As described in previous pages, the services and data in the eHealth Infrastructure are protected by authentication and authorization based on tokens. Described here is how services in the eHealth Infrastructure rely on fields in the access token to perform access control. This access control comprises Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).
Role Based Access Control
The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.
Access Token Field | Meaning | Example Value |
---|---|---|
realm_access | List of process privileges, that is, what is the user allowed to do. | "realm_access": { "roles": [ "Patient.read", "Patient.write" ] } |
What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC-part, as the claims here are entirely based upon what role the user has.
Attribute Based Access Control
The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.
Access Token Field | Meaning | Example Value |
---|---|---|
context | List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the eHealth Infrastructure. | "context": { "organization_id": "https://fut.com/fhir/Organization/1", "care_team_id": "https://fut.com/fhir/CareTeam/4", "episode_of_care_id": "https://fut.com/fhir/EpisodeOfCare/10", "patient_id": "https://fut.com/fhir/Patient/8" } |
user_id | Id of the user. Can be either a FHIR patient Id, FHIR practitioner Id or a KeyCloak Id | "user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922" |
user_type | Can be either SYSTEM, PATIENT, PRACTITIONER or SSL | "user_type": "PATIENT" |
Each resource type (see IG Profiles) has certain restrictions to what context is required in order to allow data retrieval or data manipulation.
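The RBAC check on realm_access and the ABAC check on context and user_type can be combined into one table-driven, deny-by-default decision function. The example below is added here and is not code from the eHealth Infrastructure: it evaluates the EpisodeOfCare.create-episode-of-care and EpisodeOfCare.patch/updateCareteams rows listed on this page against token claims that are assumed to be decoded and signature-validated already. The privilege names, the resource field names, and the treatment of EpisodeOfCare.team as a list of references are assumptions.

```python
from typing import NamedTuple

BASE = "https://fut.com/fhir/"  # base URL taken from the page's example context values

REQUIRED, FORBIDDEN = "required", "must not be present"

# Table column -> key in the token's "context" claim (keys as shown on the page).
CTX_KEY = {
    "EpisodeOfCare": "episode_of_care_id",
    "Patient": "patient_id",
    "CareTeam": "care_team_id",
}

# ASSUMPTION: these privilege names are hypothetical. The page only shows
# "Patient.read" and "Patient.write" as examples of realm_access roles.
PRIVILEGE = {
    "create-episode-of-care": "EpisodeOfCare.create",
    "patch": "EpisodeOfCare.patch",
}

# Rows transcribed from the page's EpisodeOfCare.create-episode-of-care and
# EpisodeOfCare.patch/updateCareteams tables: column -> (rule, resource field).
# A "-" cell means the column is not checked, so it is left out of the row.
# ASSUMPTION: the resource field names "id", "patient" and "team" are illustrative.
RULES = {
    ("create-episode-of-care", "PRACTITIONER"): {
        "EpisodeOfCare": (FORBIDDEN, None),
        "Patient": (REQUIRED, "patient"),
        "CareTeam": (REQUIRED, "team"),
    },
    ("create-episode-of-care", "PATIENT"): {
        "EpisodeOfCare": (FORBIDDEN, None),
        "Patient": (REQUIRED, "patient"),
    },
    ("create-episode-of-care", "SYSTEM"): {},
    ("patch", "PRACTITIONER"): {
        "EpisodeOfCare": (REQUIRED, "id"),
        "CareTeam": (REQUIRED, "team"),
    },
    ("patch", "PATIENT"): {"EpisodeOfCare": (REQUIRED, "id")},
    ("patch", "SYSTEM"): {},
}


class Decision(NamedTuple):
    allowed: bool
    reason: str


def matches(value, field):
    """A context value matches a scalar field by equality, a list field by membership."""
    if isinstance(field, (list, tuple)):
        return value in field
    return field is not None and value == field


def authorize(claims, operation, resource):
    """Evaluate RBAC first, then the ABAC row for the caller's user_type."""
    roles = (claims.get("realm_access") or {}).get("roles") or []
    needed = PRIVILEGE.get(operation)
    if needed is None or needed not in roles:
        return Decision(False, "RBAC: privilege missing")
    row = RULES.get((operation, claims.get("user_type")))
    if row is None:  # e.g. user_type SSL has no row in these tables: deny by default
        return Decision(False, "ABAC: no rule for user type")
    context = claims.get("context") or {}
    for column, (rule, field) in row.items():
        value = context.get(CTX_KEY[column])
        if rule == FORBIDDEN and value is not None:
            return Decision(False, f"ABAC: {column} context must not be present")
        if rule == REQUIRED:
            if value is None:
                return Decision(False, f"ABAC: {column} context required")
            if not matches(value, resource.get(field)):
                return Decision(False, f"ABAC: {column} context mismatch")
    return Decision(True, "ok")


def make_claims(user_type, roles, **context):
    """Build constructed (not captured) decoded-token claims for the demo."""
    return {"user_type": user_type, "realm_access": {"roles": roles}, "context": context}


# Constructed sample resource, reusing the ids from the page's context example.
EPISODE = {
    "id": BASE + "EpisodeOfCare/10",
    "patient": BASE + "Patient/8",
    "team": [BASE + "CareTeam/4", BASE + "CareTeam/7"],
}

if __name__ == "__main__":
    nurse = make_claims("PRACTITIONER", ["EpisodeOfCare.patch"],
                        episode_of_care_id=BASE + "EpisodeOfCare/10",
                        care_team_id=BASE + "CareTeam/4")
    print(authorize(nurse, "patch", EPISODE))
    nurse["context"]["care_team_id"] = BASE + "CareTeam/5"  # team not on the episode
    print(authorize(nurse, "patch", EPISODE))
```

Holding the privilege is necessary but not sufficient: the second call is denied even though the role is present, because the CareTeam context does not match the resource.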
PlanDefinition/ActivityDefinition
These resources are not patient related. Read and Search operations do not require any security context apart from the privilege.
PlanDefinition/ActivityDefinition
User Type | FHIR Operation | Organization Context | Property updated → role needed |
---|---|---|---|
Practitioner | create/update | required: must match modifierRole.reference | PlanDefinition/ActivityDefinition creation or modifierRole changed → owner. All other updates → owner or co-author |
System | - | - | - |
PlanDefinition$apply
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: Must match EpisodeOfCare.id | required: Must match EpisodeOfCare.team |
System | - | - |
DocumentReference
These resources are not patient related.
DocumentReference.read/search
User Type | Context |
---|---|
Practitioner / Patient | - |
System | - |
Read and Search operations do not require any security context apart from the privilege.
DocumentReference.create/update
User Type | Organization Context |
---|---|
Practitioner / Patient | required: must match DocumentReference.custodian |
System | - |
EpisodeOfCare/Condition/Provenance/Consent
An EpisodeOfCare cannot be created directly. It is created by calling the custom operation create-episode-of-care.
EpisodeOfCare.create-episode-of-care
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | must not be present | required: must match EpisodeOfCare.Patient | required: Must match EpisodeOfCare.team |
Patient | must not be present | required: must match EpisodeOfCare.Patient | - |
System | - | - | - |
EpisodeOfCare.read
User Type | EpisodeOfCare Context |
---|---|
Practitioner/Patient | required: must match EpisodeOfCare |
System | - |
EpisodeOfCare.patch/updateCareteams
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match EpisodeOfCare | required: Must match EpisodeOfCare.team |
Patient | required: must match EpisodeOfCare | - |
System | - | - |
EpisodeOfCare.search
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | must not be present | optional but when present: must match Patient search parameter | required: Must match CareTeam search parameter |
Patient | must not be present | Always present: must match Patient search parameter | |
System | - | - | - |
Condition
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match Condition.context | - |
Patient | required: must match Condition.context | - |
System | - | - |
Provenance.read
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match Provenance.target | - |
Patient | required: must match Provenance.target | - |
System | - | - |
Provenance.search
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match EpisodeOfCare search parameter (provenance.target) | - |
Patient | required: must match EpisodeOfCare search parameter (provenance.target) | - |
System | - | - |
Consent.create/read/patch
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | Required: Must match data.reference | - |
Patient | Required: Must match data.reference | - |
System | - | - |
Consent.search
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match EpisodeOfCare search parameter (consent.data.reference) | - |
Patient | required: must match EpisodeOfCare search parameter (consent.data.reference) | - |
System | - | - |
CarePlan/ProcedureRequest
ProcedureRequests are considered a part of a CarePlan and do not have separate privileges.
CarePlans cannot be created directly. They are created and assigned to a patient by calling PlanDefinition$apply
...
CarePlan/ProcedureRequest Read/Suggest-care-teams
...
User Type
...
Access to eHealth services and eHealth data in the eHealth Infrastructure is controlled by authentication and authorization based on tokens. The token-based security is described in Token Based Security. This page describes how services in the eHealth Infrastructure rely on fields in the JWT access token to perform the access control. This access control comprises Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).
Role-Based Access Control
The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.
Access Token Field | Meaning | Example Value |
---|---|---|
realm_access | List of process privileges, that is, what is the user allowed to do. | |
What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC part, as the claims here are entirely based on what role the user has.
Attribute-Based Access Control
The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.
Access Token Field | Meaning | Example Value |
---|---|---|
context | List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the eHealth infrastructure. | |
user_id | Id of the user. Can be either an FHIR patient Id, FHIR practitioner Id or a KeyCloak ID | "user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922" |
user_type | Can be either SYSTEM, PATIENT, PRACTITIONER or SSL | "user_type": "PATIENT" |
Each resource type (see IG Profiles) has certain restrictions to what context is required to allow data retrieval or data manipulation.
PlanDefinition/ActivityDefinition
These resources are not patient-related. Read and Search operations do not require any security context apart from the privilege.
PlanDefinition/ActivityDefinition | |||
User Type | FHIR Operation | Organization Context | Property updated → role needed |
---|---|---|---|
Practitioner | create/update | required: must match modifierRole.reference | PlanDefinition/ActivityDefinition creation or modifierRole changed → owner All other updates → owner or co-author |
System | - | - | - |
PlanDefinition$apply | |||
User Type | EpisodeOfCare Context | CareTeam Context | |
---|---|---|---|
Practitioner | required: Must match EpisodeOfCare.id | required: Must match EpisodeOfCare.team | |
System | - | - |
DocumentReference
These resources are not patient-related.
DocumentReference.read/search | |
User Type | Context |
---|---|
Practitioner / Patient | - |
System | - |
Read and Search operations do not require any security context apart from the privilege.
DocumentReference.create/update | |
User Type | Organization Context |
---|---|
Practitioner / Patient | required: must match DocumentReference.custodian |
System | - |
EpisodeOfCare/Condition/Provenance/Consent
An EpisodeOfCare cannot be created directly. It is created by calling the custom operation create-episode-of-care.
EpisodeOfCare.create-episode-of-care | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | must not be present | required: must match EpisodeOfCare.Patient | required: Must match EpisodeOfCare.team |
Patient | must not be present | required: must match EpisodeOfCare.Patient | - |
System | - | - | - |
EpisodeOfCare.read | |
User Type | EpisodeOfCare Context |
---|---|
Practitioner/Patient | required: must match EpisodeOfCare |
System | - |
EpisodeOfCare.patch/updateCareteams | ||
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match EpisodeOfCare | required: Must match EpisodeOfCare.team |
Patient | required: must match EpisodeOfCare | - |
System | - | - |
EpisodeOfCare.search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | must not be present | optional but when present: must match the Patient search parameter | required: Must match CareTeam search parameter |
Patient | must not be present | Always present: must match the Patient search parameter | |
System | - | - | - |
Condition | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | required: must match Condition.episodeOfCare | required: must match Condition.subject | - | |
Patient | required: must match Condition.episodeOfCare | required: must match Condition.subject | - | |
System | - | - | - |
Provenance.read | |||
User Type | EpisodeOfCare Context | CareTeam Context | |
---|---|---|---|
Practitioner | required: must match Provenance.target | - | |
Patient | required: must match Provenance.target | - | |
System | - | - |
Provenance.search | |||
User Type | EpisodeOfCare Context | CareTeam Context | |
---|---|---|---|
Practitioner | required: must match the EpisodeOfCare search parameter (provenance.target) | - | |
Patient | required: must match the EpisodeOfCare search parameter (provenance.target) | - | |
System | - | - |
Consent.create/read/patch | |||
User Type | EpisodeOfCare Context | Patient context | CareTeam Context |
---|---|---|---|
Practitioner | Required Must match data.reference | Required Must match data.patient | - |
Patient | Required Must match data.reference | Required Must match data.patient | - |
System | - | - | - |
Consent.search | ||
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match the EpisodeOfCare search parameter (consent.data.reference) | - |
Patient | required: must match the EpisodeOfCare search parameter (consent.data.reference) | - |
System | - | - |
CarePlan/ServiceRequest
ServiceRequest is considered a part of a CarePlan and does not have separate privileges.
CarePlan cannot be created directly. It is created and assigned to a Patient by calling PlanDefinition$apply
CarePlan/ServiceRequest Read/Suggest-care-teams | |||
User Type | EpisodeOfCare Context | CareTeam Context | |
---|---|---|---|
Practitioner | required: must match CarePlan/ServiceRequest.episodeOfCare | required: CarePlan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to. |
Patient | required: must match CarePlan/ServiceRequest.episodeOfCare | |
System | - | - |
CarePlan/ServiceRequest Update/Update-care-teams | ||||
User Type | EpisodeOfCare Context | CareTeam Context | Extra permission | |
---|---|---|---|---|
Practitioner | required: must match CarePlan/ServiceRequest.episodeOfCare | required: Careplan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to. | ||
Patient | required: must match CarePlan/ServiceRequest.episodeOfCare | - | Only allowed if definition.topic is 'self-treatment' | |
System | - | - |
CarePlan: Update careteam special case | ||||
User Type | EpisodeOfCare Context | CareTeam Context | Extra permission | |
---|---|---|---|---|
Practitioner | required: must match CarePlan.episodeOfCare | required: Must match CarePlan.careTeam | Careplan$update.responsibility permission required in token to update careteam element | |
CarePlan Search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | optional but when present: must match searchparam episodeOfCare | optional but when present: must match searchparam theSubject Only checked if EpisodeOfCare Context is not set. | required: Must match search parameter CarePlan.careteam or CarePlan.episodeOfCare.team. (Only a single search parameter is allowed for this element) |
Patient | optional but when present: must match searchparam episodeOfCare | Always present and must match searchparam theSubject Only checked if EpisodeOfCare Context is not set. | - |
System | - | - | - |
Goal
Goal is considered as part of a CarePlan and does not have separate privileges.
Goal Create/Read/Update | ||||
User Type | Patient Context | EpisodeOfCare Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | required: Must match Goal.subject | required: must match Goal.addresses.episodeOfCare | required: must match Goal.addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the Goal.addresses ServiceRequest belongs to. | |
Patient | required: Must match Goal.subject | - | - | |
System | - | - | - |
Goal Search | ||||
User Type | Patient Context | EpisodeOfCare Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | - | required: must match search param: addresses.episodeOfCare | required: must match search param addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the addresses ServiceRequest belongs to. | |
Patient | required: Must match search param addresses.subject | - | - | |
System | - | - | - |
CommunicationRequest
CommunicationRequest Create/Read/Update/Delete | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | Details |
---|---|---|---|---|
Practitioner | required must match CommunicationRequest.episodeOfCare | required must match CommunicationRequest.subject | required must match CommunicationRequest.recipient if the recipient contains a careteam | |
Patient | optional but when present: must match CommunicationRequest.episodeOfCare | required must match CommunicationRequest.subject | - | Update: Only status |
System | - | - |
CommunicationRequest Search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | required if the searchparam recipient is a patient. optional otherwise. must match searchparam CommunicationRequest.episodeOfCare when present | optional but when present: must match searchparam CommunicationRequest.subject | required if searchparam recipient is a careteam | |
Patient | optional but when present must match CommunicationRequest.episodeOfCare | Always present and must match searchparam CommunicationRequest.recipient | - | |
System | - | - | - |
Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Create/Read/Update/Delete | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | Details |
---|---|---|---|---|
Practitioner | CommunicationRequest.episodeOfCare and EpisodeOfCare security token context must match. If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context | required must match CommunicationRequest.subject | required must match CommunicationRequest.recipient if the recipient contains a careteam | |
Patient | optional but when present it must match CommunicationRequest.episodeOfCare If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context | required must match CommunicationRequest.subject | - | Update: Only status |
System | - | - |
Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | If EpisodeOfCare context is present, then searchparam and context must match If EpisodeOfCare context is not present, then the search parameter must include at least one of:
| optional but when present: must match searchparam patient | required if the search param recipient is a careteam. The search param and careteam context must match. | |
Patient | optional but when present must match searchparam: episodeOfCare | Always present and must match searchparam CommunicationRequest.recipient | - | |
System | - | - | - |
ClinicalImpression/Task
ClinicalImpression create/read/update | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | required: must match ClinicalImpression.episodeOfCare | required: must match ClinicalImpression.subject | required: must be in ClinicalImpressions.ehealth-careplan.careTeam or ClinicalImpressions.episodeOfCare.team | |
Patient | optional but when present: must match ClinicalImpression.episodeOfCare | required when EOC context is not present: must match ClinicalImpression.subject | - | |
System | - | - | - |
ClinicalImpression.search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | optional
| optional must match searchparam: subject Only checked if EOC context is not present: | required: either searchparam: episodeOfCare or searchparam: careplan must be provided:
| |
Patient | optional but when present: must match searchparam: episodeOfCare | required when EpisodeOfCare Context is not present: must match searchparam: subject |
| |
System | - | - | - |
Task create/read/update | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional but when present: must match Task.episodeOfCare | optional, but when present: must match Task.episodeOfCare.subject | CareTeam Context must match Task.responsible | User must have at least one corresponding restriction category privilege in Task.restriction-category. |
UserID must match Task.responsible, Task.owner or Task.requester | ||||
Patient | optional but when present: must match Task.episodeOfCare | required when EOC context is not present: must match Task.episodeOfCare.subject | UserID must match Task.responsible, Task.owner or Task.requester | |
System | - | - | - |
Task search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional but when present: must match searchparam episodeOfCare | optional must match searchparam EpisodeOfCare.subject Only checked if EOC context is not present: | CareTeam Context must match searchparam responsible | Users must have all restriction category privileges corresponding to the list in searchparam restriction-category. |
UserID must match searchparam: Responsible, Owner or Requester | ||||
Patient | optional but when present: must match searchparam episodeOfCare | required when EpisodeOfCare Context is not present: must match searchparam EpisodeOfCare.subject | UserID must match searchparam: Responsible, Owner or Requester | |
System | - | - | - |
Draft of FUTURE change as a consequence of CCR0219: Task create/read/update | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional but when present: must match Task.episodeOfCare | optional, but when present: must match Task.episodeOfCare.subject | CareTeam Context must match Task.responsible | User must have at least one corresponding restriction category privilege in Task.restriction-category. |
CareTeam Context must match one of Task.episodeOfCare.team (list) | ||||
UserID must match Task.responsible, Task.owner or Task.requester | (not checked when UserID match searchparam: Responsible, Owner or Requester) | |||
Patient | optional but when present: must match Task.episodeOfCare | required when EOC context is not present: must match Task.episodeOfCare.subject | UserID must match Task.responsible, Task.owner or Task.requester | - |
System | - | - | - | - |
Draft of FUTURE change as a consequence of CCR0219: Task search | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context / UserId | Extra Permission |
---|---|---|---|---|
Practitioner | optional, but when present must match searchparam episodeOfCare | (Not checked as EOC context when present) | CareTeam Context must match searchparam responsible | Users must have all restriction category privileges corresponding to the list in searchparam restriction-category. |
CareTeam Context must match one of Task.episodeOfCare.team (list) | ||||
UserID must match searchparam: Responsible, Owner or Requester | (not checked when UserID match searchparam: Responsible, Owner or Requester) | |||
(not present) | Checked when EOC context is not present: | CareTeam Context must match searchparam responsible | Users must have all restriction category privileges corresponding to the list in searchparam restriction-category. | |
CareTeam Context must match one of Task.episodeOfCare.team (list) | ||||
UserID must match searchparam: Responsible, Owner or Requester | (not checked when UserID matches searchparam: Responsible, Owner or Requester) | |||
Patient | optional but when present: must match searchparam episodeOfCare | required when EpisodeOfCare Context is not present: must match searchparam EpisodeOfCare.subject | UserID must match searchparam: Responsible, Owner or Requester | - |
System | - | - | - | - |
When searching for tasks based on careteam, it is possible, but not necessary to specify restriction categories. If they are not specified as search criteria, then they will be inferred from the privileges in the security token.
If a search is based on a specific userID instead of a CareTeam, then all tasks related to that user will be returned regardless of the restriction category.
It is recommended to search based on either a userID or a Careteam. It is technically possible to combine these two search parameters, but the results may be confusing.
Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)
The Infrastructure creates Observation, Media, and QuestionnaireResponse (with status completed) when a telemedicine solution calls $submit-measurement.
Draft QuestionnaireResponse (with status in progress) can be created and updated directly.
Communication read | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | |
---|---|---|---|---|
Practitioner | optional but when present: must match communication.episodeOfCare | required if EpisodeOfCare context is not present: must match communication.subject Only checked if EpisodeOfCare Context is not present. | A match must be found either through the Careteam or the UserID
| |
Patient | - | required: must match communication.recipient or communication.sender | - | |
System | - | - | - |
Communication create/patch | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | Extra permission |
---|---|---|---|---|
Practitioner | optional but when present: must match communication.episodeOfCare | required if EpisodeOfCare context is not present: must match communication.subject | A match must be found either through the Careteam or the UserID
| |
Patient | - | required: must match communication.subject | - | communication.sender must match AuthToken.userId |
System | - | - | - |
Communication search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: search param must match |
required:
Careplan: Context must match CarePlan.careTeam or Careplan.context.team
ProcedureRequest: Context must match CarePlan.careTeam or Careplan.context.team for the CarePlan that the ProcedureRequest belongs to.
Patient
required:
must match CarePlan/ProcedureRequest.context
System
-
-
the context | - | A match must be found either through the Careteam or the UserID
| |
Patient | - | required: context must match the subject and either of sender or recipient search params | - |
System | - | - | - |
Observation read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|
Practitioner | required: must match |
Patient
required:
must match CarePlan/ProcedureRequest.context
-
Only allowed if definition.topic is 'self-treatment'
System
-
-
CarePlan: Update careteam special case
User Type
EpisodeOfCare Context
CareTeam Context
Extra permission
Practitioner
required:
must match CarePlan.context
required:
Must match CarePlan.careTeam
Careplan$update.responsibility permission required in token to update careteam element
CarePlan Search
observation.episodeOfCare | -- | required: |
Careplan: Context must match CarePlan.careTeam or CarePlan.context.team
ProcedureRequest: Context must match CarePlan.careTeam or CarePlan.context.team for the CarePlan that the ProcedureRequest belongs to.
If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
| |||
Patient | optional but when present: must match observation.episodeOfCare | required when EOC context is not present: must match observation.subject Only checked if EpisodeOfCare Context is not present. | -- |
System | -- | -- | -- |
Observation search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner |
required: search param must match |
optional but when present:
must match searchparam theSubject
Only checked if EpisodeOfCare Context is not set.
required:
Must match search parameter CarePlan.careteam or CarePlan.context.team. (Only a single search parameter is allowed for this element)
Patient
optional but when present:
must match searchparam theContext
Always present and must match searchparam theSubject
Only checked if EpisodeOfCare Context is not set.
-
System
-
-
-
Goal
Goals are considered as part of a CarePlan and do not have separate privileges.
Goal Create/Read/Update
User Type
Patient Context
the context | -- | required: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
| |
Patient | optional but when present: search param must match the context | required when EOC context is not present: search param must match the context | -- |
System | -- | -- | -- |
QuestionnaireResponse read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner |
-
required: must match |
required:
must match Goal.addresses.context.team or Careplan.careteam for the CarePlan that the Goal.addresses ProcedureRequest belongs to.
Patient
required:
Must match Goal.subject
-
questionnaireResponse.episodeOfCare | -- | required: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
| |
Patient | optional but when present: must match questionnaireResponse.episodeOfCare | required must match questionnaireResponse.subject | -- |
System | -- | -- | -- |
QuestionnaireResponse search | |||
User Type |
---|
EpisodeOfCare Context |
---|
Patient Context | CareTeam Context |
---|---|
Practitioner |
-
required:
must match search param: addresses.context
required:
must match search param addresses.context.team or Careplan.careteam for the CarePlan that the addresses ProcedureRequest belongs to.
Patient
required:
Must match search param addresses.subject
-
required: search param must match the context | -- | required: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
| |
Patient | optional but when present: search param must match the context | required when EOC context is not present: search param must match the context | -- |
System | -- | -- | - |
...
- |
QuestionnaireResponse (status in progress) create/update | ||
User Type | EpisodeOfCare Context |
---|
Patient Context
CareTeam Context |
---|
Details
Practitioner | required: must |
match questionnaireResponse. |
episodeOfCare |
not checked
required |
must match CommunicationRequest.recipient if recipient contains a careteam
Patient
optional but when present:
must match CommunicationRequest.context
required
must match CommunicationRequest.recipient
-
Update: Only status
System
-
-
CommunicationRequest Search
User Type
EpisodeOfCare Context
Patient Context
CareTeam Context
Practitioner
required if searchparam recipient is a patient.
optional otherwise.
must match searchparam CommunicationRequest.context when present
optional but when present:
must match searchparam CommunicationRequest.subject
required if searchparam recipient is a careteam
Patient
optional but when present
must match CommunicationRequest.context
Always present and must match searchparam CommunicationRequest.recipient
-
System
-
-
-
ClinicalImpression/Task
: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
| ||
Patient | required must match questionnaireResponse.episodeOfCare | -- |
System | -- | -- |
Media read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: must match |
media. |
episodeOfCare | -- | required: If the CareTeam is assigned on the EpisodeOfCare: |
If the Careteam is assigned to the CarePlan:
| |
Patient | optional |
but when present: must match |
media. |
episodeOfCare | required when EOC context is not present: must |
match media.subject | -- | ||
System | -- | -- | -- |
Media search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner |
required: search param must match |
the context |
optional
must match searchparam: subject
Only checked if EOC context is not present:
required:
Must match search param value in context.team or carePlan.careTeam-- | required: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
|
Patient | optional but when present: search param must match |
the context | required when |
EOC context is not present: |
must match searchparam: subject
search param must match the context | -- | ||
System | -- | -- | - |
- |
$submit-measurement | ||
User Type | EpisodeOfCare Context | Patient Context |
---|---|---|
Practitioner | required | required |
Patient | required | required |
System | -- | -- |
$search-measurements | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam |
---|
Context |
---|
Practitioner |
required: search param must match |
the context |
optional
must match Task.context.subject
Only checked if EOC context is not present:
CareTeam Context must match Task.responsible
User must have at least one corresponding restriction category privilege in Task.restriction-category.
-- | required: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
|
Patient | optional but when present: search param must match |
the context | required when EOC context is not present: search param must |
match the context |
-- | |||
System | -- | -- | - |
- |
$search-measurements-bundle-limit | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam |
---|
Extra Permission
Context |
---|
Practitioner |
required: search param must match |
optional
must match searchparam Context.subject
Only checked if EOC context is not present:
CareTeam Context must match searchparam responsible
User must have all restriction category privileges corresponding to the list in searchparam restriction-category.
the context | -- | required: If the CareTeam is assigned on the EpisodeOfCare:
If the Careteam is assigned to the CarePlan:
|
Patient | optional but when present: search param must match |
the context | required when |
EOC context is not present: |
must match searchparam theContext.subject
search param must match the context | -- | |
System | -- | - |
-
When searching for tasks based on careteam, it is possible, but not necessary, to specify restriction categories. If they are not specified as search criteria, they will be inferred from the privileges in the security token.
If a search is based on a specific userID instead of a CareTeam, then all tasks related to that user will be returned regardless of restriction-category.
It is recommended to search based on either a userID or a Careteam. It is technically possible to combine these two search parameters, but the results may be confusing.
Observation/QuestionnaireResponse/Media/Communication
Observation and Media cannot be created directly. They can be created by calling $submit-measurement. QuestionnaireResponse can be created directly as a draft, or as a completed QuestionnaireResponse by calling $submit-measurement.
Communication read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | optional but when present: must match communication.context | required if EpisodeOfCare context not present: must match communication.subject | Only checked if EpisodeOfCare Context is not present. A match must be found either through the Careteam or the UserID. Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam. UserID: must match communication.sender or communication.recipient |
Patient | - | required: must match communication.recipient or communication.sender | - |
System | - | - | - |
Communication create/patch | ||||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context | Extra permission |
---|---|---|---|---|
Practitioner | optional but when present: must match communication.context | required if EpisodeOfCare context not present: must match communication.subject | Only checked if EpisodeOfCare Context is not present. A match must be found either through the Careteam or the UserID. Careteam: must match communication.senderCareTeam. UserID: must match communication.sender | |
Patient | - | required: must match communication.subject | - | communication.sender must match AuthToken.userId |
System | - | - | - | |
Communication search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: search param must match the context | - | A match must be found either through the Careteam or the UserID. Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam. UserID: must match communication.sender or communication.recipient |
Patient | - | required: context must match subject and either of sender or recipient search params | - |
System | - | - | - |
Observation read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: must match observation.context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context. If the Careteam is assigned on the CarePlan: Observation.basedOn must be a ProcedureRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context |
Patient | optional but when present: must match observation.context | required when EOC context not present: must match observation.subject. Only checked if EpisodeOfCare Context is not present. | -- |
System | -- | -- | -- |
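The Observation read rules above, written out as a decision function. This is an added example, not the eHealth Infrastructure's own code. It assumes the privilege (RBAC) check has already passed, that resources are simplified dicts rather than full FHIR JSON, and that `user_type` carries the strings `PRACTITIONER`, `PATIENT` or `SYSTEM`; the `activity_references` key is a name chosen for this example.

```python
# Added example: resources are simplified dicts (constructed), not full FHIR JSON.
# Token fields follow the access token described on this page; the user_type
# strings and the "activity_references" key are assumptions of this example.

FHIR = "https://fut.com/fhir"


def _refs(value):
    """Normalise a reference field (None, str or list of str) to a set."""
    if value is None:
        return set()
    return {value} if isinstance(value, str) else set(value)


def _resource_type(reference):
    """'https://fut.com/fhir/ProcedureRequest/7' -> 'ProcedureRequest'."""
    parts = reference.rstrip("/").split("/")
    return parts[-2] if len(parts) >= 2 else ""


def may_read_observation(token, observation, episodes, care_plans):
    """Apply the 'Observation read' context rules; returns (allowed, reason)."""
    ctx = token.get("context") or {}
    eoc_ctx = ctx.get("episode_of_care_id")
    patient_ctx = ctx.get("patient_id")
    team_ctx = ctx.get("care_team_id")
    user_type = token.get("user_type")

    if user_type == "SYSTEM":
        return True, "system user: no context requirements"

    if user_type == "PATIENT":
        if eoc_ctx is not None:
            # Optional, but when present it must match; the patient context is
            # only checked when no EpisodeOfCare context is set.
            ok = eoc_ctx == observation.get("context")
            return ok, "EpisodeOfCare context " + ("matches" if ok else "mismatch")
        if patient_ctx is None:
            return False, "patient context required without EpisodeOfCare context"
        ok = patient_ctx == observation.get("subject")
        return ok, "patient context " + ("matches" if ok else "mismatch")

    if user_type == "PRACTITIONER":
        if eoc_ctx is None or eoc_ctx != observation.get("context"):
            return False, "EpisodeOfCare context missing or mismatch"
        if team_ctx is None:
            return False, "CareTeam context required"
        # Case 1: CareTeam assigned on the EpisodeOfCare, no further checks.
        if team_ctx in _refs(episodes.get(eoc_ctx, {}).get("team")):
            return True, "CareTeam assigned on EpisodeOfCare"
        # Case 2: CareTeam assigned on a CarePlan whose activity references a
        # ProcedureRequest that the Observation is based on.
        requests = {r for r in _refs(observation.get("basedOn"))
                    if _resource_type(r) == "ProcedureRequest"}
        for plan in care_plans:
            if (team_ctx in _refs(plan.get("careTeam"))
                    and requests & _refs(plan.get("activity_references"))):
                return True, "CareTeam assigned on CarePlan"
        return False, "CareTeam not linked to this Observation"

    return False, "unknown user type"  # fail closed (a choice made in this example)


# Constructed sample data.
EPISODES = {f"{FHIR}/EpisodeOfCare/10": {"team": [f"{FHIR}/CareTeam/4"]}}
CARE_PLANS = [{"careTeam": [f"{FHIR}/CareTeam/5"],
               "activity_references": [f"{FHIR}/ProcedureRequest/7"]}]
OBSERVATION = {"context": f"{FHIR}/EpisodeOfCare/10",
               "subject": f"{FHIR}/Patient/8",
               "basedOn": [f"{FHIR}/ProcedureRequest/7"]}


def check(user_type, **context):
    """Evaluate the sample Observation for a token with the given context."""
    token = {"user_type": user_type, "context": context}
    return may_read_observation(token, OBSERVATION, EPISODES, CARE_PLANS)[0]


if __name__ == "__main__":
    eoc = f"{FHIR}/EpisodeOfCare/10"
    for team in ("4", "5", "6"):
        print(team, check("PRACTITIONER", episode_of_care_id=eoc,
                          care_team_id=f"{FHIR}/CareTeam/{team}"))
```

The same two-case CareTeam check appears in the QuestionnaireResponse and Media read tables, with `basedOn` taken from the respective resource.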
Observation search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: search param must match the context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory. If the Careteam is assigned on the CarePlan: basedOn search parameter is mandatory and must match the context |
Patient | optional but when present: search param must match the context | required when EOC context not present: search param must match the context | -- |
System | -- | -- | -- |
QuestionnaireResponse read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: must match questionnaireResponse.context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context. If the Careteam is assigned on the CarePlan: QuestionnaireResponse.basedOn must be a ProcedureRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context |
Patient | optional but when present: must match questionnaireResponse.context | required when EOC context not present: must match questionnaireResponse.subject | -- |
System | -- | -- | -- |
QuestionnaireResponse search | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: search param must match the context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory. If the Careteam is assigned on the CarePlan: basedOn search parameter is mandatory and must match the context |
Patient | optional but when present: search param must match the context | required when EOC context not present: search param must match the context | -- |
System | -- | -- | -- |
QuestionnaireResponse create | ||
User Type | EpisodeOfCare Context | CareTeam Context |
---|---|---|
Practitioner | required: must match questionnaireResponse.context | required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context. If the Careteam is assigned on the CarePlan: QuestionnaireResponse.basedOn must be a ProcedureRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context |
Patient | required: must match questionnaireResponse.context | -- |
System | -- | -- |
QuestionnaireResponse update | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: must match questionnaireResponse.context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context. If the Careteam is assigned on the CarePlan: QuestionnaireResponse.basedOn must be a ProcedureRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context |
Patient | -- | required: must match questionnaireResponse.subject | -- |
System | -- | -- | -- |
Media read | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: must match media.context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context. If the Careteam is assigned on the CarePlan: Media.basedOn must be a ProcedureRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context |
Patient | optional but when present: must match media.context | required when EOC context not present: must match media.subject | -- |
System | -- | -- | -- |
- | -- |
Organization/Practitioner/CareTeam
These resources only require privileges to access. There are no security context requirements for these resources.
Device/DeviceMetric/DeviceUseStatement
Privately owned devices do not have context checks. The tables below are valid for devices owned by organizations.
Device/DeviceMetric create/update/delete | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | required must match the Device.owner organization | Optional but when present: must match a DeviceUseStatement where:
|
Patient | - | must match a DeviceUseStatement where:
|
System | - |
Device read | ||
User Type | Patient Context | Organization Context |
---|---|---|
SSL supplier/Practitioner | Optional but when present: must match a DeviceUseStatement where:
| Required if patient context is not present. Must match the device.owner |
Patient | must match a DeviceUseStatement where:
| - |
System | - |
DeviceUseStatement create/update | ||
User Type | Patient Context | Organization Context |
---|---|---|
SSL supplier/Practitioner | required must match DeviceUseStatement.subject | required must match the Device.owner organization |
System | - | - |
DeviceUseStatement read | ||
User Type | Patient Context | Organization Context |
---|---|---|
SSL supplier/Practitioner | required must match DeviceUseStatement.subject | - |
Patient | must match a DeviceUseStatement.subject | - |
System | - | - |
Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)
Device/DeviceMetric create | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | required must match the Device.owner organization when the non-privately owned device | - |
Patient (Must be privately owned device) | - | must match a DeviceUseStatement where:
or have no related DeviceUseStatement. |
System | - | - |
Device/DeviceMetric update/delete | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | required must match the Device.owner organization when the non-privately owned device | Optional but when present: must match a DeviceUseStatement where:
or have no related DeviceUseStatement. |
Patient | - | must match a DeviceUseStatement where:
or has no related DeviceUseStatement. The device must be privately owned. |
System | - |
DeviceUseStatement create/update | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | required must match the Device.owner organization when the non-privately owned device | required must match DeviceUseStatement.subject |
Patient | - | required. The DeviceUseStatement must have:
The device must be privately owned. |
System | - |
DeviceUseStatement read | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | - | required must match DeviceUseStatement.subject |
Patient | - | required must match DeviceUseStatement.subject |
System | - | - |
DeviceUseStatement search | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | - | required patient search param must match the context |
Patient | - | required patient search param must match the context |
System | - | - |
Questionnaire
Questionnaire | ||||
User Type | FHIR Operation | Organization Context | Property updated | Role needed |
---|---|---|---|---|
Practitioner / Patient | create | required: must match Questionnaire.modifierRole.reference | - | owner |
update | required: must match Questionnaire.modifierRole.reference | Questionnaire.modifierRole | owner | |
Not Questionnaire.modifierRole | owner or co-author | |||
delete | required: must match Questionnaire.modifierRole.reference | - | owner | |
read/search | - | - | - | |
System | - | - | - | - |
Actionguidance
Actionguidance | ||||
User Type | FHIR Operation | Organization Context | Property updated | Role needed |
---|---|---|---|---|
Practitioner / Patient | create | required: must match Actionguidance.modifierRole.reference | - | owner |
update | required: must match Actionguidance.modifierRole.reference | Actionguidance.modifierRole | owner | |
Not Actionguidance.modifierRole | owner or co-author | |||
read/search | - Note: There are two ways to be able to search. First, if permission for both Actionguidance and view is present, it will give access. Secondly, to search, an actionguidance permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected.
Values to supply for a profile search profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-actionguidance
Values to supply for a code search code=http://ehealth.sundhed.dk/cs/basic-resource-type|actionguidance | - | - | |
System | - | - | - | - |
View
View | ||||
User Type | FHIR Operation | Organization Context | Property updated | Role needed |
---|---|---|---|---|
Practitioner / Patient | create | required: must match View.modifierRole.reference | - | owner |
update | required: must match View.modifierRole.reference | View.modifierRole | owner | |
Not View.modifierRole | owner or co-author | |||
read/search | - Note: There are two ways to be able to search. First, if permission for both View and view is present, it will give access. Secondly, to search, a View permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected.
Values to supply for a profile search profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-view
Values to supply for a code search code=http://ehealth.sundhed.dk/cs/basic-resource-type|view | - | - | |
System | - | - | - | - |
Transform
These operations are stateless and only require privileges to call. There are no security context requirements for these operations
Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
These resources can be accessed by all users. Updates require write privileges. There are no security context requirements for these resources.
Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
These resources can be accessed by all users. Updates require write privileges (named QuestionnaireConceptMap, QuestionnaireCodeSystem, QuestionnaireValueSet and QuestionnaireNamingSystem). There are no security context requirements for these resources.
Library
There are no context checks for CRUD and search operations for the Library resource.
Library evaluate | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: |
must match |
...
System
...
-
...
Device read | ||
User Type | Patient Context | Organization Context |
---|---|---|
SSL supplier/Practitioner | Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context; DeviceUseStatement device references the device. | Required if patient context is not present. Must match device.owner |
Patient | must match a DeviceUseStatement where: DeviceUseStatement subject = patient context; DeviceUseStatement device references the device. | - |
System | - |
DeviceUseStatement create/update | ||
User Type | Patient Context | Organization Context |
---|---|---|
SSL supplier/Practitioner | required: must match DeviceUseStatement.subject | required: must match the Device.owner organization |
System | - | - |
DeviceUseStatement read | ||
User Type | Patient Context | Organization Context |
---|---|---|
SSL supplier/Practitioner | required: must match DeviceUseStatement.subject | - |
Patient | must match a DeviceUseStatement.subject | - |
System | - | - |
Questionnaire
Questionnaire | ||||
User Type | FHIR Operation | Organization Context | Property updated | Role needed |
---|---|---|---|---|
Practitioner / Patient | create | required: must match Questionnaire.modifierRole.reference | - | owner |
 | update | required: must match Questionnaire.modifierRole.reference | Questionnaire.modifierRole | owner |
 | | | Not Questionnaire.modifierRole | owner or co-author |
 | delete | required: must match Questionnaire.modifierRole.reference | - | owner |
 | read/search | - | - | - |
System | - | - | - | - |
Transform
These operations are stateless and only require privileges to call. There are no security context requirements for these operations
Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
These resources only require privileges to access. There are no security context requirements for these resources
Library
There are no context checks for CRUD and search operations for the Library resource.
Library evaluate | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: must match either Observation.context or QuestionnaireResponse.context | required: must match either Observation.subject or QuestionnaireResponse.subject | - |
Patient | required: must match either Observation.context or QuestionnaireResponse.context | required: must match either Observation.subject or QuestionnaireResponse.subject | - |
either Observation.episodeOfCare or QuestionnaireResponse.episodeOfCare | required: |
If the CareTeam is assigned on the EpisodeOfCare:
basedOn search parameter is not mandatory
If the Careteam is assigned on the CarePlan:
basedOn search parameter is mandatory and must match the context
Patient
optional but when present:
search param must match the context
required when EOC context not present:
search param must match the context
--
System
--
--
--
$submit-measurement | |
User Type | EpisodeOfCare Context |
---|---|
Practitioner | required |
Patient | required |
System | -- |
$search-measurements | |||
User Type | EpisodeOfCare Context | Patient Context | CareTeam Context |
---|---|---|---|
Practitioner | required: search param must match the context | -- | required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory. If the Careteam is assigned on the CarePlan: basedOn search parameter is mandatory and must match the context |
Patient | optional but when present: search param must match the context | required when EOC context not present: search param must match the context | -- |
System | -- | -- | -- |
Organization/Practitioner/CareTeam
These resources only require privileges to access. There are no security context requirements for these resources.
Device/DeviceMetric/DeviceUseStatement
Privately owned devices do not have context checks. The tables below are valid for devices owned by organizations.
Device/DeviceMetric create/update/delete | ||
User Type | Organization Context | Patient Context |
---|---|---|
SSL supplier/Practitioner | required: must match the Device.owner organization | Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context; DeviceUseStatement device references the device. |
Patient | - | must match a DeviceUseStatement where: DeviceUseStatement subject = patient context; DeviceUseStatement device references the device. |
must match either Observation.subject or QuestionnaireResponse.subject | - | ||
Patient | required: must match either Observation.episodeOfCare or QuestionnaireResponse.episodeOfCare | required: must match either Observation.subject or QuestionnaireResponse.subject | - |
System | - | - | - |
SSL Domain
SSL Catalogue service
Catalogue
SSL Catalogue create/update/read | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Practitioner | - |
System | - |
CatalogueItem
SSL CatalogueItem create/update/read | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Practitioner | - |
System | - |
SSL CatalogueItems read | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Practitioner | required: |
System | - |
Annotation
SSL Annotation create/update/read/delete | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Practitioner | - |
System | - |
Whitelist
SSL WhiteList create/read/delete | |
User Type | Organization Context |
---|---|
SSL supplier | - (no access) |
Practitioner | required: |
System | - |
BlackList
SSL BlackList create/read/delete | |
User Type | Patient Context |
---|---|
SSL supplier | - (no access) |
Practitioner | required: |
System | - |
Problem
SSL Problem create/patch/delete | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Practitioner | - (no access) |
System | - |
SSL Problem read | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Practitioner | required: |
System | - |
Package
SSL Package create/read/patch/delete | |
User Type | Organization Context |
---|---|
SSL supplier | - (no access) |
Practitioner | required: must resolve to and match the Package.buyer party |
System | - |
SSL Order Service
Order
SSL Order create | |||
User Type | Organization Context | EpisodeOfCare Context | CareTeam Context |
---|---|---|---|
SSL supplier | required: | required: | required: |
Practitioner | required: | required: | required: |
System | - | - | - |
SSL |
...
SSL Catalogue
Order read/update/ |
patch/delete/search | |
User Type |
---|
Organization Context
Organization Context | |
---|---|
SSL supplier | required: |
Practitioner | required: |
Order. |
buyer party |
Practitioner
System | - |
...
OrderLine
SSL |
OrderLine create/read/update/patch/delete/ |
search | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
OrderLine. |
Order.seller party |
Practitioner |
required: | |
System | - |
Contract
SSL |
Contract create/patch/read | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Contract.seller party |
Practitioner |
required:
must resolve to and match WhiteList.buyer party, only returns CatalogueItems referred by WhiteLists
- | |
System | - |
SSL Annotation
custom/hasValidContract | |
User Type | Organization Context |
---|---|
SSL supplier | required: |
Contract. |
seller party | |
Practitioner | - |
System | - |
...
Party
SSL |
Party create/update/read |
User Type | Organization Context |
---|---|
SSL supplier | - |
Practitioner | - |
System | - |
custom/findOrCreateParty | |
User Type | Organization Context |
---|---|
SSL supplier |
required: | |
Practitioner | required: |
match the |
organization parameter | |
System | - |
SSL BlackList
...
Reports
Schedule/Fetch <Report_name> | ||||
User Type |
---|
Organization Context |
---|
SSL supplier
UserID | Extra permission | |
---|---|---|
Practitioner | required Must match input parameter: |
must match the BlackList.patient
System
-
SSL Problem
SSL Problem create/patch/delete | |
User Type | Organization Context |
---|---|
SSL supplier | required: must resolve to and match the Problem.CatalogueItem.Catalogue seller party |
Practitioner | - (no access) |
System | - |
SSL Problem read | |
User Type | Organization Context |
---|---|
SSL supplier | required: must resolve to and match the Problem.CatalogueItem.Catalogue seller party |
Practitioner | required: must resolve to and match WhiteList.buyer party, only returns Problems with CatalogueItems referred by WhiteLists |
System | - |
SSL Package
SSL Package create/read/patch/delete | |
User Type | Organization Context |
---|---|
SSL supplier | - (no access) |
Practitioner | required: must resolve to and match the Package.buyer party |
System | - |
SSL Orders
SSL Order create | |||
User Type | Organization Context | EpisodeOfCare Context | CareTeam Context |
---|---|---|---|
SSL supplier | required: must resolve to and match the Order.seller party | required: used for reading CarePlan, see CarePlan resource for context rules | required: used for reading CarePlan, see CarePlan resource for context rules |
Practitioner | required: must resolve to and match the Order.buyer party | required: used for reading CarePlan, see CarePlan resource for context rules | required: used for reading CarePlan, see CarePlan resource for context rules |
System | - | - | - |
SSL Order read/update/patch/delete/search | |
User Type | Organization Context |
---|---|
SSL supplier | required: must resolve to and match the Order.seller party |
Practitioner | required: must resolve to and match the Order.buyer party |
System | - |
SSL OrderLine create/read/update/patch/delete/search | |
User Type | Organization Context |
---|---|
SSL supplier | required: must resolve to and match the OrderLine.Order.seller party |
Practitioner | required: must resolve to and match the OrderLine.Order.buyer party |
System | - |
SSL Contract
SSL Contract create/patch/read | |
User Type | Organization Context |
---|---|
SSL supplier | required: must resolve to and match the Contract.seller party |
Practitioner | - |
System | - |
custom/hasValidContract | |
User Type | Organization Context |
---|---|
SSL supplier | required: must resolve to and match the Contract.seller party |
Practitioner | - |
System | - |
SSL Party
SSL Party create/update/read | |
User Type | Organization Context |
---|---|
SSL supplier | - |
Practitioner | - |
System | - |
custom/findOrCreateParty | |
User Type | Organization Context |
---|---|
SSL supplier | required: must match the organization parameter |
Practitioner | required: must match the organization parameter |
System | - |
Reports
Schedule/Fetch <Report_name> | |||
User Type | Organization Context | UserID | Extra permission |
---|---|---|---|
Practitioner | required. Must match input parameter: ManagingOrganization | Only the user that called schedule is allowed to read the resulting /fhir/Binary/id | The privilege Report.non-anonymized is required if input parameter: anonymization == false |
System-user | System user can't have an organization context | Only the user that called schedule is allowed to read the resulting /fhir/Binary/id | The privilege Report.non-anonymized is required if input parameter: anonymization == false |
Patient/Appointment/Communication(eHealthMessage)/Person
SYSTEM users can perform any action, regardless of context, as long as they have the appropriate realm_access.role (e.g. Appointment.read to read appointments).
R = Required
U = Used (may be required to access certain data)
realm_access.role | Patient Context | Episode of Care Context | CareTeam Context | Organization Context | Extra Rules / Comments |
---|---|---|---|---|---|
Patient.read | R* | R* | REGULAR SEARCH: To perform a regular Patient Search, the user MUST have the Patient Context. LIMITED SEARCH (Dashboard Search): It is also possible to perform a patient search with a CareTeam Context instead of a Patient Context. In that case, the patients are then retrieved from EpisodesOfCare and CarePlan objects that the CareTeam is involved in. NOTE: The patient resources that are returned from this search are limited and as such only the following information is returned:
*R - THE CONTEXTS ARE MUTUALLY EXCLUSIVE, AS SUCH IF BOTH CONTEXTS ARE PROVIDED IN THE TOKEN, ONLY THE PATIENT CONTEXT IS USED. | ||
Patient.write | R | 1: FHIR operations "create" and "update" are not available on the Patient resource. 2: Only certain attributes are allowed to be patched using HTTP PATCH | |||
Patient$updatePatientWithSKRSData | |||||
Patient$createPatient | |||||
Appointment.read | U | U | For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be read if
3: Searching
| ||
Appointment.write | U | U | For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be written if
| ||
Appointment$exportAsiCal | U | U | The same rules apply to reading appointments Note: Only PRACTITIONER/SSL users can see the names of Practitioner participants in the exported iCal object | ||
RelatedPerson.read | R | Only related persons to the patient in context can be read | |||
RelatedPerson.write | R | Only related persons to the patient in context can be written | |||
Communication.read | U | If the message has a restriction category X, the corresponding RestrictionCategory.X role must be present in the realm_access list. 1: PATIENT users can read
2: PRACTITIONER and SSL users can read
3: Only SYSTEM users can read communication from DEVICE senders | |||
Communication.write | U | 1: Communication must have exactly one sender and one recipient 2: Communication with the category "note" can only be created/patched/deleted if user = sender and (recipient = sender or recipient = a CareTeam). 3: PATIENT users
4: PRACTITIONER and SSL users
| |||
Person$match | Only requires the role “Person$match” Used to lookup person data by CPR, including name and a patient reference, if one exists. This is only a read operation and will not create any resources. The operations are audit logged. |
Group Appointment
A “Group appointment” is an Appointment with one of the profiles http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-appointment, http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-videoappointment
Appropriate appointment-related realm_access.role is required for all operations
SYSTEM users have access to all data and http operations regardless of context
Only SYSTEM users can use PUT, other users must use PATCH to change a group appointment
Create
All Practitioner/SSL users can create group appointments if they have an Appointment.write role and a CareTeam in context
assigning-careteam extension on participants must match CareTeam in the context
Read/Search
ehealth-creator, ehealth-responsible and ehealth-performer can see all parts of the appointment, regardless of the CareTeam context
All Practitioner/SSL users can read/find all group appointments and view all parts of it, except Patient participants whose assigning-careteam differs from the CareTeam in context, and the RelatedPersons of those
Patient users can only read/find group appointments that they themselves are participants in, and can view all parts, except other Patient participants and RelatedPersons of those
Patching
Patient users cannot patch
When adding/removing a participant, the relevant assigning-careteam must be in the context
Removing a Patient/RelatedPerson participant is also allowed if the relevant patient is in context
ehealth-creator and ehealth-responsible can patch all parts of the appointment
ehealth-performer can patch all parts of the appointment, except ehealth-responsible
All other Practitioner/SSL users can only add/remove Patient/RelatedPerson participants
Note on Patching a Partial View
Please note that due to the filtering of participants, in some scenarios a client holds only a partial view of the appointment (with some participants missing due to security filtering).
This has an impact when removing a participant in a PATCH using an index, e.g. [{ "op": "remove", "path": "/participant/0" }]. What is in index 0 of the partial view, might not be what is actually in index 0 in the full version of the resource.
The server is aware of this dilemma and “maps” indexes when receiving an HTTP patch request, based on the JWT user_id/context used for the request. The server assumes the patch request is performed by the same user_id/context as the patch content indexes were constructed from.
This means that PATCH operations should be performed with the same JWT as was used when reading the group appointment resource that the patch content (indexes) is based on.
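The index mapping described in this note, as an added example that is not the eHealth Infrastructure's own code. It assumes participants are simplified dicts and narrows visibility to one rule from Read/Search above: Patient/RelatedPerson participants whose assigning-careteam differs from the CareTeam in context are hidden, and a RelatedPerson is assumed to carry the same assigning-careteam as its patient.

```python
import re

# Added example. Participants are simplified dicts (constructed); the field
# names "actor", "type" and "assigning_careteam" are chosen for this example.

_PARTICIPANT_PATH = re.compile(r"/participant/(0|[1-9]\d*)")

SAMPLE_PARTICIPANTS = [
    {"actor": "Patient/A", "type": "Patient", "assigning_careteam": "CareTeam/1"},
    {"actor": "Patient/B", "type": "Patient", "assigning_careteam": "CareTeam/2"},
    {"actor": "Practitioner/P", "type": "Practitioner"},
    {"actor": "Patient/C", "type": "Patient", "assigning_careteam": "CareTeam/1"},
]


def visible_indexes(participants, care_team_ctx):
    """Positions in the full list that a caller with this context may see."""
    return [
        i for i, p in enumerate(participants)
        if not (p["type"] in ("Patient", "RelatedPerson")
                and p.get("assigning_careteam") != care_team_ctx)
    ]


def partial_view(participants, care_team_ctx):
    """The filtered participant list returned to the caller on read."""
    return [participants[i] for i in visible_indexes(participants, care_team_ctx)]


def apply_remove_patch(participants, patch, care_team_ctx):
    """Apply JSON Patch 'remove' ops whose indexes refer to the partial view.

    Operations are applied in order, as JSON Patch requires, and the view is
    recomputed after each removal so later indexes stay consistent.
    """
    full = list(participants)
    for op in patch:
        match = _PARTICIPANT_PATH.fullmatch(str(op.get("path", "")))
        if op.get("op") != "remove" or match is None:
            raise ValueError(f"unsupported operation: {op!r}")
        view = visible_indexes(full, care_team_ctx)
        view_index = int(match.group(1))
        if view_index >= len(view):
            # The index points outside what this caller can see: reject rather
            # than fall through to a hidden participant.
            raise IndexError(f"no visible participant at index {view_index}")
        del full[view[view_index]]
    return full


def actors(participants):
    """Actor references only, for compact comparison."""
    return [p["actor"] for p in participants]


if __name__ == "__main__":
    patch = [{"op": "remove", "path": "/participant/0"}]
    for team in ("CareTeam/1", "CareTeam/2"):
        print(team, "sees", actors(partial_view(SAMPLE_PARTICIPANTS, team)),
              "-> after patch", actors(apply_remove_patch(SAMPLE_PARTICIPANTS, patch, team)))
```

The same patch body removes Patient/A under the CareTeam/1 context and Patient/B under CareTeam/2, which is why the PATCH has to be sent with the JWT that was used for the read.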