Authentication and Authorisation

Introduction

Access to the NRLS will not be without restriction. The security section outlines the need for any client to be able to take part in a mutual authentication session at the transport layer. This will protect traffic flowing between client and server and to some extent gives the NRLS server confidence in the identity of the client system. However, this transport layer security does not address authorisation. Additionally the level of granularity in terms of establishing identity stops at the system level.

Authentication

The NRLS is aligning itself with the Care Access Service which will become NHS Digital’s national Authentication and Authorisation service. As well as providing support for existing smartcard-based mechanisms CAS will provide an array of other authentication types. Clients will need to integrate with CAS to access the NRLS.

Authorisation

The NRLS uses the well established ASID + interactionId approach to control access to the API. Each RESTful endpoint is associated with a unique interactionId. Each system that is accredited by NHS Digital as being a Consumer or Provider will have a set of interactions that they have been authorised to perform. These interactions are mapped to interactionIds. Each ASID is associated with a set of interactionIds. It is this combination of interactionIds that govern what RESTful endpoints a particular system can interact with.