User Management on FHIR

 The FHIR standard is a data-model and interface (API) specification for access to health-care data. As such this is a domain of data that is specific to the health of subjects. This is a very big domain, but not all encompassing. When interacting with domains outside of health-care, links between the data is done via Identifiers. FHIR has a data type structure for an Identifier that is designed to hold any kind of globally unique identifier. This identifier data structure thus would hold identifiers such as

  • Social Security Number
  • Drivers License Number
  • Medical Credential Number
  • Employee Number
  • Organization Identifier (Employer Tax Identifier, domain name, etc)
  • National Provider Identifier (NPI)
  • bank account number

and

  • User Identity (username, userId, etc)

Note that Identifier is also used for things besides human identifiers. Such as legal-case-number, global-shipment-identification-number, vehicle-identification-number (VIN),  device-serial-number, animal-identification-number.

All of these are information managed in another domain outside of FHIR. 

User Management is driven by Organization needs

The user management within an organization will be driven by the needs of the organization. Often this will be driven by early applications (aka the oldest application). Many organizations use Microsoft Active Directory, which does support Authentication and Authorization standards of SAML and OAuth. 
Other platforms for User Management would be Apache Directory, Open LDAP, or an external OAuth provider like Google/Facebook etc.

RESTful standard for User Management

There is a RESTful standard API defined in IETF — System for Cross-domain Identity Management: Protocol (SCIM) — RFC-7644

This has not received enough interest to be put into the FHIR security pages as a recommendation. I understand that Grahame has leveraged this in his reference server. There is an old, and unmanaged, page that Grahame created comparing SCIM to FHIR models., and his blog. The Health Samurai also indicates it supports SCIM.

I note that Microsoft Azure Active Directory seems to use SCIM as their API for user management. I am not an expert on Microsoft Active Directory, so I might be wrong. Would love to get comments confirming or redirecting my understanding.