Provider Directory Service — Security Model

Status: populated Owner: TBD Last updated: 2026-04-17 Companion: 13 Security/Compliance/Tenancy

1. Authentication

Flow	Mechanism
Edge	JWT validated against identity-service JWKS
Service-to-service	mTLS + service JWT
Platform admin	`platform:admin` scope

2. Authorization

All writes authorised via POST /internal/access/evaluate.

2.1 RBAC

Role	Read	Write practitioner	Add credential	Assign role	Admin actions
`tenant.viewer`	✓	–	–	–	–
`tenant.provider_user`	✓	–	–	–	–
`tenant.credentialing_admin`	✓	✓	✓	–	–
`tenant.facility_admin`	✓	✓	✓	✓	–
`tenant.admin`	✓	✓	✓	✓	✓
`platform.admin`	✓	✓	✓	✓	✓

2.2 Scopes

Scope	Purpose
`provider_directory:read`	GETs
`provider_directory:write`	Non-admin writes
`provider_directory:admin`	Deactivate, revoke credential, end role
`internal:any-service`	Privilege check

3. Encryption

Layer	Tech
At rest	Postgres TDE
In transit	TLS 1.3
Field-level	Credential `number` encrypted via platform KMS DEK if regional policy requires

4. Audit Events

Event	When
`provider_directory.audit.practitioner.created`	Create
`provider_directory.audit.practitioner.suspended`	Suspend
`provider_directory.audit.credential.revoked`	Revoke credential
`provider_directory.audit.role.privilege_change`	Privilege delta
`provider_directory.audit.endpoint.auth_method_changed`	Sensitive config change

Participates in erasure saga. If practitioner has no downstream clinical history, their record is anonymized (name fields redacted, identifiers nulled). If clinical history exists (orders, notes), retention policy overrides erasure per RESEARCH_AND_SECONDARY_USE.md.

6. Data Residency

Per tenant region. AFG / UAE / EU stored in-region.

7. Rate Limits

Abuse	Control
Directory scraping	500 rps/tenant; throttle-by-IP on `/fhir/R4/Practitioner` search
Credential enumeration	50 rps/tenant on credential search

1. Authentication​

2. Authorization​

2.1 RBAC​

2.2 Scopes​

3. Encryption​

4. Audit Events​

5. GDPR​

6. Data Residency​

7. Rate Limits​