
Privacy Enforcement

The Open Immunize IMS has been designed to protect PHI (protected health information). This is done via a flexible access control system based loosely on XACML concepts: a policy enforcement point (PEP) asks a policy decision point (PDP) whether a principal may see a piece of data, and the PDP may consult a policy information point (PIP) for details about a policy. OpenIZ's plugin model allows third party access control schemes to be substituted; the general call structure of the default scheme is illustrated below:

  1. An external service (such as a message handler, workflow, forecasting process, etc.) requests disclosure of a piece of information from the data store. Any such piece of protected data is known as a securable.
  2. The data persistence service retrieves the data from the data persistence store.
  3. The data persistence service fires the Queried or Retrieved event, to which a policy enforcement provider subscribes.
  4. The PEP calls the policy decision service configured in the IMS' application context. The policy decision provider uses the current authorization context (i.e. the security principal in the current request pipeline) to evaluate each policy attached to the securable and combines the results into a single "most restrictive" decision: one DENY outweighs any number of ELEVATE or GRANT results, and one ELEVATE outweighs any number of GRANTs.
  5. If the PDP has reached a GRANT or ELEVATE decision on a policy identifier, it may contact the policy information provider to retrieve additional information about that policy and confirm that elevation or grant is actually permitted.
  6. The policy enforcement service uses the final decision to filter or censor the results before they are returned to the caller. Note that enforcement happens after the data has been retrieved, so the persistence layer itself is not the trust boundary; the PEP subscription is.


There are three outcomes of a policy decision:

  • Deny – The Policy Decision Point has determined that the current user principal DOES NOT HAVE sufficient rights to access the requested securable. The enforcement point removes the result from the result set.
  • Elevate – The Policy Decision Point has determined that the current user principal WOULD HAVE access to the securable if they were to elevate their current session. This decision is equivalent to the Microsoft Windows User Account Control (UAC) prompt and can be used by consumers to ask the client to re-authenticate with a different purpose of use, under a different credential, with a second level password, two factor authentication, or whatever on-site policy requires. Until that happens the securable is withheld just as it would be for a Deny.
  • Grant – The Policy Decision Point has determined that the user principal has sufficient authorization to access the requested securable object, and it is returned unchanged.
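The following is an added illustration of the call structure and the three outcomes described above. It is not OpenIZ code: the policy identifiers (`urn:example:policy:...`), the `Record` and `Principal` types, the `POLICY_INFO` table standing in for the policy information point, and the sample result set are all constructed for this example. It shows the PDP combining per-policy decisions so that the most restrictive one wins, the PIP lookup deciding whether a missing policy may be elevated or is a hard deny, and the PEP censoring a result set while reporting which records a re-authentication would unlock.

```python
"""Toy PDP/PEP flow with Deny, Elevate and Grant outcomes.

Added example, not OpenIZ code. Policy identifiers, record types and
the sample data below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import IntEnum


class Outcome(IntEnum):
    """Ordered so that max() over a set of decisions yields the most restrictive."""
    GRANT = 0
    ELEVATE = 1
    DENY = 2


@dataclass(frozen=True)
class Principal:
    """The security principal in the current request pipeline."""
    name: str
    granted: frozenset      # policies the current session already holds
    elevatable: frozenset   # policies obtainable by re-authenticating


@dataclass
class Record:
    """A securable: a piece of data plus the policies that protect it."""
    id: str
    data: str
    policies: frozenset


# Stand-in for the policy information point (PIP). Constructed for this
# example: "can_elevate" says whether a missing policy may produce an
# ELEVATE decision or must be a hard DENY.
POLICY_INFO = {
    "urn:example:policy:read-clinical": {"can_elevate": True},
    "urn:example:policy:read-hiv": {"can_elevate": True},
    "urn:example:policy:read-audit": {"can_elevate": False},
}


def decide_policy(principal: Principal, policy: str) -> Outcome:
    """PDP decision for a single policy identifier."""
    if policy in principal.granted:
        return Outcome.GRANT
    # Step 5 of the call structure: ask the PIP before offering elevation.
    info = POLICY_INFO.get(policy, {"can_elevate": False})
    if policy in principal.elevatable and info["can_elevate"]:
        return Outcome.ELEVATE
    return Outcome.DENY


def decide(principal: Principal, securable: Record) -> Outcome:
    """PDP: combine per-policy decisions; the most restrictive one wins."""
    if not securable.policies:
        return Outcome.GRANT
    return max(decide_policy(principal, p) for p in securable.policies)


def enforce(principal: Principal, results: list) -> tuple:
    """PEP handler for the Queried/Retrieved event: censor the result set.

    Returns (visible records, ids needing elevation). DENY drops the record
    silently; ELEVATE also withholds it but reports it so the caller can
    raise a re-authentication prompt.
    """
    visible, needs_elevation = [], []
    for rec in results:
        outcome = decide(principal, rec)
        if outcome is Outcome.GRANT:
            visible.append(rec)
        elif outcome is Outcome.ELEVATE:
            needs_elevation.append(rec.id)
    return visible, needs_elevation


def elevate(principal: Principal, policy: str) -> Principal:
    """Principal after a successful elevation (re-auth, second factor, etc.)."""
    if policy not in principal.elevatable:
        raise PermissionError(f"{policy} cannot be elevated for {principal.name}")
    return Principal(principal.name, principal.granted | {policy}, principal.elevatable)


# Constructed sample result set, as the persistence layer might return it.
SAMPLE_RESULTS = [
    Record("imm-1", "MMR dose 1", frozenset({"urn:example:policy:read-clinical"})),
    Record("imm-2", "HIV test", frozenset({"urn:example:policy:read-clinical",
                                           "urn:example:policy:read-hiv"})),
    Record("imm-3", "HIV audit", frozenset({"urn:example:policy:read-hiv",
                                            "urn:example:policy:read-audit"})),
    Record("aud-1", "audit trail", frozenset({"urn:example:policy:read-audit"})),
    Record("pub-1", "clinic hours", frozenset()),
]

# Constructed principal: holds read-clinical now, could elevate to the rest.
NURSE = Principal("nurse",
                  frozenset({"urn:example:policy:read-clinical"}),
                  frozenset({"urn:example:policy:read-hiv",
                             "urn:example:policy:read-audit"}))

if __name__ == "__main__":
    shown, pending = enforce(NURSE, SAMPLE_RESULTS)
    print("visible:", [r.id for r in shown], "needs elevation:", pending)
    shown, pending = enforce(elevate(NURSE, "urn:example:policy:read-hiv"), SAMPLE_RESULTS)
    print("after elevation:", [r.id for r in shown], "needs elevation:", pending)
```

Two points worth noticing when running it: `imm-2` carries one granted policy and one elevatable policy, and the most-restrictive rule turns that into ELEVATE rather than GRANT; `imm-3` carries an elevatable policy and a non-elevatable one, and the same rule turns that into DENY, so re-authentication never unlocks it. The record is withheld in both cases, and only the ELEVATE case leaks the fact that something was withheld, which is what lets a client decide whether to prompt.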

Last edited Jan 13, 2016 at 9:06 PM by jf03cg, version 3