New and familiar concepts of HD EAM

Last updated: 2024-04-03 13:34

The new HD Entity Access Management system "EAM 3.0" is built on a new architecture designed to put control of the users back into the hands of the Access Managers, ensuring end-to-end management of a user's life cycle in the system.

Figure: The new EAM 3.0 architecture

The new architecture, together with its relevant processes, brings along some new concepts. We have listed them for you below, supplemented with some familiar concepts.

Access Manager

An Access Manager is an authenticated user within the EAM system having access manager rights. These rights are granted by healthdata.be to the first Access Manager within a certain organization. Any additional access managers are to be appointed by the data provider and rights are to be granted by the first Access Manager.

An Access Manager validates and manages user accounts within the Entity Access Management system, approves and manages the accesses of these EAM users to different applications and any available projects, and has the power to create users and accounts through CSV bulk upload.

Account (EAM account)

An EAM 3.0 account is a combination of an e-mail address, a Provision and a number of Access Grants, acting as a "bridge" between Users, Organizations and Applications. A user can create one or more accounts, each with a separate e-mail address, e.g. when working in different healthcare organizations (HCOs), each with a different application.

Account state

The table below offers an overview of the different states of an account throughout the workflow. The Label denotes the action by the Access Manager. The account state is also called the moderation state: it indicates the current approval state of an account throughout the process.

Admin

User type. A Healthdata.be employee (Support, Onboarding) who manages the system.

Authenticated User

User type. A person who is logged in to the EAM system through itsme or eID and has a profile based on shared first name, last name and NISS code. An Authenticated User can log in to the application, create accounts, request access grants and change their own account information.

Author group

The Author Group is created based on the First name and Last name of the user requesting access. It is automatically populated and available in the drop-down list on the Add Access grant window.

Grants (Access grants)

At account level, a user needs to be granted access to a project for an application at a certain organization, as determined by the provision during creation of the account. Currently, there are two different types of Access grants:

  • HD4DP2 Access grant: this grant will feature a project, a user role (study lead, study assistant, study support) and an author group.
  • Healthstat Access grant: this grant will feature a project.

Legacy requests

This is the former "Requests overview".

Manager (HD Manager)

User type. The management of the Entity Access Management system is exclusive to healthdata.be technical staff with more extensive rights for advanced actions.

Organization

The EAM holds a list of all organizations with their Name, NIHDI number and list of Access Managers. If an organization is not active anymore, it will receive the status Disabled. Disabled organizations are not deleted from the EAM system.

Moderation state

See Account state.

Messages (log)

Messages are created whenever actions are involved on account level, e.g. change of password, request of account update, permission of grants etc. A message is the representation of something we send to or receive from the Service Bus. The messages will be logged within EAM for history purposes.

Provision

The provision is the deployment of a certain Application to a certain Organization along with any specific parameters providing extra information on the deployment.

Service Bus

The Service Bus is a communication layer between our EAM portal and the installations at the DP's side. Whereas the former EAM system mainly managed access requests, the new EAM 3.0 focusses on complete User management, incl. access requests, account creation, feedback loop ..., aiming at faster user onboarding, a better user experience and less manual intervention by Support / DevOps.

User

The user is the main entity in the EAM system, containing basic information such as Username, Primary e-mail address, First name, Last name, SSIN and professional NIHDI code. The user represents a person interacting with the EAM. This EAM version offers the possibility to add more than one NIHDI code. Each user can be linked up to multiple Accounts (see above).

User matrix

The introduction of the HD Entity Access Management system leads to some new concepts. In this section, we explain these new concepts and complement them with some familiar ones.

In general, a user matrix is a structured way to organize information about user segments and their characteristics: in our case, by plotting the two axes in relation to each other, the user matrix provides a comprehensive view of the user types and their respective functionalities.

User roles

Also called HD4DP2/Healthstat.be User Roles. They determine your access options as requestor in the HD application for the relevant project and do not necessarily correspond to the staff structure within your organization. More on User roles in HD4DP2 can be found here.

User types

There are several EAM User Types denoting the level of rights you have within the EAM system:

  • Authenticated user
  • Access manager
  • (HD) Manager
  • Administrator
  • Validated User

User types are different from user roles, which are typical for applications.

Validated user

User type. Can be found in the EAM users overview after migrating validated users from EAM 2.7 to EAM 3.0. This migrated user type corresponds with the one of an Authenticated user in EAM 3.0.

After migration of your healthcare organisation from EAM 2.7 to EAM 3.0, the Access Manager might notice the user type of Validated user in the Role(s) column on the EAM Users overview page.

The label "Validated user" is a remnant of EAM version 2.7 where it meant to indicate that a user's profile had been completed and validated by the Access Manager. This migrated user type corresponds to the Authenticated user type in EAM 3.0. As such, "Validated user" is not an active role in EAM 3.0, nor does it influence the functionality of EAM 3.0.