Basic AuditEvent pattern for when an activity was authorized by an IUA access token - Basic Audit Log Patterns (BALP) v1.1.4-current

Basic Audit Log Patterns (BALP), published by IHE IT Infrastructure Technical Committee. This guide is not an authorized publication; it is the continuous build for version 1.1.4-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/IHE/ITI.BasicAudit/ and changes regularly. See the Directory of published versions

Resource Profile: Basic AuditEvent pattern for when an activity was authorized by an IUA access token

Official URL: https://profiles.ihe.net/ITI/BALP/StructureDefinition/IHE.BasicAudit.OAUTHaccessTokenUse.Comprehensive				Version: 1.1.4-current
Active as of 2024-07-17				Computable Name: OAUTHaccessTokenUseComprehensive

A basic AuditEvent profile for when an activity was authorized by an IUA access token. This profile is expected to be used with some other detail that explains the activity. This profile only covers the IUA access token.

Given an activity has occured
And OAuth is used to authorize (both app and user)
And the given activity is using http with authorization: bearer mechanism
- IUA - 3.72 Incorporate Access Token [ITI-72]
- Bulk Data Access - 11. Presenting an Access Token to FHIR API
- SMART-app-launch - 7.1.5 Step 4: App accesses clinical data via FHIR API
- HL7 Security for Scalable Registration, Authentication, and Authorization (aka UDAP) when it gets published
When an AuditEvent is recorded for the activity
Then that AuditEvent would follow this profile regarding recording the IUA access token details
note: this profile records minimal information from the IUA access token, which presumes that use of the AuditEvent at a later time will be able to resolve the given information.
client slice holds the application details
- This is likely replicated in other slices, but is consistently identified as the Application slice for ease of tracking all events caused by this client
- place the client_id into .who.identifier.value (system is not needed, but avaialble if you have a system)
- any network identification detail should be placed in .network (may be a IP address, or hostname)
oUser slice holds the user details
- user id is recorded in the .who.identifier
- user id is also recorded in .name to be more easy searched
- if roles or purposeOfUse are known record them here
- the JWT ID is recorded in .policy. Expecting that during audit anaysis this ID can be looked up and dereferenced

Usage:

Examples for this Resource Profile: AuditEvent/ex-auditBasicReadOServer

Formal Views of Profile Content

Description of Profiles, Differentials, Snapshots and how the different presentations work.

Differential Table
Key Elements Table
Snapshot Table
Statistics/References
All

This structure is derived from AuditEvent

Name	Flags	Card.	Type	Description & Constraints
AuditEvent		0..*	AuditEvent	Event record kept for security purposes
Slices for agent		1..*	BackboneElement	Actor involved in the event Slice: Unordered, Open by pattern:type
agent:oClient		1..1	BackboneElement	Actor involved in the event
type		1..1	CodeableConcept	How agent participated Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://dicom.nema.org/resources/ontology/DCM
code		1..1	code	Symbol in syntax defined by the system Fixed Value: 110150
who		1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	client identifier
identifier		1..1	Identifier	Logical reference, when literal reference is not known
value		1..1	string	Token client ID (client_id)
media		0..0
network	S	0..1	BackboneElement	The client as known by TCP connection information
agent:oUser		0..1	BackboneElement	Actor involved in the event
type		1..1	CodeableConcept	How agent participated Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
role	S	0..*	CodeableConcept	Agent role in the event
who		1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	May be a Resource, but likely just an identifier from the OAuth token
identifier		1..1	Identifier	Logical reference, when literal reference is not known
system	S	0..1	uri	Token Issuer (TOKEN_ISSUER)
value	S	0..1	string	User ID (USER_ID)
display	S	0..1	string	User Name (USER_NAME)
name	S	0..1	string	User Name (USER_NAME)
requestor		1..1	boolean	Whether user is initiator Required Pattern: true
policy		1..1	uri	jti (JWT ID)
media		0..0
network		0..0
purposeOfUse	S	0..*	CodeableConcept	Reason given for this user
Documentation for this format

Name	Flags	Card.	Type	Description & Constraints
AuditEvent		0..*	AuditEvent	Event record kept for security purposes
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
type	Σ	1..1	Coding	Type/identifier of event Binding: AuditEventID (extensible): Type of event.
recorded	Σ	1..1	instant	Time when the event was recorded
Slices for agent		1..*	BackboneElement	Actor involved in the event Slice: Unordered, Open by pattern:type
agent:All Slices				Content/Rules for all slices
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
requestor	Σ	1..1	boolean	Whether user is initiator
agent:oClient		1..1	BackboneElement	Actor involved in the event
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type		1..1	CodeableConcept	How agent participated Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event. Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://dicom.nema.org/resources/ontology/DCM
code		1..1	code	Symbol in syntax defined by the system Fixed Value: 110150
who	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	client identifier
identifier	Σ	1..1	Identifier	Logical reference, when literal reference is not known
use	?!Σ	0..1	code	usual \| official \| temp \| secondary \| old (If known) Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .
value	Σ	1..1	string	Token client ID (client_id) Example General: 123456
requestor	Σ	1..1	boolean	Whether user is initiator
network	S	0..1	BackboneElement	The client as known by TCP connection information
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
agent:oUser		0..1	BackboneElement	Actor involved in the event
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type		1..1	CodeableConcept	How agent participated Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event. Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
role	S	0..*	CodeableConcept	Agent role in the event Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.
who	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	May be a Resource, but likely just an identifier from the OAuth token
identifier	Σ	1..1	Identifier	Logical reference, when literal reference is not known
use	?!Σ	0..1	code	usual \| official \| temp \| secondary \| old (If known) Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .
system	SΣ	0..1	uri	Token Issuer (TOKEN_ISSUER) Example General: http://www.acme.com/identifiers/patient
value	SΣ	0..1	string	User ID (USER_ID) Example General: 123456
display	SΣ	0..1	string	User Name (USER_NAME)
name	S	0..1	string	User Name (USER_NAME)
requestor	Σ	1..1	boolean	Whether user is initiator Required Pattern: true
policy		1..1	uri	jti (JWT ID)
purposeOfUse	S	0..*	CodeableConcept	Reason given for this user Binding: PurposeOfUse (extensible): The reason the activity took place.
source		1..1	BackboneElement	Audit Event Reporter
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
observer	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	The identity of source detecting the event
Documentation for this format

Terminology Bindings

Path	Conformance	ValueSet / Code	URI
AuditEvent.type	extensible	AuditEventID `http://hl7.org/fhir/ValueSet/audit-event-type` from the FHIR Standard
AuditEvent.agent:oClient.type	extensible	Pattern: 110150 `http://hl7.org/fhir/ValueSet/participation-role-type` from the FHIR Standard
AuditEvent.agent:oClient.who.identifier.use	required	IdentifierUse `http://hl7.org/fhir/ValueSet/identifier-use\|4.0.1` from the FHIR Standard
AuditEvent.agent:oUser.type	extensible	Pattern: IRCP `http://hl7.org/fhir/ValueSet/participation-role-type` from the FHIR Standard
AuditEvent.agent:oUser.role	example	SecurityRoleType `http://hl7.org/fhir/ValueSet/security-role-type` from the FHIR Standard
AuditEvent.agent:oUser.who.identifier.use	required	IdentifierUse `http://hl7.org/fhir/ValueSet/identifier-use\|4.0.1` from the FHIR Standard
AuditEvent.agent:oUser.purposeOfUse	extensible	PurposeOfUse `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse`

Description & Constraints

AuditEvent

0..*

AuditEvent

Event record kept for security purposes

0..1

Logical id of this artifact

Meta

Metadata about the resource

implicitRules

?!Σ

0..1

uri

A set of rules under which this content was created

language

0..1

code

Language of the resource content
Binding: CommonLanguages (preferred): A human language.

Additional Bindings

Purpose

AllLanguages

Max Binding

text

0..1

Narrative

Text summary of the resource, for human interpretation

contained

0..*

Resource

Contained, inline Resources

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

0..*

Extension

Extensions that cannot be ignored

type

1..1

Coding

Type/identifier of event
Binding: AuditEventID (extensible): Type of event.

subtype

0..*

Coding

More specific type/id for the event
Binding: AuditEventSub-Type (extensible): Sub-type of event.

action

0..1

code

Type of action performed during the event
Binding: AuditEventAction (required): Indicator for type of action performed during the event that generated the event.

period

0..1

Period

When the activity occurred

recorded

1..1

instant

Time when the event was recorded

outcome

0..1

code

Whether the event succeeded or failed
Binding: AuditEventOutcome (required): Indicates whether the event succeeded or failed.

outcomeDesc

0..1

string

Description of the event outcome

purposeOfEvent

0..*

CodeableConcept

The purposeOfUse of the event
Binding: PurposeOfUse (extensible): The reason the activity took place.

Slices for agent

1..*

BackboneElement

Actor involved in the event
Slice: Unordered, Open by pattern:type

agent:All Slices

Content/Rules for all slices

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

0..1

CodeableConcept

How agent participated
Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event.

role

0..*

CodeableConcept

Agent role in the event
Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.

who

0..1

Identifier of who

altId

0..1

string

Alternative User identity

name

0..1

string

Human friendly name for the agent

requestor

1..1

boolean

Whether user is initiator

location

0..1

Reference(Location)

Where

policy

0..*

uri

Policy that authorized event

media

0..1

Coding

Type of media
Binding: MediaTypeCode (extensible): Used when the event is about exporting/importing onto media.

network

0..1

BackboneElement

Logical network location for application activity

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

address

0..1

string

Identifier for the network access point of the user device

type

0..1

code

The type of network access point
Binding: AuditEventAgentNetworkType (required): The type of network access point of this agent in the audit event.

purposeOfUse

0..*

CodeableConcept

Reason given for this user
Binding: PurposeOfUse (extensible): The reason the activity took place.

agent:oClient

1..1

BackboneElement

Actor involved in the event

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

1..1

CodeableConcept

How agent participated
Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event.

Required Pattern: At least the following

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

coding

1..*

Coding

Code defined by a terminology system
Fixed Value: (complex)

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

system

1..1

uri

Identity of the terminology system
Fixed Value: http://dicom.nema.org/resources/ontology/DCM

version

0..1

string

Version of the system - if relevant

code

1..1

code

Symbol in syntax defined by the system
Fixed Value: 110150

display

0..1

string

Representation defined by the system

userSelected

0..1

boolean

If this coding was chosen directly by the user

text

0..1

string

Plain text representation of the concept

role

0..*

CodeableConcept

Agent role in the event
Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.

who

1..1

client identifier

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

reference

ΣC

0..1

string

Literal reference, Relative, internal or absolute URL

type

0..1

uri

Type the reference refers to (e.g. "Patient")
Binding: ResourceType (extensible): Aa resource (or, for logical models, the URI of the logical model).

identifier

1..1

Identifier

Logical reference, when literal reference is not known

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

use

?!Σ

0..1

code

usual | official | temp | secondary | old (If known)
Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .

type

0..1

CodeableConcept

Description of identifier
Binding: Identifier Type Codes (extensible): A coded type for an identifier that can be used to determine which identifier to use for a specific purpose.

system

0..1

uri

The namespace for the identifier value
Example General: http://www.acme.com/identifiers/patient

value

1..1

string

Token client ID (client_id)
Example General: 123456

period

0..1

Period

Time period when id is/was valid for use

assigner

0..1

Reference(Organization)

Organization that issued id (may be just text)

display

0..1

string

Text alternative for the resource

altId

0..1

string

Alternative User identity

name

0..1

string

Human friendly name for the agent

requestor

1..1

boolean

Whether user is initiator

location

0..1

Reference(Location)

Where

policy

0..*

uri

Policy that authorized event

network

0..1

BackboneElement

The client as known by TCP connection information

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

address

0..1

string

Identifier for the network access point of the user device

type

0..1

code

The type of network access point
Binding: AuditEventAgentNetworkType (required): The type of network access point of this agent in the audit event.

purposeOfUse

0..*

CodeableConcept

Reason given for this user
Binding: PurposeOfUse (extensible): The reason the activity took place.

agent:oUser

0..1

BackboneElement

Actor involved in the event

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

1..1

CodeableConcept

How agent participated
Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event.

Required Pattern: At least the following

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

coding

1..*

Coding

Code defined by a terminology system
Fixed Value: (complex)

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

system

1..1

uri

Identity of the terminology system
Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType

version

0..1

string

Version of the system - if relevant

code

1..1

code

Symbol in syntax defined by the system
Fixed Value: IRCP

display

0..1

string

Representation defined by the system

userSelected

0..1

boolean

If this coding was chosen directly by the user

text

0..1

string

Plain text representation of the concept

role

0..*

CodeableConcept

Agent role in the event
Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.

who

1..1

May be a Resource, but likely just an identifier from the OAuth token

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

reference

ΣC

0..1

string

Literal reference, Relative, internal or absolute URL

type

0..1

uri

Type the reference refers to (e.g. "Patient")
Binding: ResourceType (extensible): Aa resource (or, for logical models, the URI of the logical model).

identifier

1..1

Identifier

Logical reference, when literal reference is not known

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

use

?!Σ

0..1

code

usual | official | temp | secondary | old (If known)
Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .

type

0..1

CodeableConcept

Description of identifier
Binding: Identifier Type Codes (extensible): A coded type for an identifier that can be used to determine which identifier to use for a specific purpose.

system

SΣ

0..1

uri

Token Issuer (TOKEN_ISSUER)
Example General: http://www.acme.com/identifiers/patient

value

SΣ

0..1

string

User ID (USER_ID)
Example General: 123456

period

0..1

Period

Time period when id is/was valid for use

assigner

0..1

Reference(Organization)

Organization that issued id (may be just text)

display

SΣ

0..1

string

User Name (USER_NAME)

altId

0..1

string

Alternative User identity

name

0..1

string

User Name (USER_NAME)

requestor

1..1

boolean

Whether user is initiator
Required Pattern: true

location

0..1

Reference(Location)

Where

policy

1..1

uri

jti (JWT ID)

purposeOfUse

0..*

CodeableConcept

Reason given for this user
Binding: PurposeOfUse (extensible): The reason the activity took place.

source

1..1

BackboneElement

Audit Event Reporter

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

site

0..1

string

Logical source location within the enterprise

observer

1..1

The identity of source detecting the event

type

0..*

Coding

The type of source where event originated
Binding: AuditEventSourceType (extensible): Code specifying the type of system that detected and recorded the event.

entity

0..*

BackboneElement

Data or objects used
sev-1: Either a name or a query (NOT both)

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

what

0..1

Reference(Resource)

Specific instance of resource

type

0..1

Coding

Type of entity involved
Binding: AuditEventEntityType (extensible): Code for the entity type involved in the audit event.

role

0..1

Coding

What role the entity played
Binding: AuditEventEntityRole (extensible): Code representing the role the entity played in the audit event.

lifecycle

0..1

Coding

Life-cycle stage for the entity
Binding: ObjectLifecycleEvents (extensible): Identifier for the data life-cycle stage for the entity.

securityLabel

0..*

Coding

Security labels on the entity
Binding: All Security Labels (extensible): Security Labels from the Healthcare Privacy and Security Classification System.

name

ΣC

0..1

string

Descriptor for entity

description

0..1

string

Descriptive text

query

ΣC

0..1

base64Binary

Query parameters

detail

0..*

BackboneElement

Additional Information about the entity

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

1..1

string

Name of the property

value[x]

1..1

Property value

valueString

string

valueBase64Binary

base64Binary

Documentation for this format

Terminology Bindings

Path Conformance ValueSet / Code URI

AuditEvent.language

preferred

CommonLanguages

Additional Bindings

Purpose

AllLanguages

Max Binding

http://hl7.org/fhir/ValueSet/languages

from the FHIR Standard

AuditEvent.type

extensible

AuditEventID

http://hl7.org/fhir/ValueSet/audit-event-type

from the FHIR Standard

AuditEvent.subtype

extensible

AuditEventSub-Type

http://hl7.org/fhir/ValueSet/audit-event-sub-type

from the FHIR Standard

AuditEvent.action

required

AuditEventAction

http://hl7.org/fhir/ValueSet/audit-event-action|4.0.1

from the FHIR Standard

AuditEvent.outcome

required

AuditEventOutcome

http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.1

from the FHIR Standard

AuditEvent.purposeOfEvent

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.agent.type

extensible

ParticipationRoleType

http://hl7.org/fhir/ValueSet/participation-role-type

from the FHIR Standard

AuditEvent.agent.role

example

SecurityRoleType

http://hl7.org/fhir/ValueSet/security-role-type

from the FHIR Standard

AuditEvent.agent.media

extensible

MediaTypeCode

http://hl7.org/fhir/ValueSet/dicm-405-mediatype

from the FHIR Standard

AuditEvent.agent.network.type

required

AuditEventAgentNetworkType

http://hl7.org/fhir/ValueSet/network-type|4.0.1

from the FHIR Standard

AuditEvent.agent.purposeOfUse

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.agent:oClient.type

extensible

Pattern: 110150

http://hl7.org/fhir/ValueSet/participation-role-type

from the FHIR Standard

AuditEvent.agent:oClient.role

example

SecurityRoleType

http://hl7.org/fhir/ValueSet/security-role-type

from the FHIR Standard

AuditEvent.agent:oClient.who.type

extensible

ResourceType

http://hl7.org/fhir/ValueSet/resource-types

from the FHIR Standard

AuditEvent.agent:oClient.who.identifier.use

required

IdentifierUse

http://hl7.org/fhir/ValueSet/identifier-use|4.0.1

from the FHIR Standard

AuditEvent.agent:oClient.who.identifier.type

extensible

Identifier Type Codes

http://hl7.org/fhir/ValueSet/identifier-type

from the FHIR Standard

AuditEvent.agent:oClient.network.type

required

AuditEventAgentNetworkType

http://hl7.org/fhir/ValueSet/network-type|4.0.1

from the FHIR Standard

AuditEvent.agent:oClient.purposeOfUse

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.agent:oUser.type

extensible

Pattern: IRCP

http://hl7.org/fhir/ValueSet/participation-role-type

from the FHIR Standard

AuditEvent.agent:oUser.role

example

SecurityRoleType

http://hl7.org/fhir/ValueSet/security-role-type

from the FHIR Standard

AuditEvent.agent:oUser.who.type

extensible

ResourceType

http://hl7.org/fhir/ValueSet/resource-types

from the FHIR Standard

AuditEvent.agent:oUser.who.identifier.use

required

IdentifierUse

http://hl7.org/fhir/ValueSet/identifier-use|4.0.1

from the FHIR Standard

AuditEvent.agent:oUser.who.identifier.type

extensible

Identifier Type Codes

http://hl7.org/fhir/ValueSet/identifier-type

from the FHIR Standard

AuditEvent.agent:oUser.network.type

required

AuditEventAgentNetworkType

http://hl7.org/fhir/ValueSet/network-type|4.0.1

from the FHIR Standard

AuditEvent.agent:oUser.purposeOfUse

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.source.type

extensible

AuditEventSourceType

http://hl7.org/fhir/ValueSet/audit-source-type

from the FHIR Standard

AuditEvent.entity.type

extensible

AuditEventEntityType

http://hl7.org/fhir/ValueSet/audit-entity-type

from the FHIR Standard

AuditEvent.entity.role

extensible

AuditEventEntityRole

http://hl7.org/fhir/ValueSet/object-role

from the FHIR Standard

AuditEvent.entity.lifecycle

extensible

ObjectLifecycleEvents

http://hl7.org/fhir/ValueSet/object-lifecycle-events

AuditEvent.entity.securityLabel

extensible

All Security Labels

http://hl7.org/fhir/ValueSet/security-labels

from the FHIR Standard

This structure is derived from AuditEvent

Summary

Mandatory: 5 elements(4 nested mandatory elements)
Must-Support: 7 elements
Prohibited: 3 elements

Slices

This structure defines the following Slices:

The element 1 is sliced based on the value of AuditEvent.agent

Differential View

This structure is derived from AuditEvent

Name	Flags	Card.	Type	Description & Constraints
AuditEvent		0..*	AuditEvent	Event record kept for security purposes
Slices for agent		1..*	BackboneElement	Actor involved in the event Slice: Unordered, Open by pattern:type
agent:oClient		1..1	BackboneElement	Actor involved in the event
type		1..1	CodeableConcept	How agent participated Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://dicom.nema.org/resources/ontology/DCM
code		1..1	code	Symbol in syntax defined by the system Fixed Value: 110150
who		1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	client identifier
identifier		1..1	Identifier	Logical reference, when literal reference is not known
value		1..1	string	Token client ID (client_id)
media		0..0
network	S	0..1	BackboneElement	The client as known by TCP connection information
agent:oUser		0..1	BackboneElement	Actor involved in the event
type		1..1	CodeableConcept	How agent participated Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
role	S	0..*	CodeableConcept	Agent role in the event
who		1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	May be a Resource, but likely just an identifier from the OAuth token
identifier		1..1	Identifier	Logical reference, when literal reference is not known
system	S	0..1	uri	Token Issuer (TOKEN_ISSUER)
value	S	0..1	string	User ID (USER_ID)
display	S	0..1	string	User Name (USER_NAME)
name	S	0..1	string	User Name (USER_NAME)
requestor		1..1	boolean	Whether user is initiator Required Pattern: true
policy		1..1	uri	jti (JWT ID)
media		0..0
network		0..0
purposeOfUse	S	0..*	CodeableConcept	Reason given for this user
Documentation for this format

Key Elements View

Name	Flags	Card.	Type	Description & Constraints
AuditEvent		0..*	AuditEvent	Event record kept for security purposes
implicitRules	?!Σ	0..1	uri	A set of rules under which this content was created
modifierExtension	?!	0..*	Extension	Extensions that cannot be ignored
type	Σ	1..1	Coding	Type/identifier of event Binding: AuditEventID (extensible): Type of event.
recorded	Σ	1..1	instant	Time when the event was recorded
Slices for agent		1..*	BackboneElement	Actor involved in the event Slice: Unordered, Open by pattern:type
agent:All Slices				Content/Rules for all slices
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
requestor	Σ	1..1	boolean	Whether user is initiator
agent:oClient		1..1	BackboneElement	Actor involved in the event
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type		1..1	CodeableConcept	How agent participated Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event. Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://dicom.nema.org/resources/ontology/DCM
code		1..1	code	Symbol in syntax defined by the system Fixed Value: 110150
who	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	client identifier
identifier	Σ	1..1	Identifier	Logical reference, when literal reference is not known
use	?!Σ	0..1	code	usual \| official \| temp \| secondary \| old (If known) Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .
value	Σ	1..1	string	Token client ID (client_id) Example General: 123456
requestor	Σ	1..1	boolean	Whether user is initiator
network	S	0..1	BackboneElement	The client as known by TCP connection information
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
agent:oUser		0..1	BackboneElement	Actor involved in the event
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
type		1..1	CodeableConcept	How agent participated Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event. Required Pattern: At least the following
coding		1..*	Coding	Code defined by a terminology system Fixed Value: (complex)
system		1..1	uri	Identity of the terminology system Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType
code		1..1	code	Symbol in syntax defined by the system Fixed Value: IRCP
role	S	0..*	CodeableConcept	Agent role in the event Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.
who	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	May be a Resource, but likely just an identifier from the OAuth token
identifier	Σ	1..1	Identifier	Logical reference, when literal reference is not known
use	?!Σ	0..1	code	usual \| official \| temp \| secondary \| old (If known) Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .
system	SΣ	0..1	uri	Token Issuer (TOKEN_ISSUER) Example General: http://www.acme.com/identifiers/patient
value	SΣ	0..1	string	User ID (USER_ID) Example General: 123456
display	SΣ	0..1	string	User Name (USER_NAME)
name	S	0..1	string	User Name (USER_NAME)
requestor	Σ	1..1	boolean	Whether user is initiator Required Pattern: true
policy		1..1	uri	jti (JWT ID)
purposeOfUse	S	0..*	CodeableConcept	Reason given for this user Binding: PurposeOfUse (extensible): The reason the activity took place.
source		1..1	BackboneElement	Audit Event Reporter
modifierExtension	?!Σ	0..*	Extension	Extensions that cannot be ignored even if unrecognized
observer	Σ	1..1	Reference(PractitionerRole \| Practitioner \| Organization \| Device \| Patient \| RelatedPerson)	The identity of source detecting the event
Documentation for this format

Terminology Bindings

Path	Conformance	ValueSet / Code	URI
AuditEvent.type	extensible	AuditEventID `http://hl7.org/fhir/ValueSet/audit-event-type` from the FHIR Standard
AuditEvent.agent:oClient.type	extensible	Pattern: 110150 `http://hl7.org/fhir/ValueSet/participation-role-type` from the FHIR Standard
AuditEvent.agent:oClient.who.identifier.use	required	IdentifierUse `http://hl7.org/fhir/ValueSet/identifier-use\|4.0.1` from the FHIR Standard
AuditEvent.agent:oUser.type	extensible	Pattern: IRCP `http://hl7.org/fhir/ValueSet/participation-role-type` from the FHIR Standard
AuditEvent.agent:oUser.role	example	SecurityRoleType `http://hl7.org/fhir/ValueSet/security-role-type` from the FHIR Standard
AuditEvent.agent:oUser.who.identifier.use	required	IdentifierUse `http://hl7.org/fhir/ValueSet/identifier-use\|4.0.1` from the FHIR Standard
AuditEvent.agent:oUser.purposeOfUse	extensible	PurposeOfUse `http://terminology.hl7.org/ValueSet/v3-PurposeOfUse`

Snapshot View

Description & Constraints

AuditEvent

0..*

AuditEvent

Event record kept for security purposes

0..1

Logical id of this artifact

Meta

Metadata about the resource

implicitRules

?!Σ

0..1

uri

A set of rules under which this content was created

language

0..1

code

Language of the resource content
Binding: CommonLanguages (preferred): A human language.

Additional Bindings

Purpose

AllLanguages

Max Binding

text

0..1

Narrative

Text summary of the resource, for human interpretation

contained

0..*

Resource

Contained, inline Resources

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

0..*

Extension

Extensions that cannot be ignored

type

1..1

Coding

Type/identifier of event
Binding: AuditEventID (extensible): Type of event.

subtype

0..*

Coding

More specific type/id for the event
Binding: AuditEventSub-Type (extensible): Sub-type of event.

action

0..1

code

Type of action performed during the event
Binding: AuditEventAction (required): Indicator for type of action performed during the event that generated the event.

period

0..1

Period

When the activity occurred

recorded

1..1

instant

Time when the event was recorded

outcome

0..1

code

Whether the event succeeded or failed
Binding: AuditEventOutcome (required): Indicates whether the event succeeded or failed.

outcomeDesc

0..1

string

Description of the event outcome

purposeOfEvent

0..*

CodeableConcept

The purposeOfUse of the event
Binding: PurposeOfUse (extensible): The reason the activity took place.

Slices for agent

1..*

BackboneElement

Actor involved in the event
Slice: Unordered, Open by pattern:type

agent:All Slices

Content/Rules for all slices

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

0..1

CodeableConcept

How agent participated
Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event.

role

0..*

CodeableConcept

Agent role in the event
Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.

who

0..1

Identifier of who

altId

0..1

string

Alternative User identity

name

0..1

string

Human friendly name for the agent

requestor

1..1

boolean

Whether user is initiator

location

0..1

Reference(Location)

Where

policy

0..*

uri

Policy that authorized event

media

0..1

Coding

Type of media
Binding: MediaTypeCode (extensible): Used when the event is about exporting/importing onto media.

network

0..1

BackboneElement

Logical network location for application activity

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

address

0..1

string

Identifier for the network access point of the user device

type

0..1

code

The type of network access point
Binding: AuditEventAgentNetworkType (required): The type of network access point of this agent in the audit event.

purposeOfUse

0..*

CodeableConcept

Reason given for this user
Binding: PurposeOfUse (extensible): The reason the activity took place.

agent:oClient

1..1

BackboneElement

Actor involved in the event

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

1..1

CodeableConcept

How agent participated
Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event.

Required Pattern: At least the following

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

coding

1..*

Coding

Code defined by a terminology system
Fixed Value: (complex)

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

system

1..1

uri

Identity of the terminology system
Fixed Value: http://dicom.nema.org/resources/ontology/DCM

version

0..1

string

Version of the system - if relevant

code

1..1

code

Symbol in syntax defined by the system
Fixed Value: 110150

display

0..1

string

Representation defined by the system

userSelected

0..1

boolean

If this coding was chosen directly by the user

text

0..1

string

Plain text representation of the concept

role

0..*

CodeableConcept

Agent role in the event
Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.

who

1..1

client identifier

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

reference

ΣC

0..1

string

Literal reference, Relative, internal or absolute URL

type

0..1

uri

Type the reference refers to (e.g. "Patient")
Binding: ResourceType (extensible): Aa resource (or, for logical models, the URI of the logical model).

identifier

1..1

Identifier

Logical reference, when literal reference is not known

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

use

?!Σ

0..1

code

usual | official | temp | secondary | old (If known)
Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .

type

0..1

CodeableConcept

Description of identifier
Binding: Identifier Type Codes (extensible): A coded type for an identifier that can be used to determine which identifier to use for a specific purpose.

system

0..1

uri

The namespace for the identifier value
Example General: http://www.acme.com/identifiers/patient

value

1..1

string

Token client ID (client_id)
Example General: 123456

period

0..1

Period

Time period when id is/was valid for use

assigner

0..1

Reference(Organization)

Organization that issued id (may be just text)

display

0..1

string

Text alternative for the resource

altId

0..1

string

Alternative User identity

name

0..1

string

Human friendly name for the agent

requestor

1..1

boolean

Whether user is initiator

location

0..1

Reference(Location)

Where

policy

0..*

uri

Policy that authorized event

network

0..1

BackboneElement

The client as known by TCP connection information

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

address

0..1

string

Identifier for the network access point of the user device

type

0..1

code

The type of network access point
Binding: AuditEventAgentNetworkType (required): The type of network access point of this agent in the audit event.

purposeOfUse

0..*

CodeableConcept

Reason given for this user
Binding: PurposeOfUse (extensible): The reason the activity took place.

agent:oUser

0..1

BackboneElement

Actor involved in the event

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

1..1

CodeableConcept

How agent participated
Binding: ParticipationRoleType (extensible): The Participation type of the agent to the event.

Required Pattern: At least the following

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

coding

1..*

Coding

Code defined by a terminology system
Fixed Value: (complex)

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

system

1..1

uri

Identity of the terminology system
Fixed Value: http://terminology.hl7.org/CodeSystem/v3-ParticipationType

version

0..1

string

Version of the system - if relevant

code

1..1

code

Symbol in syntax defined by the system
Fixed Value: IRCP

display

0..1

string

Representation defined by the system

userSelected

0..1

boolean

If this coding was chosen directly by the user

text

0..1

string

Plain text representation of the concept

role

0..*

CodeableConcept

Agent role in the event
Binding: SecurityRoleType (example): What security role enabled the agent to participate in the event.

who

1..1

May be a Resource, but likely just an identifier from the OAuth token

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

reference

ΣC

0..1

string

Literal reference, Relative, internal or absolute URL

type

0..1

uri

Type the reference refers to (e.g. "Patient")
Binding: ResourceType (extensible): Aa resource (or, for logical models, the URI of the logical model).

identifier

1..1

Identifier

Logical reference, when literal reference is not known

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations
Slice: Unordered, Open by value:url

use

?!Σ

0..1

code

usual | official | temp | secondary | old (If known)
Binding: IdentifierUse (required): Identifies the purpose for this identifier, if known .

type

0..1

CodeableConcept

Description of identifier
Binding: Identifier Type Codes (extensible): A coded type for an identifier that can be used to determine which identifier to use for a specific purpose.

system

SΣ

0..1

uri

Token Issuer (TOKEN_ISSUER)
Example General: http://www.acme.com/identifiers/patient

value

SΣ

0..1

string

User ID (USER_ID)
Example General: 123456

period

0..1

Period

Time period when id is/was valid for use

assigner

0..1

Reference(Organization)

Organization that issued id (may be just text)

display

SΣ

0..1

string

User Name (USER_NAME)

altId

0..1

string

Alternative User identity

name

0..1

string

User Name (USER_NAME)

requestor

1..1

boolean

Whether user is initiator
Required Pattern: true

location

0..1

Reference(Location)

Where

policy

1..1

uri

jti (JWT ID)

purposeOfUse

0..*

CodeableConcept

Reason given for this user
Binding: PurposeOfUse (extensible): The reason the activity took place.

source

1..1

BackboneElement

Audit Event Reporter

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

site

0..1

string

Logical source location within the enterprise

observer

1..1

The identity of source detecting the event

type

0..*

Coding

The type of source where event originated
Binding: AuditEventSourceType (extensible): Code specifying the type of system that detected and recorded the event.

entity

0..*

BackboneElement

Data or objects used
sev-1: Either a name or a query (NOT both)

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

what

0..1

Reference(Resource)

Specific instance of resource

type

0..1

Coding

Type of entity involved
Binding: AuditEventEntityType (extensible): Code for the entity type involved in the audit event.

role

0..1

Coding

What role the entity played
Binding: AuditEventEntityRole (extensible): Code representing the role the entity played in the audit event.

lifecycle

0..1

Coding

Life-cycle stage for the entity
Binding: ObjectLifecycleEvents (extensible): Identifier for the data life-cycle stage for the entity.

securityLabel

0..*

Coding

Security labels on the entity
Binding: All Security Labels (extensible): Security Labels from the Healthcare Privacy and Security Classification System.

name

ΣC

0..1

string

Descriptor for entity

description

0..1

string

Descriptive text

query

ΣC

0..1

base64Binary

Query parameters

detail

0..*

BackboneElement

Additional Information about the entity

0..1

string

Unique id for inter-element referencing

extension

0..*

Extension

Additional content defined by implementations

modifierExtension

?!Σ

0..*

Extension

Extensions that cannot be ignored even if unrecognized

type

1..1

string

Name of the property

value[x]

1..1

Property value

valueString

string

valueBase64Binary

base64Binary

Documentation for this format

Terminology Bindings

Path Conformance ValueSet / Code URI

AuditEvent.language

preferred

CommonLanguages

Additional Bindings

Purpose

AllLanguages

Max Binding

http://hl7.org/fhir/ValueSet/languages

from the FHIR Standard

AuditEvent.type

extensible

AuditEventID

http://hl7.org/fhir/ValueSet/audit-event-type

from the FHIR Standard

AuditEvent.subtype

extensible

AuditEventSub-Type

http://hl7.org/fhir/ValueSet/audit-event-sub-type

from the FHIR Standard

AuditEvent.action

required

AuditEventAction

http://hl7.org/fhir/ValueSet/audit-event-action|4.0.1

from the FHIR Standard

AuditEvent.outcome

required

AuditEventOutcome

http://hl7.org/fhir/ValueSet/audit-event-outcome|4.0.1

from the FHIR Standard

AuditEvent.purposeOfEvent

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.agent.type

extensible

ParticipationRoleType

http://hl7.org/fhir/ValueSet/participation-role-type

from the FHIR Standard

AuditEvent.agent.role

example

SecurityRoleType

http://hl7.org/fhir/ValueSet/security-role-type

from the FHIR Standard

AuditEvent.agent.media

extensible

MediaTypeCode

http://hl7.org/fhir/ValueSet/dicm-405-mediatype

from the FHIR Standard

AuditEvent.agent.network.type

required

AuditEventAgentNetworkType

http://hl7.org/fhir/ValueSet/network-type|4.0.1

from the FHIR Standard

AuditEvent.agent.purposeOfUse

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.agent:oClient.type

extensible

Pattern: 110150

http://hl7.org/fhir/ValueSet/participation-role-type

from the FHIR Standard

AuditEvent.agent:oClient.role

example

SecurityRoleType

http://hl7.org/fhir/ValueSet/security-role-type

from the FHIR Standard

AuditEvent.agent:oClient.who.type

extensible

ResourceType

http://hl7.org/fhir/ValueSet/resource-types

from the FHIR Standard

AuditEvent.agent:oClient.who.identifier.use

required

IdentifierUse

http://hl7.org/fhir/ValueSet/identifier-use|4.0.1

from the FHIR Standard

AuditEvent.agent:oClient.who.identifier.type

extensible

Identifier Type Codes

http://hl7.org/fhir/ValueSet/identifier-type

from the FHIR Standard

AuditEvent.agent:oClient.network.type

required

AuditEventAgentNetworkType

http://hl7.org/fhir/ValueSet/network-type|4.0.1

from the FHIR Standard

AuditEvent.agent:oClient.purposeOfUse

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.agent:oUser.type

extensible

Pattern: IRCP

http://hl7.org/fhir/ValueSet/participation-role-type

from the FHIR Standard

AuditEvent.agent:oUser.role

example

SecurityRoleType

http://hl7.org/fhir/ValueSet/security-role-type

from the FHIR Standard

AuditEvent.agent:oUser.who.type

extensible

ResourceType

http://hl7.org/fhir/ValueSet/resource-types

from the FHIR Standard

AuditEvent.agent:oUser.who.identifier.use

required

IdentifierUse

http://hl7.org/fhir/ValueSet/identifier-use|4.0.1

from the FHIR Standard

AuditEvent.agent:oUser.who.identifier.type

extensible

Identifier Type Codes

http://hl7.org/fhir/ValueSet/identifier-type

from the FHIR Standard

AuditEvent.agent:oUser.network.type

required

AuditEventAgentNetworkType

http://hl7.org/fhir/ValueSet/network-type|4.0.1

from the FHIR Standard

AuditEvent.agent:oUser.purposeOfUse

extensible

PurposeOfUse

http://terminology.hl7.org/ValueSet/v3-PurposeOfUse

AuditEvent.source.type

extensible

AuditEventSourceType

http://hl7.org/fhir/ValueSet/audit-source-type

from the FHIR Standard

AuditEvent.entity.type

extensible

AuditEventEntityType

http://hl7.org/fhir/ValueSet/audit-entity-type

from the FHIR Standard

AuditEvent.entity.role

extensible

AuditEventEntityRole

http://hl7.org/fhir/ValueSet/object-role

from the FHIR Standard

AuditEvent.entity.lifecycle

extensible

ObjectLifecycleEvents

http://hl7.org/fhir/ValueSet/object-lifecycle-events

AuditEvent.entity.securityLabel

extensible

All Security Labels

http://hl7.org/fhir/ValueSet/security-labels

from the FHIR Standard

This structure is derived from AuditEvent

Summary

Mandatory: 5 elements(4 nested mandatory elements)
Must-Support: 7 elements
Prohibited: 3 elements

Slices

This structure defines the following Slices:

The element 1 is sliced based on the value of AuditEvent.agent

Other representations of profile: CSV, Excel, Schematron