  • There are only 3 levels of access granularity that is currently supported for sharing a record: view, view and modify, and custodian. You can pick and choose the data types you want to grant access: but you can't have multiple levels of access for group of data types. You may have already seen the documentation here.


    Wednesday, March 6, 2013 5:33 PM
  • The problem you will encounter is that your app cannot ask for ALL permissions as required.  During the app auth process, the user can only authorize applications that it has enough permissions to on the record. For example say your app wants:

    Weight, BP, Height, Meds.  And the record was only shared with Weight, and Height permissions. During the app auth process, that record will not be able to be used for that app.

    To work around a situation like this your application will need to use optional auth. Might not be the best article but here's a start

    http://msdn.microsoft.com/en-us/healthvault/cc539985.aspx

    • Marked as answer by bleeattech Wednesday, March 6, 2013 7:14 PM
    Wednesday, March 6, 2013 5:36 PM

All replies

  • There are only 3 levels of access granularity that is currently supported for sharing a record: view, view and modify, and custodian. You can pick and choose the data types you want to grant access: but you can't have multiple levels of access for group of data types. You may have already seen the documentation here.


    Wednesday, March 6, 2013 5:33 PM
  • The problem you will encounter is that your app cannot ask for ALL permissions as required.  During the app auth process, the user can only authorize applications that it has enough permissions to on the record. For example say your app wants:

    Weight, BP, Height, Meds.  And the record was only shared with Weight, and Height permissions. During the app auth process, that record will not be able to be used for that app.

    To work around a situation like this your application will need to use optional auth. Might not be the best article but here's a start

    http://msdn.microsoft.com/en-us/healthvault/cc539985.aspx

    • Marked as answer by bleeattech Wednesday, March 6, 2013 7:14 PM
    Wednesday, March 6, 2013 5:36 PM
  • Yeah, I saw that was was really hoping I'd missed something or maybe there was some other approach I could take.... :/ Thanks, though.
    Wednesday, March 6, 2013 7:12 PM