Health System - Research Informatics Portal

3. Service Provider Information

Service Name:

Health System - Research Informatics Portal

Entity ID:

https://portal.ri.ucdavis.edu/shibboleth

Shibboleth SP Version:

2.x

Contact:

Chris Lambertus (cmlambertus AT ucdavis.edu)

Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers. Service Providers must describe the basis on which access to resources is managed and their practices with respect to attribute information they receive from other Participants.

3.1 What attribute information about an individual do you require in order to manage access to resources you make available to other Participants? Describe separately for each service ProviderID that you have registered.

eppn, givenName, sn, mail, eduPersonScopedAffiliation

3.2 What use do you make of attribute information that you receive in addition to basic access control decisions? For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?

eppn is used as the login/screen name. givenName/sn/mail are used to provision the account within Liferay. eduPersonScopedAffiliation is a required field in Liferay’s shib provisioner, but is not presently used. It may be leveraged in the future to provide group memberships based on institution.

3.3 What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)? For example, is this information encrypted?

Access to and use of attribute information is controlled by the superuser/administrator account within Liferay. The information is used only to provision accounts, but the account’s screen name (eppn) is visible to other authenticated users of the system. This will be addressed with a privacy policy. No encryption is used.

3.4 Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information?

Superuser access is only granted to the immediate system administration staff of the Research Informatics unit for. There are no other privileged accounts or roles in use.

3.5 If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?

Unauthorized access to PII will be reported through the UC Davis Health IT Security team and handled according to UC Health policy.