Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

Excerpt

Access to eHealth services and eHealth data in the eHealth Infrastructure are

...

controlled by authentication and authorization based on tokens.

...

The Token based security is described in Token Based Security. This page described how services in the eHealth Infrastructure rely on fields in the JWT access token to perform the access control. This access control comprises Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).

Content on this page

Table of Contents

Role-Based Access Control

The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.

Access Token Field

Meaning

Example Value

realm_access

List of process privileges, that is, what is the user allowed to do.

Code Block
languagejson
"realm_access": {

    "roles": [

       "Patient.read",

       "Patient.write"

    ]

  }

What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC - part, as the claims here are entirely based upon on what role the user has.

Attribute-Based Access Control

The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.

Access Token Field

Meaning

Example Value

context

List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the

ehealth

eHealth infrastructure.

Code Block
languagejson
"context": {

    "organization_id" : "https://fut.com/fhir/Organization/1",

    "care_team_id": https://fut.com/fhir/CareTeam/4,

    "episode_of_care_id": https://fut.com/fhir/EpisodeOfCare/10,

    "patient_id": "https://fut.com/fhir/Patient/8"

  }

user_id

Id of the user. Can be either

a

an FHIR patient Id, FHIR practitioner Id or a KeyCloak

Id

ID

"user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922"

user_type

Can be either SYSTEM, PATIENT, PRACTITIONER or SSL

"user_type": "PATIENT"

Each resource type (see IG Profiles) has certain restrictions to what context is required in order to allow data retrieval or data manipulation. 

...

These resources are not patient-related. Read and Search operations do not require any security context apart from the privilege. 

PlanDefinition/ActivityDefinition

User Type

FHIR Operation

Organization Context

Property updated → role needed

Practitioner

create/update

required:

must match modifierRole.reference

PlanDefinition/ActivityDefinition creation or modifierRole changed → owner

All other updates → owner or co-author

System

-

-

-


PlanDefinition$apply

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

Must match EpisodeOfCare.id

required:

Must match EpisodeOfCare.team

System

-

-

DocumentReference

These resources are not patient-related.

DocumentReference.read/search

User Type

Context

Practitioner / Patient

-

System

-

Read and Search operations do not require any security context apart from the privilege. 

DocumentReference.create/update

User Type

Organization Context

Practitioner / Patient

required:

must match DocumentReference.custodian

System

-

EpisodeOfCare/Condition/Provenance/Consent

EpisodeOfCare cannot be created directly. They are created by calling the custom operation: create-episode-of-care

EpisodeOfCare.create-episode-of-care

User Type

EpisodeOfCare Context 

Patient Context

CareTeam Context

Practitioner

must not be present

required:

must match EpisodeOfCare.Patient

required:

Must match EpisodeOfCare.team

Patient

The patient

must not be present

required:

must match EpisodeOfCare.Patient

-

System

-

-

-


EpisodeOfCare.read

User Type

EpisodeOfCare Context 

Practitioner/Patient

required:

must match EpisodeOfCare

System

-


EpisodeOfCare.patch/updateCareteams

User Type

EpisodeOfCare Context 

CareTeam Context

Practitioner

required:

must match EpisodeOfCare

required:

Must match EpisodeOfCare.team

Patient

required:

must match EpisodeOfCare

-

System

-

-


EpisodeOfCare.search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

must not be present

optional but when present:

must

match Patient

match the Patient search parameter

required:

Must match CareTeam search parameter

Patient

must not be present

Always present:

must

match Patient

match the Patient search parameter


-

System

-

-

-


Condition

User Type

EpisodeOfCare Context 

Patient Context

CareTeam Context


Practitioner

required:

must match Condition.episodeOfCare

required:

must match Condition.subject

-

Patient

required:

must match Condition.episodeOfCare

required:

must match Condition.subject

-

System

-

-

-


Provenance.read

User Type

EpisodeOfCare Context 

CareTeam Context

Practitioner

required:

must match Provenance.target

-

Patient

required:

must match Provenance.target

-

System

-

-



Provenance.search

User Type

EpisodeOfCare Context

CareTeam Context


Practitioner

required:

must match the EpisodeOfCare search parameter (provenance.target)

-


Patient

required:

must match the EpisodeOfCare search parameter (provenance.target)

-

System

-

-



Consent.create/read/patch

User Type

EpisodeOfCare Context

Patient context

CareTeam Context

Practitioner

Required

Must match data.reference

Required

Must match data.patient

-

Patient

Required

Must match data.reference

Required

Must match data.patient

-

System

-

-

-


Consent.search

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

must match the EpisodeOfCare search parameter (consent.data.reference)

-

Patient

required:

must match the EpisodeOfCare search parameter (consent.data.reference)

-

System

-

-

CarePlan/ServiceRequest

ServiceRequest is considered a part of a CarePlan and does not have separate privileges.

CarePlan cannot be created directly. It is created and assigned to a Patient by calling PlanDefinition$apply 

CarePlan/ServiceRequest Read/Suggest-care-teams

User Type

EpisodeOfCare Context

CareTeam Context


Practitioner

required:

must match CarePlan/ServiceRequest .episodeOfCare

required:

Careplan: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team

ServiceRequest: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.

Patient

required:

must match CarePlan/ServiceRequest.episodeOfCare


-

System

-

-


CarePlan/ServiceRequest Update/Update-care-teams

User Type

EpisodeOfCare Context

CareTeam Context

Extra permission


Practitioner

required:

must match CarePlan/ServiceRequest.episodeOfCare

required:

Careplan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team

ServiceRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.

Patient

required:

must match CarePlan/ServiceRequest.episodeOfCare

-

Only allowed if definition.topic is 'self-treatment' 

System

-

-


CarePlan: Update careteam special case

User Type

EpisodeOfCare Context

CareTeam Context

Extra permission


Practitioner

required:

must match CarePlan.episodeOfCare

required:

Must match CarePlan.careTeam

Careplan$update.responsibility permission required in token to update careteam element


CarePlan Search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

optional but when present:

must match searchparam episodeOfCare

optional but when present:

must match searchparam theSubject

Only checked if EpisodeOfCare Context is not set.

required:

Must match search parameter CarePlan.careteam or CarePlan.episodeOfCare.team. (Only a single search parameter is allowed for this element)

Patient

optional but when present:

must match searchparam episodeOfCare

Always present and must match searchparam theSubject

Only checked if EpisodeOfCare Context is not set.

-

System

-

-

-

Goal

Goal is considered as part of a CarePlan and does not have separate privileges.

Goal Create/Read/Update

User Type

Patient Context

EpisodeOfCare Context

CareTeam Context


Practitioner

required:

Must match Goal.subject

required:

must match Goal.addresses.episodeOfCare

required:

must match Goal.addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the Goal.addresses ServiceRequest belongs to.



Patient

required:

Must match Goal.subject

-

-



System

-

-

-


Goal Search

User Type

Patient Context

EpisodeOfCare Context

CareTeam Context


Practitioner

-

required:

must match search param: addresses.episodeOfCare

required:

must match search param addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the addresses ServiceRequest belongs to.

Patient

required:

Must match search param addresses.subject

-

-



System

-

-

-



CommunicationRequest

CommunicationRequest Create/Read/Update/Delete

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Details

Practitioner

required

must match CommunicationRequest.episodeOfCare

required

must match CommunicationRequest.

recipient

subject

required

must match CommunicationRequest.recipient if the recipient contains a careteam



Patient

optional but when present:

must match CommunicationRequest.episodeOfCare


required

must match CommunicationRequest.

recipient

subject

-

Update: Only status


System

-


-


CommunicationRequest Search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context


Practitioner

required if the searchparam recipient is a patient. 

optional otherwise.

must match searchparam CommunicationRequest.episodeOfCare when present

optional but when present:

must match searchparam CommunicationRequest.subject

required if searchparam recipient is a careteam



Patient

optional but when present

must match CommunicationRequest.episodeOfCare

Always present and must match searchparam CommunicationRequest.recipient

-



System

-

-

-


Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Create/Read/Update/Delete

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Details

Practitioner

required if

CommunicationRequest

has an episodeOfCare. CommunicationRequest

.episodeOfCare and EpisodeOfCare

Context

security token context must match

TODO: require no context if CR doesn’t have EoC?

required

must match CommunicationRequest

.

recipient

required

must match CommunicationRequest.recipient if

If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context

required

must match CommunicationRequest.subject

required

must match CommunicationRequest.recipient if the recipient contains a careteam

Patient

optional but when present

:

it must match CommunicationRequest.episodeOfCare

TODO: require no context if CR doesn’t have EoC?

If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context

required

must match CommunicationRequest.

recipient

subject

-

Update: Only status

System

-

-

Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

Required if searchparam episodeOfCare is specified. In this case

If EpisodeOfCare context is present, then searchparam and context must match

If EpisodeOfCare context is not present, then

searchparam “episodeOfCare:missing=true” must be used.

the search parameter must include at least one of:

  1. episodeOfCare:missing=true

  2. recipient=<careteam> matching CareTeam context

optional but when present:

must

match searchparam CommunicationRequest.subject

match searchparam patient

required

if searchparam

if the search param recipient is a careteam. The search param and careteam context must match.

Patient

optional but when present

must

match CommunicationRequest.

match searchparam: episodeOfCare

Always present and must match searchparam CommunicationRequest.recipient

-

System

-

-

-

ClinicalImpression/Task

ClinicalImpression create/read/update

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context


Practitioner

required:

must match ClinicalImpression.episodeOfCare

required:

must match ClinicalImpression.subject

required:

must be in ClinicalImpressions.ehealth-careplan.careTeam or ClinicalImpressions.episodeOfCare.team



Patient

optional but when present:

must match ClinicalImpression.episodeOfCare

required when EOC context is not present:

must match ClinicalImpression.subject

-



System

-

-

-



ClinicalImpression.search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context


Practitioner

optional

but when



when present:

must

Patient

optional but when present:

must match searchparam: episodeOfCare

required when EpisodeOfCare Context not present:

must match searchparam: subject

  • do not need to match searchparam: episodeOfCare

optional

must match searchparam: subject

Only checked if EOC context is not present:

required:

Must match search param value in context.team or carePlan.careTeam

either searchparam: episodeOfCare or searchparam: careplan must be provided:

  • if searchparam: episodeOfCare is provided: CareTeam context must be in EpisodeOfCare.team for all referenced EpisodeOfCare ids

  • if searchparam: careplan is provided: CareTeam context must be in CarePlan.careTeam for all referenced CarePlan.


Patient

optional but when present:

must match searchparam: episodeOfCare

required when EpisodeOfCare Context is not present:

must match searchparam: subject


-



System

-

-

-



Task create/read/update

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context  / UserId

Extra Permission

Practitioner

optional but when present:

must match Task.episodeOfCare

optional, but when present:

must match Task.episodeOfCare.subject

CareTeam Context must match Task.responsible

User must have at least one corresponding restriction category privilege in Task.restriction-category.

UserID must match Task.responsible, Task.owner or Task.requester


Patient

optional but when present:

must match Task.episodeOfCare

required when EOC context is not present:

must match Task.episodeOfCare.subject

UserID must match Task.responsible, Task.owner or Task.requester



System

-

-

-



Task search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context  / UserId

Extra Permission

Practitioner

optional but when present:

must match searchparam episodeOfCare

optional

must match searchparam

Context

EpisodeOfCare.subject

Only checked if EOC context is not present:

CareTeam Context must match searchparam responsible

User

Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.

UserID must match searchparam: Responsible, Owner or Requester

Patient

optional but when present:

must match searchparam episodeOfCare

required when EpisodeOfCare Context is not present:

must match searchparam

theContext

EpisodeOfCare.subject

UserID must match searchparam: Responsible, Owner or Requester

System

-

-

-

...

Draft of FUTURE change as a consequence of CCR0219: Task create/read/update

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context  / UserId

Extra Permission

Practitioner

optional but when present:

must match Task.episodeOfCare

optional, but when present:

must match Task.episodeOfCare.subject

CareTeam Context must match Task.responsible

User must have at least one corresponding restriction category privilege in Task.restriction-category.

CareTeam Context must match one of Task.episodeOfCare.team (list)

UserID must match Task.responsible, Task.owner or Task.requester

(not checked when UserID match searchparam: Responsible, Owner or Requester)

Patient

optional but when present:

must match Task.episodeOfCare

required when EOC context is not present:

must match Task.episodeOfCare.subject

UserID must match Task.responsible, Task.owner or Task.requester

-

System

-

-

-

-

Draft of FUTURE change as a consequence of CCR0219: Task search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context  / UserId

Extra Permission

Practitioner

optional, but when present must match searchparam episodeOfCare

(Not checked as EOC context when present)

CareTeam Context must match searchparam responsible

Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.

CareTeam Context must match one of Task.episodeOfCare.team (list)

UserID must match searchparam: Responsible, Owner or Requester

(not checked when UserID match searchparam: Responsible, Owner or Requester)

(not present)

Checked when EOC context is not present:
must match searchparam EpisodeOfCare.subject

CareTeam Context must match searchparam responsible

Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.

CareTeam Context must match one of Task.episodeOfCare.team (list)

UserID must match searchparam: Responsible, Owner or Requester

(not checked if when UserID match searchparam: Responsible, Owner or Requester)

Patient

optional but when present:

must match searchparam episodeOfCare

required when EpisodeOfCare Context is not present:

must match searchparam EpisodeOfCare.subject

UserID must match searchparam: Responsible, Owner or Requester

-

System

-

-

-

-

When searching for tasks based on careteam, it is possible, but not necessary to specify restriction categories. If they are not specified as search criteria, then they will be inferred from the privileges in the security - token.

If a search is based on a specific userID instead of a CareTeam, then all tasks related to that user will be returned regardless of the restriction - category.

It is recommended to search based on either a userID or a Careteam. It is technically possible to combine these two search parameters, but the results may be confusing.

...

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

The Intrastructure creates Observation, Media, and QuestionnaireResponse (with status completed) is created by calling telemedicine solution calls $submit-measurement. A draft

Draft QuestionnaireResponse (with status in - progress) can be created and updated directly.

Communication read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context


Practitioner

optional but when present:

must match communication.episodeOfCare

required if EpisodeOfCare context is not present:

must match communication.subject

Only checked if EpisodeOfCare Context is not present.

A match must be found either through the Careteam or the UserID

  • Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam

  • UserID: must match communication.sender or communication.recipient


Patient

-

required:

must match communication.recipient or communication.sender

-


System

-

-

-



Communication create/patch

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Extra permission

Practitioner

optional but when present:

must match communication.episodeOfCare

required if EpisodeOfCare context is not present:

must match communication.subject

A match must be found either through the Careteam or the UserID

  • Careteam: must match either communication.senderCareTeam

  • UserID: must match communication.sender


Patient

-

required:

must match communication.subject

-

communication.sender must match AuthToken.userId

System

-

-

-



Communication search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match

communication.subject

the context

-

A match must be found either through the Careteam or the UserID

  • Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam

  • UserID: must match communication.sender or communication.recipient

Patient

-

required:

context must match

communication.subject

-

communication.sender must match AuthToken.userId

System

-

-

-

Communication search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

-

A match must be found either through the Careteam or the UserID

  • Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam

  • UserID: must match communication.sender or communication.recipient

Patient

-

required:

context must match subject and either of sender or recipient search params

-

System

-

-

-

Observation read

the subject and either of sender or recipient search params

-

System

-

-

-


Observation read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match observation.episodeOfCare

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

  • The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned to the CarePlan:

  • Observation.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match observation.episodeOfCare

required when EOC context is not present:

must match observation.subject

Only checked if EpisodeOfCare Context is not present.

--

System

--

--

--


Observation search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match

observation.episodeOfCare

the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context
  • basedOn search parameter is not mandatory

If the Careteam is

assigned on the CarePlan:Observation.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

assigned to the CarePlan:

  • basedOn search parameter is mandatory and must match the context

Patient

optional

but when

but when present:

search param must match

observation.episodeOfCare

the context

required when EOC context is not present:

search param must match

observation.subjectOnly checked if EpisodeOfCare Context is not present.

the context

--

System

--

--

--

Observation search


QuestionnaireResponse read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param

must match

the context

questionnaireResponse.episodeOfCare

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory
  • The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned

on

to the CarePlan:

basedOn search parameter is mandatory and must  must match the context
  • QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional

but when

but when present:

search param

must match

the context

questionnaireResponse.episodeOfCare

required

when EOC context not present:

search param

must match

the context

questionnaireResponse.subject

--

System

--

--

--


QuestionnaireResponse

read

search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match

questionnaireResponse.episodeOfCare

the context

--

required

:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

:

If the CareTeam is assigned on the EpisodeOfCare:

  • basedOn search parameter is not mandatory

If the Careteam is assigned

on

to the CarePlan:

QuestionnaireResponse.
  • basedOn

must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
  • search parameter is mandatory and must match the context

Patient

optional

but when

but when present:

search param must match

questionnaireResponse.episodeOfCare

the context

required when EOC context is not present:

search param must match

questionnaireResponse.subject

the context

--

System

--

--

--

QuestionnaireResponse

search

(status in progress) create/update

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param

must match

the context--

questionnaireResponse.episodeOfCare

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory
  • The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned

on

to the CarePlan:

  • basedOn search parameter is mandatory and must  must match the context

Patient

optional but when present:

search param must match the context

required when EOC context not present:

search param must match the context
  • QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

required

must match questionnaireResponse.episodeOfCare

--

System

--

--

--

QuestionnaireResponse (status in-progress) create/update

Media read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match

questionnaireResponse

media.episodeOfCare

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

  • The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned

on

to the CarePlan:

QuestionnaireResponse
  • Media.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match media.episodeOfCare

required when EOC context is not present:

must match

questionnaireResponse

media.

episodeOfCare

subject

--

System

--

--

--


Media

read

search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match

media.episodeOfCare

the context

--

required:

If the CareTeam is assigned on

the EpisodeOfCare:The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

the EpisodeOfCare:

  • basedOn search parameter is not mandatory

If the Careteam is assigned

on

to the CarePlan:

  • Media.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match media.episodeOfCare

required when EOC context not present:

must match media.subject

--
  • basedOn search parameter is mandatory and must match the context

Patient

optional but when present:

search param must match the context

required when EOC context is not present:

search param must match the context

--

System

--

--

--


$submit-measurement

User Type

EpisodeOfCare Context

Patient Context

Practitioner

required

required

Patient

required

required

System

--

--


$search-

-Media search

measurements

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

  • basedOn search parameter is not mandatory

If the Careteam is assigned

on

to the CarePlan:

  • basedOn search parameter is mandatory and

must 
  • must match the context

Patient

optional but when

present:

search param must match the context

required when EOC context not

present:

search param must match the context

--

System

--

--

--

$submit-measurement

User Type

EpisodeOfCare Context

Patient Context

Practitioner

required

required

Patient

required

required

System

search param must match the context

required when EOC context is not present:

search param must match the context

--

System

--

--

--

$search-measurements-bundle-limit

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

  • basedOn search parameter is not mandatory

If the Careteam is assigned

on

to the CarePlan:

  • basedOn search parameter is mandatory and

must 
  • must match the context

Patient

optional but when present:

search param must match the context

required when EOC context is not present:

search param must match the context

--

System

--

--

--

Organization/Practitioner/CareTeam

...

Privately owned devices do not have context checks. The tables below are valid for devices owned by organizations.

Device/DeviceMetric create/update/delete

User Type

Organization Context

Patient Context

SSL supplier/Practitioner

required

must match the Device.owner organization

Optional but when present:

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device.


Patient

-

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device.

System

-


Device read

User Type

Patient Context

Organization Context

SSL supplier/Practitioner

Optional but when present:

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device.

Required if patient context is not present.

Must match the device.owner 

Patient

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device.

-

System


-

DeviceUseStatement create/update

User Type

Patient Context

Organization Context

SSL supplier/Practitioner

required

must match DeviceUseStatement.subject

required

must match the Device.owner organization

System

-

-

DeviceUseStatement read

User Type

Patient Context

Organization Context

SSL supplier/Practitioner

required

must match DeviceUseStatement.subject

-

Patient

must match a DeviceUseStatement.subject

-

System

-

-


Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)

Device/DeviceMetric create

User Type

Organization Context

Patient Context

SSL supplier/Practitioner

required

must match the Device.owner organization when the non-privately owned device

-

Patient (Must be privately owned device)

-

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device

or have no related DeviceUseStatement.

System

-

-

Device/DeviceMetric update/delete

User Type

Organization Context

Patient Context

SSL supplier/Practitioner

required

must match the Device.owner organization when the non-privately owned device

Optional but when present:

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

DeviceUseStatement
  • DeviceUseStatematch device references the device.

or have no related DeviceUseStatement.

Patient

-

must match a DeviceUseStatement where:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device

or

have

has no related DeviceUseStatement.

Device

The device must be privately owned.

System

-

DeviceUseStatement create/update

User Type

Organization Context

Patient Context

SSL supplier/Practitioner

required

must match the Device.owner organization when the non-privately owned device

required

must match DeviceUseStatement.subject

Patient

-

required. The DeviceUseStatement must have:

  • DeviceUseStatement subject = patient context

  • DeviceUseStatement device references the device

Device

The device must be privately owned.

System

-

DeviceUseStatement read

User Type

Organization Context

Patient Context

SSL supplier/Practitioner

-

required

must match DeviceUseStatement.subject

Patient

-

required

must match DeviceUseStatement.subject

System

-

-

DeviceUseStatement search

User Type

Organization Context

Patient Context

SSL supplier/Practitioner

-

required

patient search param must

mach

match the context

Patient

-

required

patient search param must

mach

match the context

System

-

-

Questionnaire

Questionnaire

User Type

FHIR Operation

Organization Context

Property updated

Role needed

Practitioner / Patient

create

required:

must match Questionnaire.modifierRole.reference

-

owner

update

required:

must match Questionnaire.modifierRole.reference

Questionnaire.modifierRole

owner

Not Questionnaire.modifierRole

owner or co-author

delete

required:

must match Questionnaire.modifierRole.reference

-

owner

read/search

-

-

-

System

-

-

-

-

Actionguidance

Actionguidance

User Type

FHIR Operation

Organization Context

Property updated

Role needed

Practitioner / Patient

create

required:

must match Actionguidance.modifierRole.reference

-

owner

update

required:

must match Actionguidance.modifierRole.reference

Actionguidance.modifierRole

owner

Not Actionguidance.modifierRole

owner or co-author

read/search

-

Note:

There are two ways to be able to

make a

search. First, if

a

permission for both Actionguidance and view is present, it will give access.

Secondly, to

make a

search, an actionguidance permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected.

 

Values to supply for a profile search

profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-actionguidance

 

Values to supply for a code search

code=http://ehealth.sundhed.dk/cs/basic-resource-type|actionguidance

-

-

System

-

-

-

-

View

View

User Type

FHIR Operation

Organization Context

Property updated

Role needed

Practitioner / Patient

create

required:

must match View.modifierRole.reference

-

owner

update

required:

must match View.modifierRole.reference

View.modifierRole

owner

Not View.modifierRole

owner or co-author

read/search

-

Note:

There are two ways to be able to

make a

search. First, if

a

permission for both View and view is present, it will give access.

Secondly, to

make a

search,

an

a View permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected.

 

Values to supply for a profile search

profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-view

 

Values to supply for a code search

code=http://ehealth.sundhed.dk/cs/basic-resource-type|view

-

-

System

-

-

-

-

-

Transform

...

Transform

These operations are stateless and only require privileges to call. There are no security context requirements for these operations

Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem 

These resources can be accessed by all users. Updates require write privileges. There are no security context requirements for these operationsresources.

Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem 

These resources can be accessed by all users. Updates require write privileges (named QuestionnaireConceptMap, QuestionnaireCodeSystem, QuestionnaireValueSet and QuestionnaireNamingSystem). There are no security context requirements for these resources.

...

There are no context checks for CRUD and search operations for the Library resource.

Library evaluate

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match either Observation.episodeOfCare

or QuestionnaireResponse.episodeOfCare

required:

must match either Observation.subject

or QuestionnaireResponse.subject

-

Patient

required:

must match either Observation.episodeOfCare

or QuestionnaireResponse.episodeOfCare

required:

must match either Observation.subject

or QuestionnaireResponse.subject

-

System

-

-

-

SSL Domain

SSL Catalogue service

Catalogue

SSL Catalogue create/update/read

User Type

Organization Context

SSL supplier

required:
must resolve to and match the Catalogue.seller party

Practitioner

-

System

-

CatalogueItem

SSL CatalogueItem create/update/read

User Type

Organization Context

SSL supplier

required:
must resolve to and match the CatalogueItem.Catalogue.seller party

Practitioner

-

System

-

SSL CatalogueItems read

User Type

Organization Context

SSL supplier

required:
must resolve to and match the CatalogueItem.Catalogue.seller party

Practitioner

required:
must resolve to and match WhiteList.buyer party, only returns CatalogueItems referred by WhiteLists

System

-

Annotation

SSL Annotation create/update/read/delete

User Type

Organization Context

SSL supplier

required:
must resolve to and match the Annotation.CatalogueItem.Catalogue seller party

Practitioner

-

System

-

...

Whitelist

SSL WhiteList create/read/delete

User Type

Organization Context

SSL supplier

- (no access)

Practitioner

required:
must resolve to and match the WhiteList.buyer party

System

-

BlackList

SSL BlackList create/read/delete

User Type

Patient Context

SSL supplier

- (no access)

Practitioner

required:
must match the BlackList.patient

System

-

Problem

SSL Problem create/patch/delete

User Type

Organization Context

SSL supplier

required:
must resolve

to

and match the Problem.CatalogueItem.Catalogue seller party

Practitioner

- (no access)

System

-

SSL Problem read

User Type

Organization Context

SSL supplier

required:
must resolve

to

and match the Problem.CatalogueItem.Catalogue seller party

Practitioner

required:
must resolve to and match WhiteList.buyer party, only returns Problems with CatalogueItems referred by WhiteLists

System

-

Package

SSL Package create/read/patch/delete

User Type

Organization Context

SSL supplier

- (no access)

Practitioner

required:

must resolve to and match the Package.buyer party

System

-

SSL Order Service

Order

SSL Order create

User Type

Organization Context

EpisodeOfCare Context

CareTeam Context

SSL supplier

required:
must resolve to and match the Order.seller party

required:
used for reading CarePlan, see CarePlan resource for context rules

required:
used for reading CarePlan, see CarePlan resource for context rules

Practitioner

required:
must resolve to and match the Order.buyer party

required:
used for reading CarePlan, see CarePlan resource for context rules

required:
used for reading CarePlan, see CarePlan resource for context rules

System

-

-

-

SSL Order read/update/patch/delete/search

User Type

Organization Context

SSL supplier

required:
must resolve to and match the Order.seller party

Practitioner

required:
must resolve to and match the Order.buyer party

System

-

OrderLine

SSL OrderLine create/read/update/patch/delete/search

User Type

Organization Context

SSL supplier

required:
must resolve to and match the OrderLine.Order.seller party

Practitioner

required:
must resolve to and match the OrderLine.Order.buyer party

System

-

Contract

SSL Contract create/patch/read

User Type

Organization Context

SSL supplier

required:
must resolve to and match the Contract.seller party

Practitioner

-

System

-

custom/hasValidContract

User Type

Organization Context

SSL supplier

required:
must resolve to and match the Contract.seller party

Practitioner

-

System

-

Party

SSL Party create/update/read

User Type

Organization Context

SSL supplier

-

Practitioner

-

System

-

custom/findOrCreateParty

User Type

Organization Context

SSL supplier

required:
must match the organization parameter

Practitioner

required:
must match the organization parameter

System

-


Reports

Schedule/Fetch <Report_name>

User Type

Organization Context

UserID

Extra permission


Practitioner

required

Must match input parameter: ManagingOrganization

Only the user that called schedule is allowed to read the resulting /fhir/Binary/id

The privilege Report.non-anonymized is required if input parameter: anonymization == false


System-user

System

user

users can't have an organization context

Only the user that called schedule is allowed to read the resulting /fhir/Binary/id

The privilege Report.non-anonymized is required if input parameter: anonymization == false



Patient/Appointment/Communication(eHealthMessage)/Person

...

R = Required
U = Used (may be required to access certain data)

realm_access.role

Patient Context

Episode of Care Context

CareTeam Context

Organization Context

Extra Rules / Comments

Patient.read

R*


R*


REGULAR SEARCH:

In order to

To perform a regular Patient Search, the user MUST have the Patient Context.


LIMITED SEARCH (Dashboard Search):

It is also possible to perform a patient search witha CareTeam Context instead of a Patient Context. In that case, the patients are then retrieved from EpisodesOfCare and CarePlan objects that the CareTeam is involved in.

NOTE: The patient resources that are returned from this search are limited and as such only the following information is returned:

  • Identifier

  • Date of Birth

  • Gender

  • Cpr

  • Deceased status

  • Home address

  • Official name


*R - THE CONTEXTS ARE MUTUALLY EXCLUSIVE, AS SUCH IF BOTH CONTEXTS ARE PROVIDED IN THE TOKEN, ONLY THE PATIENT CONTEXT IS USED.

Patient.write

R




1: FHIR operations "create" and "update" are not available on the Patient resource. 
(use $createPatient and "patch")

2: Only certain attributes are allowed to be patched using HTTP PATCH

Patient$updatePatientWithSKRSData






Patient$createPatient






Appointment.read

U


U


For non-group appointments:

1: If an appointment involves a patient, then that patient must be in context

2: The appointment can be read if

  • the user has a Care Team in context that is participating in the appointment

  • the user is participating in the appointment (as a Practitioner or Patient)

3: Searching

  • PATIENT users can search all Appointments that

involves
  • involve the user itself

  • PRACTITIONER/SSL users can search all Appointments that

involves
  • involve the user itself, or the Organization/CareTeam/Patient in context

Appointment.write

U


U

For non-group appointments:

1: If an appointment involves a patient, then that patient must be in context

2: The appointment can be written if

  • the user has a Care Team in context that is participating in the appointment

  • the user is participating in the appointment (as a Practitioner or Patient)

Appointment$exportAsiCal

U

U

Same

The same rules apply

as for

to reading appointments

Note: Only PRACTITIONER/SSL users can see the names of Practitioner participants in the exported iCal object

RelatedPerson.read

R




Only related persons to the patient in context can be read

RelatedPerson.write

R




Only related persons to the patient in context can be written

Communication.read



U


If the message has a restriction category X, the

corrosponding

corresponding RestrictionCategory.X role must be present in the realm_access list.

1: PATIENT users can read

  • communication where they

themselves
  • are either the sender or recipient

2: PRACTITIONER and SSL users can read 

  • communication where they

themselves
  • are either the sender or recipient

  • communication where the CareTeam in context is the sender or recipient

3: Only SYSTEM users can read communication from DEVICE senders

Communication.write



U


1: Communication must have exactly one sender and one recipient

2: Communication with the category "note" can only be created/patched/deleted if user = sender and (recipient = sender or recipient = a CareTeam). 
(notes can be shared with any CareTeam)

3: PATIENT users 

  • can only create/delete "

message
  • mesHTTP" communication where they are the sender, and the recipient is of type CareTeam

  • can only patch "message" communication where they are sender or recipient (the recipient can patch "received" property)

4: PRACTITIONER and SSL users 

  • can only create/delete "message" communication where the sender is the CareTeam in context and the recipient is of type PATIENT or type CareTeam

  • can only patch "message" communication where the CareTeam in context is the sender or recipient

Person$match





Only requires the role “Person$match”

Used to lookup person data by CPR, including name and a patient reference, if one exists.

This is only a read operation and will not create any resources.

The operations

is

are audit logged.


Group Appointment

A “Group appointment” is an Appointment with one of the profiles http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-appointment, http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-videoappointment

  • Appropriate appointment-related realm_access.role is required for all operations

  • SYSTEM users have access to all data and http operations regardless of context

    • Only SYSTEM users can use PUT, other users must use PATCH to change a group appointment

  • Create

    • All Practitioner/SSL users can create group appointments if the they have an Appointment.write role and a CareTeam in context

      • assigning-careteam extension on participants must match CareTeam in the context

  • Read/Search

    • ehealth-creator, ehealth-responsible and ehealth-performer can see all parts of the appointment, regardless of the CareTeam context

    • All Practitioner/SSL users can read/find all group appointments and view all parts of it, except Patient participants whose assigning-careteam differs from the CareTeam in context, and the RelatedPersons of those

    • Patient users can only read/find group appointments that they themselves are participants onin, and can view all parts, except other Patient participants and RelatedPersons of those

  • Patching

    • Patient users cannot patch

    • When adding/removing a participant, the relevant assigning-careteam must be in the context

      • Removing a Patient/RelatedPerson participant is also allowed if the relevant patient is in context

    • ehealth-creator and ehealth-responsible can patch all parts of the appointment

    • ehealth-performer can patch all parts of the appointment, except ehealth-responsible

    • All other Practitioner/SSL users can only add/remove Patient/RelatedPerson participants

...

Please note that due to the filtering of participants, in some scenarios a client holds only a partial view of the appointment (with some participants missing due to security filtering).
This has an impact when removing a participant in a PATCH using an index, e.g. [{ "op": "remove", "path": "/participant/0" }]. What is in index 0 of the partial view, might not be what is actually in index 0 in the full version of the resource.
The server is aware of this dilemma and “maps” indexes when receiving a http an HTTP patch request, based on the JWT user_id/context used for the request. The server assumes the patch request is performed by the same user_id/context as the patch content indexes was were constructed from.

This means that PATCH operations should be performed with the same JWT as was used when reading the group appointment resource that the patch content (indexes) is based on.

...