Glossary of HD EAM concepts

Last updated: 2024-04-24 16:47

Underpinning the new HD Entity Access Management system "EAM 3.0" is an architecture purpose-built to give the control of users back into the hands of Access Managers, ensuring end-to-end management of the lifecycle of a user in the system.

The EAM 3.0 architecture

The new architecture, together with its relevant processes, brings along some new concepts. We have listed them for you below, supplemented with more familiar concepts.

Access Manager

An Access Manager is an Authenticated User having additional Access Manager rights within the EAM system. These rights are granted by healthdata.be to the first Access Manager of a certain Organization. Any additional access managers are to be appointed by the data provider and rights are to be granted by the existing Access Manager of that Organization.

An Access Manager validates and manages user accounts within the Entity Access Management system, approves and manages the accesses of these EAM users to different applications for any available projects, and has the power to create EAM users and EAM accounts by means of CSV bulk upload.

Indication of roles - the standard Authenticated User role is not explicitly mentioned

Account (EAM account)

An account in EAM 3.0 is a combination of an e-mail address and a provision completed with a set of rights (access grants) giving access to a certain registry. An account thus links an EAM user to the desired registry within an application.

A user can have more than one account, each with a different e-mail address, e.g. when working in different healthcare organizations (HCOs), and each with another provision.

Account state

The overview below shows the different states of an EAM account throughout the workflow.

The Label column mentions the name of the action button available for the Authenticated User and/or Access Manager in the relevant GUI screens. (Only Create New Draft and Request approval actions are available for an Authenticated User.)

Admin

The Admin or administrator is part of the healthdata.be staff and has all permissions and functionalities within the EAM system. This user type should be used sparingly and only for highly technical or emergency purposes.

Authenticated User

A person who is logged in to the EAM system via itsme or eID and has a user profile based on the First name, Last name and NISS code shared when logging in via the Federal Authentication Service (FAS). An Authenticated User is able to access the EAM application, create accounts and request access grants, and has access to their own account information in case changes are necessary.

Author group

An Author Group is a group of users with equal editing and reviewing rights to a registration in a certain application of the organisation. The Author Group creation is based on First_name Last_name of the user requesting access. It is thereafter managed in the HD Entity Access Management (EAM) system.

For the HD4DP2 application the Author Group field is automatically populated for user roles 1 (Study Lead) and 2 (Study Associate). The Author Group for role 3 (Study Support) needs to be selected from the relevant drop-down list.

FAS

The Federal Authentication Service (FAS) is a system that authenticates individuals to grant them access to secure online government applications. It ensures the genuineness of users before allowing them to use protected government services in Belgium.

Grants (Access grants)

Grants define a user's access to a registry in a certain application with a specific role. They are added to a provisioned EAM account and need to be approved by the Access Manager of the relevant organization. E.g.:

Pip Lup has access to HDBP0025 in HD4DP2 as Local Study Support with Author Group ACC group

Legacy requests

The Legacy requests tab retrieves the information shown under the "Requests overview" within the previous EAM version (2.7). The purpose of this overview is to follow up on pending requests after migration to EAM 3.0.

Legacy requests in EAM 3.0
Requests overview in former EAM 2.7

Manager (HD Manager)

The Manager is a user type in EAM performed by healthdata.be Service Desk staff. Compared to an Access Manager the manager profile has more extensive rights for advanced actions, without the emergency functionalities of an Administrator.

Messages (log)

Messages are created whenever actions are performed on EAM account level, e.g. password reset, request of account approval, approval of grants, etc. A message is the representation of something we send to or receive from the Service Bus. The messages are logged within EAM for history purposes.

Organization

In full: Healthcare Organization (HCO). A list of all organizations including Name, NIHDI number and the respective list of Access Managers is managed by the HD Manager. An organization that is not active anymore will receive the status Disabled, without being deleted from the EAM system.

Provision

The provision is the deployment of a certain Application to a certain Organization along with any specific parameters providing extra information on the deployment.

Service Bus

The Service Bus is a communication layer between our EAM portal and the installations at the DP's side. Whereas the former EAM system mainly managed access requests, the new EAM 3.0 focuses on complete user management, including access requests, account creation and a feedback loop, aiming at faster user onboarding, a better user experience and less manual intervention by Support / DevOps.

User (EAM user)

The user is the main entity within the EAM system. Once the user's profile, containing basic information such as Username, Primary e-mail address, First name, Last name, SSIN and professional NIHDI code, has been validated, the user has access to EAM, ready to interact. EAM 3.0 offers the possibility to add more than one NIHDI code. Each user can be linked to more than one Account.

User matrix

In general, a user matrix is a structured way to organize information about users and their action radius. We have used the user matrix as a starting point of our documentation of the new Entity Access Management system: a cross-table of the different functionalities of the user types Authenticated User and Access Manager. From here, you can reach the exact information.

User roles

User roles determine your access rights in HD applications such as HD4DP2 or healthstat.be for the desired project. The role hierarchy does not necessarily correspond to the staff structure within your organization. More on User roles in HD4DP2 can be found here.

User types

User types determine the level of managing rights you have within the EAM system:

  • Authenticated user (Validated user)
  • Access manager
  • (HD) Manager
  • Administrator

User types are different from User roles, which are typical for HD applications.

Validated user

User type. Can be found in the EAM users overview after migrating validated users from EAM 2.7 to EAM 3.0. This migrated user type corresponds with the one of an Authenticated user in EAM 3.0.

After migration of your healthcare organisation from EAM 2.7 to EAM 3.0, the Access Manager might notice the user type of Validated user in the Role(s) column on the EAM Users overview page.

The label "Validated user" is a remnant of EAM version 2.7, where it was meant to indicate that a user's profile had been completed and validated by the Access Manager. This migrated user type corresponds to the Authenticated user type in EAM 3.0. As such, "Validated user" is not an active role in EAM 3.0, nor does it influence the functionality of EAM 3.0.

This documentation is still under construction. We try to present the information as correctly, completely and clearly as possible. However, if you see an item in the documentation that is incorrect, does not match your experience or requires further clarification, please create a request (type: request for information) via our portal (https://sciensano.service-now.com/sp) or send us an e-mail at support.healthdata@sciensano.be to report this documentation issue. Do not forget to include the URL or web address of the page with the documentation issue. We will then adjust the documentation. Thank you!