Table of Contents

As described in previous pages, the services and data in the eHealth Infrastructure are protected by authentication and authorization based on tokens. Described here is how services in the eHealth Infrastructure rely on fields in the access token to perform access control. This access control comprises Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).

Role Based Access Control

The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.

...

Access Token Field

...

Meaning

...

Example Value

...

realm_access

...

List of process privileges, that is, what is the user allowed to do.

...

"realm_access": {

"roles": [

"Patient.read",

"Patient.write"

]

}

What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC-part, as the claims here are entirely based upon what role the user has.

Attribute Based Access Control

The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.

...

Access Token Field

...

Meaning

...

Example Value

...

context

...

List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the ehealth infrastructure.

...

"context": {

"organization_id" : "https://fut.com/fhir/Organization/1",

"care_team_id": https://fut.com/fhir/CareTeam/4,

"episode_of_care_id": https://fut.com/fhir/EpisodeOfCare/10,

"patient_id": "https://fut.com/fhir/Patient/8"

}

...

user_id

...

Id of the user. Can be either a FHIR patient Id, FHIR practitioner Id or a KeyCloak Id

...

"user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922"

...

user_type

...

Can be either SYSTEM, PATIENT, PRACTITIONER or SSL

...

"user_type": "PATIENT"

Each resource type (see IG Profiles) has certain restrictions to what context is required in order to allow data retrieval or data manipulation.

PlanDefinition/ActivityDefinition

These resources are not patient related. Read and Search operations do not require any security context apart from the privilege.

...

PlanDefinition/ActivityDefinition

...

User Type

...

FHIR Operation

...

Organization Context

...

Property updated → role needed

...

Practitioner

...

create/update

...

required:

must match modifierRole.reference

...

PlanDefinition/ActivityDefinition creation or modifierRole changed → owner

All other updates → owner or co-author

...

System

...

-

...

-

...

-

...

PlanDefinition$apply

...

User Type

...

EpisodeOfCare Context

...

CareTeam Context

...

Practitioner

...

required:

Must match EpisodeOfCare.id

...

required:

Must match EpisodeOfCare.team

...

System

...

-

...

-

DocumentReference

These resources are not patient related.

...

DocumentReference.read/search

...

User Type

...

Context

...

Practitioner / Patient

...

-

...

System

...

-

Read and Search operations do not require any security context apart from the privilege.

...

DocumentReference.create/update

...

User Type

...

Organization Context

...

Practitioner / Patient

...

required:

must match DocumentReference.custodian

...

System

...

-

EpisodeOfCare cannot be created directly. They are created by calling the custom operation: create-episode-of-care

...

EpisodeOfCare.create-episode-of-care

...

User Type

...

EpisodeOfCare Context

...

Patient Context

...

CareTeam Context

...

Practitioner

...

must not be present

...

required:

must match EpisodeOfCare.Patient

...

required:

Must match EpisodeOfCare.team

...

Patient

...

must not be present

...

required:

must match EpisodeOfCare.Patient

...

-

...

System

...

-

...

-

...

-

...

EpisodeOfCare.read

...

User Type

...

EpisodeOfCare Context

...

Practitioner/Patient

...

required:

must match EpisodeOfCare

...

System

...

-

...

EpisodeOfCare.patch/updateCareteams

...

User Type

...

Excerpt

Access to eHealth services and eHealth data in the eHealth Infrastructure are controlled by authentication and authorization based on tokens. The Token based security is described in Token Based Security. This page described how services in the eHealth Infrastructure rely on fields in the JWT access token to perform the access control. This access control comprises Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).

Content on this page

Table of Contents

Role-Based Access Control

The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.

Access Token Field

Meaning

Example Value

realm_access

List of process privileges, that is, what is the user allowed to do.

Code Block

language	json

"realm_access": {
    "roles": [
       "Patient.read",
       "Patient.write"
    ]
  }

What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC part, as the claims here are entirely based on what role the user has.

Attribute-Based Access Control

The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.

Access Token Field

Meaning

Example Value

context

List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the eHealth infrastructure.

Code Block

language	json

"context": {
    "organization_id" : "https://fut.com/fhir/Organization/1",
    "care_team_id": https://fut.com/fhir/CareTeam/4,
    "episode_of_care_id": https://fut.com/fhir/EpisodeOfCare/10,
    "patient_id": "https://fut.com/fhir/Patient/8"
  }

user_id

Id of the user. Can be either an FHIR patient Id, FHIR practitioner Id or a KeyCloak ID

"user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922"

user_type

Can be either SYSTEM, PATIENT, PRACTITIONER or SSL

"user_type": "PATIENT"

Each resource type (see IG Profiles) has certain restrictions to what context is required to allow data retrieval or data manipulation.

PlanDefinition/ActivityDefinition

These resources are not patient-related. Read and Search operations do not require any security context apart from the privilege.

PlanDefinition/ActivityDefinition

User Type

FHIR Operation

Organization Context

Property updated → role needed

Practitioner

create/update

required:

must match modifierRole.reference

PlanDefinition/ActivityDefinition creation or modifierRole changed → owner

All other updates → owner or co-author

System

-

PlanDefinition$apply

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

Must match EpisodeOfCare.id

required:

Must match EpisodeOfCare.team

System

-

DocumentReference

These resources are not patient-related.

User Type	Context
DocumentReference.read/search
Practitioner / Patient	-
System	-

Read and Search operations do not require any security context apart from the privilege.

DocumentReference.create/update

User Type

Organization Context

Practitioner / Patient

required:

must match DocumentReference.custodian

System

-

EpisodeOfCare cannot be created directly. They are created by calling the custom operation: create-episode-of-care

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
EpisodeOfCare.create-episode-of-care
Practitioner	must not be present	required: must match EpisodeOfCare.Patient	required: Must match EpisodeOfCare.team
The patient	must not be present	required: must match EpisodeOfCare.Patient	-
System	-	-	-

EpisodeOfCare.read

User Type

EpisodeOfCare Context

Practitioner/Patient

required:

must match EpisodeOfCare

System

-

User Type	EpisodeOfCare Context	CareTeam Context
EpisodeOfCare.patch/updateCareteams
Practitioner	required: must match EpisodeOfCare	required: Must match EpisodeOfCare.team
Patient	required: must match EpisodeOfCare	-
System	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
EpisodeOfCare.search
Practitioner	must not be present	optional but when present: must match the Patient search parameter	required: Must match CareTeam search parameter
Patient	must not be present	Always present: must match the Patient search parameter	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Condition
Practitioner	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Practitioner	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Patient	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Patient	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
System	-	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Provenance.read
Practitioner	required: must match Provenance.target	-
Practitioner	required: must match Provenance.target	-
Patient	required: must match Provenance.target	-
Patient	required: must match Provenance.target	-
System	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Provenance.search
Practitioner	required: must match the EpisodeOfCare search parameter (provenance.target)	-
Patient	required: must match the EpisodeOfCare search parameter (provenance.target)	-
System	-	-

User Type	EpisodeOfCare Context	Patient context	CareTeam Context
Consent.create/read/patch
Practitioner	Required Must match data.reference	Required Must match data.patient	-
Patient	Required Must match data.reference	Required Must match data.patient	-
System	-	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Consent.search
Practitioner	required: must match the EpisodeOfCare search parameter (consent.data.reference)	-
Patient	required: must match the EpisodeOfCare search parameter (consent.data.reference)	-
System	-	-

CarePlan/ServiceRequest

ServiceRequest is considered a part of a CarePlan and does not have separate privileges.

CarePlan cannot be created directly. It is created and assigned to a Patient by calling PlanDefinition$apply

User Type	EpisodeOfCare Context	CareTeam Context
CarePlan/ServiceRequest Read/Suggest-care-teams
Practitioner	required: must match CarePlan/ServiceRequest .episodeOfCare	required: Careplan: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.
Practitioner	required: must match CarePlan/ServiceRequest .episodeOfCare
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-
System	-	-

User Type	EpisodeOfCare Context	CareTeam Context	Extra permission
CarePlan/ServiceRequest Update/Update-care-teams
Practitioner	required: must match CarePlan/ServiceRequest.episodeOfCare	required: Careplan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.
Practitioner	required: must match CarePlan/ServiceRequest.episodeOfCare
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-	Only allowed if definition.topic is 'self-treatment'
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-	Only allowed if definition.topic is 'self-treatment'
System	-	-

CarePlan: Update careteam special case

User Type

EpisodeOfCare Context

CareTeam Context

Extra permission

Practitioner

required:

must match CarePlan.episodeOfCare

required:

Must match CarePlan.careTeam

Careplan$update.responsibility permission required in token to update careteam element

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
CarePlan Search
Practitioner	optional but when present: must match searchparam episodeOfCare	optional but when present: must match searchparam theSubject Only checked if EpisodeOfCare Context is not set.	required: Must match search parameter CarePlan.careteam or CarePlan.episodeOfCare.team. (Only a single search parameter is allowed for this element)
Patient	optional but when present: must match searchparam episodeOfCare	Always present and must match searchparam theSubject Only checked if EpisodeOfCare Context is not set.	-
System	-	-	-

Goal

Goal is considered as part of a CarePlan and does not have separate privileges.

User Type	Patient Context	EpisodeOfCare Context	CareTeam Context
Goal Create/Read/Update
Practitioner	required: Must match Goal.subject	required: must match Goal.addresses.episodeOfCare	required: must match Goal.addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the Goal.addresses ServiceRequest belongs to.
Patient	required: Must match Goal.subject	-	-
Patient	required: Must match Goal.subject	-	-
System	-	-	-

User Type	Patient Context	EpisodeOfCare Context	CareTeam Context
Goal Search
Practitioner	-	required: must match search param: addresses.episodeOfCare	required: must match search param addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the addresses ServiceRequest belongs to.
Patient	required: Must match search param addresses.subject	-	-
Patient	required: Must match search param addresses.subject	-	-
System	-	-	-

CommunicationRequest

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context	Details
CommunicationRequest Create/Read/Update/Delete
Practitioner	required must match CommunicationRequest.episodeOfCare	required must match CommunicationRequest.subject	required must match CommunicationRequest.recipient if the recipient contains a careteam
Practitioner	required must match CommunicationRequest.episodeOfCare	required must match CommunicationRequest.subject
Patient	optional but when present: must match CommunicationRequest.episodeOfCare	required must match CommunicationRequest.subject	-	Update: Only status
Patient		required must match CommunicationRequest.subject	-
System	-		-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
CommunicationRequest Search
Practitioner	required if the searchparam recipient is a patient. optional otherwise. must match searchparam CommunicationRequest.episodeOfCare when present	optional but when present: must match searchparam CommunicationRequest.subject	required if searchparam recipient is a careteam
Patient	optional but when present must match CommunicationRequest.episodeOfCare	Always present and must match searchparam CommunicationRequest.recipient	-
Patient			-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context	Details
Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Create/Read/Update/Delete
Practitioner	CommunicationRequest.episodeOfCare and EpisodeOfCare security token context must match. If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context	required must match CommunicationRequest.subject	required must match CommunicationRequest.recipient if the recipient contains a careteam
Practitioner		required must match CommunicationRequest.subject
Patient	optional but when present it must match CommunicationRequest.episodeOfCare If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context	required must match CommunicationRequest.subject	-	Update: Only status
Patient		required must match CommunicationRequest.subject	-
System	-		-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Search
Practitioner	If EpisodeOfCare context is present, then searchparam and context must match If EpisodeOfCare context is not present, then the search parameter must include at least one of: episodeOfCare:missing=true recipient=<careteam> matching CareTeam context	optional but when present: must match searchparam patient	required if the search param recipient is a careteam. The search param and careteam context must match.
Patient	optional but when present must match searchparam: episodeOfCare	Always present and must match searchparam CommunicationRequest.recipient	-
Patient			-
System	-	-	-

ClinicalImpression/Task

ClinicalImpression create/read/update

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match

EpisodeOfCare

ClinicalImpression.episodeOfCare

required:

must match ClinicalImpression.subject

required:

Must match EpisodeOfCare

must be in ClinicalImpressions.ehealth-careplan.careTeam or ClinicalImpressions.episodeOfCare.team

Patient

optional but when present:

must match ClinicalImpression.episodeOfCare

required when EOC context is not present:

must

match EpisodeOfCare

match ClinicalImpression.subject	-
match ClinicalImpression.subject	-
System	-	-

EpisodeOfCare

-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
ClinicalImpression.search

Patient Context

CareTeam Context

Practitioner

must not be present

optional but when present:

must match Patient search parameter

required:

Must match CareTeam search parameter

Patient

must not be present

Always present:

must match Patient search parameter

Practitioner	optional when present: do not need to match searchparam: episodeOfCare	optional must match searchparam: subject Only checked if EOC context is not present:	required: either searchparam: episodeOfCare or searchparam: careplan must be provided: if searchparam: episodeOfCare is provided: CareTeam context must be in EpisodeOfCare.team for all referenced EpisodeOfCare ids if searchparam: careplan is provided: CareTeam context must be in CarePlan.careTeam for all referenced CarePlan.
Patient	optional but when present: must match searchparam: episodeOfCare	required when EpisodeOfCare Context is not present: must match searchparam: subject	-
Patient			-
System	-	-	-

Condition

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context / UserId
Task create/read/update

CareTeam Context

Extra Permission
Practitioner

required

optional but when present:

must match

Condition

Task.episodeOfCare

-

Patient

required

optional, but when present:

must

match Condition

match Task.episodeOfCare

-

System

-

Provenance.read

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

must match Provenance.target

-

Patient

required:

must match Provenance.target

-

System

-

Provenance.search

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

must match EpisodeOfCare search parameter (provenance.target)

-

Patient

required:

must match EpisodeOfCare search parameter (provenance.target)

-

System

-

Consent.create/read/patch

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

Required

Must match data.reference

-

Patient

Required

Must match data.reference

-

System

-

Consent.search

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

must match EpisodeOfCare search parameter (consent.data.reference)

-

Patient

required:

must match EpisodeOfCare search parameter (consent.data.reference)

-

.subject	CareTeam Context must match Task.responsible	User must have at least one corresponding restriction category privilege in Task.restriction-category.
	UserID must match Task.responsible, Task.owner or Task.requester
Patient	optional but when present: must match Task.episodeOfCare	required when EOC context is not present: must match Task.episodeOfCare.subject	UserID must match Task.responsible, Task.owner or Task.requester

System	-	-	-

CarePlan/ServiceRequest Read/Suggest-care-teams

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context / UserId	Extra Permission
Task search
Practitioner	optional but when present: must match searchparam episodeOfCare	optional must match searchparam EpisodeOfCare.subject Only checked if EOC context is not present:	CareTeam Context must match searchparam responsible	Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.
Practitioner			UserID must match searchparam: Responsible, Owner or Requester
Patient	optional but when present: must match searchparam episodeOfCare	required when EpisodeOfCare Context is not present: must match searchparam EpisodeOfCare.subject	UserID must match searchparam: Responsible, Owner or Requester
Patient
System	-	-

CarePlan/ServiceRequest

ServiceRequest is considered a part of a CarePlan and does not have separate privileges.

CarePlan cannot be created directly. It is created and assigned to a Patient by calling PlanDefinition$apply

-

Draft of FUTURE change as a consequence of CCR0219: Task create/read/update
User Type	EpisodeOfCare Context	Patient Context	CareTeam

Context

Context / UserId	Extra Permission
Practitioner

required:

must match CarePlan/ServiceRequest .episodeOfCare

required:

Careplan: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team

ProducereRequest: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.

Patient

required:

must match CarePlan/ServiceRequest.episodeOfCare

	optional but when present: must match Task.episodeOfCare	optional, but when present: must match Task.episodeOfCare.subject	CareTeam Context must match Task.responsible	User must have at least one corresponding restriction category privilege in Task.restriction-category.
			CareTeam Context must match one of Task.episodeOfCare.team (list)
			UserID must match Task.responsible, Task.owner or Task.requester	(not checked when UserID match searchparam: Responsible, Owner or Requester)
Patient	optional but when present: must match Task.episodeOfCare	required when EOC context is not present: must match Task.episodeOfCare.subject	UserID must match Task.responsible, Task.owner or Task.requester	-
System	-	-

CarePlan/ServiceRequest Update/Update-care-teams

-

Draft of FUTURE change as a consequence of CCR0219: Task search
User Type	EpisodeOfCare

Context

Patient Context

CareTeam Context / UserId

Extra Permission

Practitioner

optional, but when present must match searchparam episodeOfCare

(Not checked as EOC context when present)

CareTeam Context

Extra permission

Practitioner

required:

must match CarePlan/ServiceRequest.episodeOfCare

required:

Careplan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team

ProducereRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.

Patient

required:

must match CarePlan/ServiceRequest.episodeOfCare

-

Only allowed if definition.topic is 'self-treatment'

System

-

CarePlan: Update careteam special case

User Type

EpisodeOfCare Context

CareTeam Context

Extra permission

Practitioner

required:

must match CarePlan.episodeOfCare

required:

Must match CarePlan.careTeam

Careplan$update.responsibility permission required in token to update careteam element

CarePlan Search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

optional but when present:

must match searchparam episodeOfCare

optional but when present:

must match searchparam theSubject

Only checked if EpisodeOfCare Context is not set.

required:

Must match search parameter CarePlan.careteam or CarePlan.episodeOfCare.team. (Only a single search parameter is allowed for this element)

Patient

optional but when present:

must match searchparam episodeOfCare

Always present and must match searchparam theSubject

Only checked if EpisodeOfCare Context is not set.

-

System

-

Goal

Goal is considered as part of a CarePlan and does not have separate privileges.

...

Goal Create/Read/Update

...

User Type

...

Patient Context

...

EpisodeOfCare Context

...

CareTeam Context

...

Practitioner

...

-

...

required:

must match Goal.addresses.episodeOfCare

...

required:

must match Goal.addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the Goal.addresses ServiceRequest belongs to.

...

Patient

...

required:

Must match Goal.subject

...

-

...

-

...

System

...

-

...

-

...

-

...

Goal Search

...

User Type

...

Patient Context

...

EpisodeOfCare Context

...

CareTeam Context

...

Practitioner

...

-

...

required:

must match search param: addresses.episodeOfCare

...

required:

must match search param addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the addresses ServiceRequest belongs to.

...

Patient

...

required:

Must match search param addresses.subject

...

-

...

-

...

System

...

-

...

-

...

-

...

CommunicationRequest Create/Read/Update/Delete

must match searchparam responsible	Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.
CareTeam Context must match one of Task.episodeOfCare.team (list)
UserID must match searchparam: Responsible, Owner or Requester	(not checked when UserID match searchparam: Responsible, Owner or Requester)
(not present)	Checked when EOC context is not present: must match searchparam EpisodeOfCare.subject	CareTeam Context must match searchparam responsible	Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.
		CareTeam Context must match one of Task.episodeOfCare.team (list)
		UserID must match searchparam: Responsible, Owner or Requester	(not checked if when UserID match searchparam: Responsible, Owner or Requester)
Patient	optional but when present: must match searchparam episodeOfCare	required when EpisodeOfCare Context is not present: must match searchparam EpisodeOfCare.subject	UserID must match searchparam: Responsible, Owner or Requester	-
System	-	-	-	-

When searching for tasks based on careteam, it is possible, but not necessary to specify restriction categories. If they are not specified as search criteria, then they will be inferred from the privileges in the security token.

If a search is based on a specific userID instead of a CareTeam, then all tasks related to that user will be returned regardless of the restriction category.

It is recommended to search based on either a userID or a Careteam. It is technically possible to combine these two search parameters, but the results may be confusing.

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

The Intrastructure creates Observation, Media, and QuestionnaireResponse (with status completed) by telemedicine solution calls $submit-measurement.

Draft QuestionnaireResponse (with status in progress) can be created and updated directly.

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Communication read
Practitioner	optional but when present: must match communication.episodeOfCare	required if EpisodeOfCare context is not present: must match communication.subject Only checked if EpisodeOfCare Context is not present.	A match must be found either through the Careteam or the UserID Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam UserID: must match communication.sender or communication.recipient
Patient	-	required: must match communication.recipient or communication.sender	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Communication create/patch

Details

Extra permission
Practitioner

required

optional but when present:

must

match CommunicationRequest

match communication.episodeOfCare

not checked

required if EpisodeOfCare context is not present:

must match

CommunicationRequest.recipient if recipient contains a careteam

Patient

optional but when present:

must match CommunicationRequest.episodeOfCare

required

must match CommunicationRequest.recipient

-

Update: Only status

communication.subject

A match must be found either through the Careteam or the UserID

Careteam: must match either communication.senderCareTeam
UserID: must match communication.sender

Patient

-

required:

must match communication.subject

-

communication.sender must match AuthToken.userId

System

-

CommunicationRequest Search

-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Communication search
Practitioner	required

if searchparam recipient is a patient.

optional otherwise.

must match searchparam CommunicationRequest.episodeOfCare when present

optional but when present:

must match searchparam CommunicationRequest.subject

required if searchparam recipient is a careteam

Patient

optional but when present

must match CommunicationRequest.episodeOfCare

Always present and must match searchparam CommunicationRequest.recipient

:

search param must match the context

-

A match must be found either through the Careteam or the UserID

Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam
UserID: must match communication.sender or communication.recipient

Patient

-

required:

context must match the subject and either of sender or recipient search params

-

System

-

ClinicalImpression/Task

ClinicalImpression create/read/update

Observation read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match

ClinicalImpression

observation.episodeOfCare

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned to the CarePlan:

Observation.basedOn must be

in ClinicalImpressions.ehealth-careplan.careTeam or ClinicalImpressions.episodeOfCare.team

a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
Patient	optional

but when

but when present:

must match

ClinicalImpression

observation.episodeOfCare

required when EOC context is not present:

must

match ClinicalImpression

match observation.subject

Only checked if EpisodeOfCare Context is not present.

--

System

--

ClinicalImpression.

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Observation search
Practitioner

optional but when present

required:

search param must match

searchparam: episodeOfCare

optional

must match searchparam: subject

Only checked if EOC context is not present:

required:

Must match search param value in context.team or carePlan.careTeam

the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned to the CarePlan:

basedOn search parameter is mandatory and must match the context

Patient

optional but when present:

search param must match

searchparam: episodeOfCare

the context

required when

EpisodeOfCare Context

EOC context is not present:

must match searchparam: subject

search param must match the context	--
System	--	--	--

Task create/

QuestionnaireResponse read

/update

User Type	EpisodeOfCare Context	Patient Context	CareTeam

Context / UserId

Extra Permission

Context
Practitioner

optional but when present

required:

must match

Task

questionnaireResponse.episodeOfCare

optional

must match Task.episodeOfCare.subject

Only checked if EOC context is not present:

CareTeam Context must match Task.responsible

User must have at least one corresponding restriction category privilege in Task.restriction-category.

UserID must match Task.responsible, Task.owner or Task.requester

Patient

optional but when present:

must match Task.episodeOfCare

required when EOC context not present:

must match Task.episodeOfCare.subject

UserID must match Task.responsible, Task.owner or Task.requester

System

-

Task

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned to the CarePlan:

QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match questionnaireResponse.episodeOfCare

required

must match questionnaireResponse.subject

--

System

--

QuestionnaireResponse search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

CareTeam Context / UserId

Extra Permission

Practitioner

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned to the CarePlan:

basedOn search parameter is mandatory and must match the context

Patient

optional but when present:

search param must match

searchparam episodeOfCare

optional

must match searchparam Context.subject

Only checked if

the context

required when EOC context is not present:

CareTeam Context must match searchparam responsible

User must have all restriction category privileges corresponding to the list in searchparam restriction-category.

UserID must match searchparam: Responsible, Owner or Requester

Patient

optional but when present:

must match searchparam episodeOfCare

required when EpisodeOfCare Context not present:

must match searchparam theContext.subject

UserID must match searchparam: Responsible, Owner or Requester

System

-

When searching for tasks based on careteam, it is possible, but not necessary to specify restriction categories. If they are not specified as search criteria, then they will be inferred from the privileges in the security-token.

If a search is based on a specific userID instead of a CareTeam, then all tasks related to that user will be returned regardless of restriction-category.

It is recommended to search based on either a userID or a Careteam. It is technically possible to combine these two search parameters, but the results may be confusing.

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

Observation, Media, and QuestionnaireResponse (with status completed) is created by calling $submit-measurement. A draft QuestionnaireResponse (with status in-progress) can be created and updated directly.

Communication

search param must match the context	--
System	--	--	--

User Type	EpisodeOfCare Context	CareTeam Context
QuestionnaireResponse (status in progress) create/update
Practitioner	required: must match questionnaireResponse.episodeOfCare	required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context If the Careteam is assigned to the CarePlan: QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
Patient	required must match questionnaireResponse.episodeOfCare	--
System	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Media read
Practitioner

optional but when present

required:

must match

communication

media.episodeOfCare

--

required

if EpisodeOfCare context not present:

must match communication.subject

Only checked if EpisodeOfCare Context is not present.

A match must be found either through the Careteam or the UserID

Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam
UserID: must match communication.sender or communication.recipient

Patient

-

required:

must match communication.recipient or communication.sender

-

System

-

Communication create/patch

:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned to the CarePlan:

Media.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match media.episodeOfCare

required when EOC context is not present:

must match media.subject

--

System

--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Media search

Extra permission


Practitioner

optional but when present

required:

search param must match

communication.episodeOfCare

the context

--

required

if EpisodeOfCare context not present:

must match communication.subject

Only checked if EpisodeOfCare Context is not present.

A match must be found either through the Careteam or the UserID

Careteam: must match either communication.senderCareTeam
UserID: must match communication.sender

Patient

-

required:

must match communication.subject

-

communication.sender must match AuthToken.userId

System

-

Communication search

:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned to the CarePlan:

basedOn search parameter is mandatory and must match the context

Patient

optional but when present:

search param must match the context

required when EOC context is not present:

search param must match the context

--

System

--

User Type	EpisodeOfCare Context	Patient Context
$submit-measurement

CareTeam Context

Practitioner

required

:

search param must match the context

-

A match must be found either through the Careteam or the UserID

Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam

UserID: must match communication.sender or communication.recipient

	required
Patient

-

required

:context must match subject and either of sender or recipient search params


System	--

System

-

$search-

Observation read

measurements

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match

observation.episodeOfCare

the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

basedOn search parameter is not mandatory

If the Careteam is assigned

on

to the CarePlan:

Observation.

basedOn

must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

search parameter is mandatory and must match the context
Patient	optional

but when

but when present:

search param must match

observation.episodeOfCare

the context

required when EOC context

not present:

must match observation.subject

Only checked if EpisodeOfCare Context

is not present

.

:

search param must match the context

--

System

--

Observation search

$search-measurements-bundle-limit

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned

on

to the CarePlan:

basedOn search parameter is mandatory and

must

must match the context

Patient

optional but when present:

search param must match the context

required when EOC context is not present:

search param must match the context

--

System

--

QuestionnaireResponse read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match questionnaireResponse.episodeOfCare

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned on the CarePlan:

QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match questionnaireResponse.episodeOfCare

required when EOC context not present:

must match questionnaireResponse.subject

--

System

--

QuestionnaireResponse search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned on the CarePlan:

basedOn search parameter is mandatory and must must match the context

Patient

optional but when present:

search param must match the context

required when EOC context not present:

search param must match the context

--

System

--

QuestionnaireResponse (status in-progress)

Organization/Practitioner/CareTeam

These resources only require privileges to access. There are no security context requirements for these resources.

Device/DeviceMetric/DeviceUseStatement

Privately owned devices do not have context checks. The tables below are valid for devices owned by organizations.

User Type	Organization Context	Patient Context
Device/DeviceMetric create/update/delete
SSL supplier/Practitioner	required must match the Device.owner organization	Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.
Patient	-	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.
System	-

User Type	Patient Context	Organization Context
Device read
SSL supplier/Practitioner	Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.	Required if patient context is not present. Must match the device.owner
Patient	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.	-
System		-

User Type
DeviceUseStatement create/update

EpisodeOfCare

Patient Context

CareTeam

Organization Context
SSL supplier/Practitioner	required

:

must

match questionnaireResponse

match DeviceUseStatement.

episodeOfCare

subject

required

:

...

System

...

-

...

Device read

...

User Type

...

Patient Context

...

Organization Context

...

SSL supplier/Practitioner

...

Optional but when present:

must match a DeviceUseStatement where:

DeviceUseStatement subject = patient context
DeviceUseStatement device references the device.

...

Required if patient context is not present.

Must match device.owner

...

Patient

...

must match a DeviceUseStatement where:

DeviceUseStatement subject = patient context
DeviceUseStatement device references the device.

...

-

...

System

...

-

...

DeviceUseStatement create/update

...

User Type

...

Patient Context

...

Organization Context

...

SSL supplier/Practitioner

...

required

must match DeviceUseStatement.subject

...

required

must match the Device.owner organization

...

System

...

-

...

-

...

DeviceUseStatement read

...

User Type

...

Patient Context

...

Organization Context

...

SSL supplier/Practitioner

...

required

must match DeviceUseStatement.subject

...

-

...

Patient

...

must match a DeviceUseStatement.subject

...

-

...

System

...

-

...

-

Questionnaire

...

Questionnaire

...

User Type

...

FHIR Operation

...

Organization Context

...

Property updated

...

Role needed

...

Practitioner / Patient

...

create

...

required:

must match Questionnaire.modifierRole.reference

...

-

...

owner

...

update

...

required:

must match Questionnaire.modifierRole.reference

...

Questionnaire.modifierRole

...

owner

...

Not Questionnaire.modifierRole

...

owner or co-author

...

delete

...

required:

must match Questionnaire.modifierRole.reference

...

-

...

owner

...

read/search

...

-

...

-

...

-

...

System

...

-

...

-

...

-

...

-

Actionguidance

...

Actionguidance

...

User Type

...

FHIR Operation

...

Organization Context

...

Property updated

...

Role needed

...

Practitioner / Patient

...

create

...

required:

must match Actionguidance.modifierRole.reference

...

-

...

owner

...

update

...

required:

must match Actionguidance.modifierRole.reference

...

Actionguidance.modifierRole

...

owner

...

Not Actionguidance.modifierRole

...

owner or co-author

...

read/search

...

-

Note:

There are two ways to be able to make a search. First, if a permission for both Actionguidance and view is present, it will give access.

Secondly, to make a search, an actionguidance permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected.

Values to supply for a profile search

profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-actionguidance

Values to supply for a code search

code=http://ehealth.sundhed.dk/cs/basic-resource-type|actionguidance

...

-

...

-

...

System

...

-

...

-

...

-

...

-

View

...

View

...

User Type

...

FHIR Operation

...

Organization Context

...

Property updated

...

Role needed

...

Practitioner / Patient

...

create

...

required:

must match View.modifierRole.reference

...

-

...

owner

...

update

...

required:

must match View.modifierRole.reference

...

View.modifierRole

...

owner

...

Not View.modifierRole

...

owner or co-author

...

read/search

...

-

Note:

There are two ways to be able to make a search. First, if a permission for both View and view is present, it will give access.

Secondly, to make a search, an View permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected.

Values to supply for a profile search

profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-view

Values to supply for a code search

code=http://ehealth.sundhed.dk/cs/basic-resource-type|view

...

-

...

-

...

System

...

-

...

-

...

-

...

-

Transform

These operations are stateless and only require privileges to call. There are no security context requirements for these operations

Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

These resources only require privileges to access. There are no security context requirements for these resources

Library

There are no context checks for CRUD and search operations for the Library resource.

...

Library evaluate

...

User Type

...

EpisodeOfCare Context

...

Patient Context

...

CareTeam Context

...

Practitioner

...

required:

must match either Observation.episodeOfCare

or QuestionnaireResponse.episodeOfCare

...

required:

must match either Observation.subject

or QuestionnaireResponse.subject

...

-

...

Patient

...

required:

must match either Observation.episodeOfCare

or QuestionnaireResponse.episodeOfCare

...

required:

must match either Observation.subject

or QuestionnaireResponse.subject

...

-

...

System

...

-

...

-

...

-

SSL

SSL Catalogue

SSL Catalogue create/update/read

User Type

Organization Context

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned on the CarePlan:

QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

required

must match questionnaireResponse.episodeOfCare

--

System

--

Media read

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

must match media.episodeOfCare

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context

If the Careteam is assigned on the CarePlan:

Media.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context

Patient

optional but when present:

must match media.episodeOfCare

required when EOC context not present:

must match media.subject

--

System

--

Media search

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned on the CarePlan:

basedOn search parameter is mandatory and must must match the context

Patient

optional but when present:

search param must match the context

required when EOC context not present:

search param must match the context

--

System

--

$submit-measurement

User Type

EpisodeOfCare Context

Practitioner

required

Patient

required

System

--

$search-measurements

User Type

EpisodeOfCare Context

Patient Context

CareTeam Context

Practitioner

required:

search param must match the context

--

required:

If the CareTeam is assigned on the EpisodeOfCare:

basedOn search parameter is not mandatory

If the Careteam is assigned on the CarePlan:

basedOn search parameter is mandatory and must must match the context

Patient

optional but when present:

search param must match the context

required when EOC context not present:

search param must match the context

--

System

--

Organization/Practitioner/CareTeam

These resources only require privileges to access. There are no security context requirements for these resources.

Device/DeviceMetric/DeviceUseStatement

Privately owned devices do not have context checks. The tables below are valid for devices owned by organizations.

...

Device/DeviceMetric create/update/delete

...

User Type

...

Organization Context

...

Patient Context

...

SSL supplier/Practitioner

...

required

must match the Device.owner organization

Optional but when present:

must match a DeviceUseStatement where:

DeviceUseStatement subject = patient context
DeviceUseStatement device references the device.

...

Patient

...

-

...

must match a DeviceUseStatement where:

DeviceUseStatement subject = patient context
DeviceUseStatement device references the device.

must match the Device.owner organization
System	-	-

User Type	Patient Context	Organization Context
DeviceUseStatement read
SSL supplier/Practitioner	required must match DeviceUseStatement.subject	-
Patient	must match a DeviceUseStatement.subject	-
System	-	-

Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)

User Type	Organization Context	Patient Context
Device/DeviceMetric create
SSL supplier/Practitioner	required must match the Device.owner organization when the non-privately owned device	-
Patient (Must be privately owned device)	-	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device or have no related DeviceUseStatement.
System	-	-

User Type	Organization Context	Patient Context
Device/DeviceMetric update/delete
SSL supplier/Practitioner	required must match the Device.owner organization when the non-privately owned device	Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatematch device references the device. or have no related DeviceUseStatement.
Patient	-	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device or has no related DeviceUseStatement. The device must be privately owned.
System	-

User Type	Organization Context	Patient Context
DeviceUseStatement create/update
SSL supplier/Practitioner	required must match the Device.owner organization when the non-privately owned device	required must match DeviceUseStatement.subject
Patient	-	required. The DeviceUseStatement must have: DeviceUseStatement subject = patient context DeviceUseStatement device references the device The device must be privately owned.
System	-

User Type	Organization Context	Patient Context
DeviceUseStatement read
SSL supplier/Practitioner	-	required must match DeviceUseStatement.subject
Patient	-	required must match DeviceUseStatement.subject
System	-	-

User Type	Organization Context	Patient Context
DeviceUseStatement search
SSL supplier/Practitioner	-	required patient search param must match the context
Patient	-	required patient search param must match the context
System	-	-

Questionnaire

User Type	FHIR Operation	Organization Context	Property updated	Role needed
Questionnaire
Practitioner / Patient	create	required: must match Questionnaire.modifierRole.reference	-	owner
	update	required: must match Questionnaire.modifierRole.reference	Questionnaire.modifierRole	owner
	update	required: must match Questionnaire.modifierRole.reference	Not Questionnaire.modifierRole	owner or co-author
	delete	required: must match Questionnaire.modifierRole.reference	-	owner
	read/search	-	-	-
System	-	-	-	-

Actionguidance

User Type	FHIR Operation	Organization Context	Property updated	Role needed
Actionguidance
Practitioner / Patient	create	required: must match Actionguidance.modifierRole.reference	-	owner
	update	required: must match Actionguidance.modifierRole.reference	Actionguidance.modifierRole	owner
	update	required: must match Actionguidance.modifierRole.reference	Not Actionguidance.modifierRole	owner or co-author
	read/search	- Note: There are two ways to be able to search. First, if permission for both Actionguidance and view is present, it will give access. Secondly, to search, an actionguidance permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected. Values to supply for a profile search profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-actionguidance Values to supply for a code search code=http://ehealth.sundhed.dk/cs/basic-resource-type\|actionguidance	-	-
System	-	-	-	-

View

User Type	FHIR Operation	Organization Context	Property updated	Role needed
View
Practitioner / Patient	create	required: must match View.modifierRole.reference	-	owner
	update	required: must match View.modifierRole.reference	View.modifierRole	owner
	update	required: must match View.modifierRole.reference	Not View.modifierRole	owner or co-author
	read/search	- Note: There are two ways to be able to search. First, if permission for both View and view is present, it will give access. Secondly, to search, a View permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected. Values to supply for a profile search profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-view Values to supply for a code search code=http://ehealth.sundhed.dk/cs/basic-resource-type\|view	-	-
System	-	-	-	-

Transform

These operations are stateless and only require privileges to call. There are no security context requirements for these operations

Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

These resources can be accessed by all users. Updates require write privileges. There are no security context requirements for these resources.

Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

These resources can be accessed by all users. Updates require write privileges (named QuestionnaireConceptMap, QuestionnaireCodeSystem, QuestionnaireValueSet and QuestionnaireNamingSystem). There are no security context requirements for these resources.

Library

There are no context checks for CRUD and search operations for the Library resource.

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Library evaluate
Practitioner	required: must match either Observation.episodeOfCare or QuestionnaireResponse.episodeOfCare	required: must match either Observation.subject or QuestionnaireResponse.subject	-
Patient	required: must match either Observation.episodeOfCare or QuestionnaireResponse.episodeOfCare	required: must match either Observation.subject or QuestionnaireResponse.subject	-
System	-	-	-

SSL Domain

SSL Catalogue service

Catalogue

User Type	Organization Context
SSL Catalogue create/update/read
SSL supplier	required: must resolve to and match the Catalogue.seller party
Practitioner	-
System	-

CatalogueItem

User Type	Organization Context
SSL CatalogueItem create/update/read
SSL supplier	required: must resolve to and match the CatalogueItem.Catalogue.seller party
Practitioner	-
System	-

User Type	Organization Context
SSL CatalogueItems read
SSL supplier	required: must resolve to and match the CatalogueItem.Catalogue.seller party
Practitioner	required: must resolve to and match WhiteList.buyer party, only returns CatalogueItems referred by WhiteLists
System	-

Annotation

User Type	Organization Context
SSL Annotation create/update/read/delete
SSL supplier	required: must resolve to and match the Annotation.CatalogueItem.Catalogue seller party
Practitioner	-
System	-

Whitelist

User Type	Organization Context
SSL WhiteList create/read/delete
SSL supplier	- (no access)
Practitioner	required: must resolve to and match the WhiteList.buyer party
System	-

BlackList

User Type	Patient Context
SSL BlackList create/read/delete
SSL supplier	- (no access)
Practitioner	required: must match the BlackList.patient
System	-

Problem

User Type	Organization Context
SSL Problem create/patch/delete
SSL supplier	required: must resolve and match the Problem.CatalogueItem.Catalogue seller party
Practitioner	- (no access)
System	-

User Type	Organization Context
SSL Problem read
SSL supplier	required: must resolve and match the Problem.CatalogueItem.Catalogue seller party
Practitioner	required: must resolve to and match WhiteList.buyer party, only returns Problems with CatalogueItems referred by WhiteLists
System	-

Package

User Type	Organization Context
SSL Package create/read/patch/delete
SSL supplier	- (no access)
Practitioner	required: must resolve to and match the Package.buyer party
System	-

SSL Order Service

Order

User Type	Organization Context	EpisodeOfCare Context	CareTeam Context
SSL Order create
SSL supplier	required: must resolve to and match the

Catalogue

Order.seller party

Practitioner

-

System

-

SSL CatalogueItem

SSL CatalogueItem create/update/read

User Type

Organization Context

SSL supplier

required: used for reading CarePlan, see CarePlan resource for context rules	required: used for reading CarePlan, see CarePlan resource for context rules
Practitioner	required: must resolve to and match the

CatalogueItem.Catalogue.seller party

Practitioner

-

System

Order.buyer party	required: used for reading CarePlan, see CarePlan resource for context rules	required: used for reading CarePlan, see CarePlan resource for context rules
System	-	-	-

SSL

CatalogueItems read

User Type	Organization Context
Order read/update/patch/delete/search
SSL supplier	required: must resolve to and match the

CatalogueItem

Order.

Catalogue.

seller party
Practitioner	required: must resolve to and match

WhiteList

the Order.buyer party

, only returns CatalogueItems referred by WhiteLists


System	-

...

OrderLine

SSL

Annotation

OrderLine create/read/update/

read

User Type	Organization Context
patch/delete/search
SSL supplier	required: must resolve to and match the

Annotation

OrderLine.

CatalogueItem

Order.

Catalogue

seller party

Practitioner

-

	required: must resolve to and match the OrderLine.Order.buyer party
System	-

...

Contract

SSL

WhiteList

Contract create/patch/read

/delete

User Type	Organization Context

SSL

supplier

- (no access)

Practitioner

supplier

required:
must resolve to and match the

WhiteList

Contract.

buyer

seller party
Practitioner	-
System	-

SSL BlackList

SSL BlackList create/read/delete

User Type
custom/hasValidContract

Patient

Practitioner

Organization Context
SSL supplier

- (no access)

required:
must resolve to and match the

BlackList.patient

Contract.seller party
Practitioner	-
System	-

...

Party

SSL

Problem

Party create/

patch

update/

delete

User Type	Organization Context
read
SSL supplier

required:
must resolve to and match the Problem.CatalogueItem.Catalogue seller party

-
Practitioner	-

(no access)


System	-

SSL Problem read

User Type	Organization Context
custom/findOrCreateParty
SSL supplier	required: must

resolve to and

match the

Problem.CatalogueItem.Catalogue seller party

organization parameter
Practitioner	required: must

resolve to and match WhiteList.buyer party, only returns Problems with CatalogueItems referred by WhiteLists

match the organization parameter
System	-

SSL Package

...

Reports

User Type	Organization Context
Schedule/Fetch <Report_name>

SSL supplier

- (no access)

UserID

Extra permission

Practitioner

required

Must match input parameter:

must resolve to and match the Package.buyer party

System

-

SSL Orders

...

SSL Order create

...

User Type

...

Organization Context

...

EpisodeOfCare Context

...

CareTeam Context

...

SSL supplier

...

required:
must resolve to and match the Order.seller party

...

required:
used for reading CarePlan, see CarePlan resource for context rules

...

required:
used for reading CarePlan, see CarePlan resource for context rules

...

Practitioner

...

required:
must resolve to and match the Order.buyer party

...

required:
used for reading CarePlan, see CarePlan resource for context rules

...

required:
used for reading CarePlan, see CarePlan resource for context rules

...

System

...

-

...

-

...

-

...

SSL Order read/update/patch/delete/search

...

User Type

...

Organization Context

...

SSL supplier

...

required:
must resolve to and match the Order.seller party

...

Practitioner

...

required:
must resolve to and match the Order.buyer party

...

System

...

-

...

SSL OrderLine create/read/update/patch/delete/search

...

User Type

...

Organization Context

...

SSL supplier

...

required:
must resolve to and match the OrderLine.Order.seller party

...

Practitioner

...

required:
must resolve to and match the OrderLine.Order.buyer party

...

System

...

-

SSL Contract

...

SSL Contract create/patch/read

...

User Type

...

Organization Context

...

SSL supplier

...

required:
must resolve to and match the Contract.seller party

...

Practitioner

...

-

...

System

...

-

...

custom/hasValidContract

...

User Type

...

Organization Context

...

SSL supplier

...

required:
must resolve to and match the Contract.seller party

...

Practitioner

...

-

...

System

...

-

SSL Party

...

SSL Party create/update/read

...

User Type

...

Organization Context

...

SSL supplier

...

-

...

Practitioner

...

-

...

System

...

-

...

custom/findOrCreateParty

...

User Type

...

Organization Context

...

SSL supplier

...

required:
must match the organization parameter

...

Practitioner

...

required:
must match the organization parameter

...

System

...

-

Reports

...

Schedule/Fetch <Report_name>

...

User Type

...

Organization Context

...

UserID

...

Extra permission

...

Practitioner

...

required

Must match input parameter: ManagingOrganization

...

Only the user that called schedule is allowed to read the resulting /fhir/Binary/id

...

The privilege Report.non-anonymized is required if input parameter: anonymization == false

...

System-user

...

System user can't have an organization context

...

Only the user that called schedule is allowed to read the resulting /fhir/Binary/id

...

The privilege Report.non-anonymized is required if input parameter: anonymization == false

Patient/Appointment/Communication(eHealthMessage)/Person

SYSTEM users can perform any action, regardless of context, as long as they have the appropriate realm_access.role (e.g. Appointment.read to read appointments).

...

ManagingOrganization	Only the user that called schedule is allowed to read the resulting /fhir/Binary/id	The privilege Report.non-anonymized is required if input parameter: anonymization == false
System-user	System users can't have an organization context	Only the user that called schedule is allowed to read the resulting /fhir/Binary/id	The privilege Report.non-anonymized is required if input parameter: anonymization == false

Patient/Appointment/Communication(eHealthMessage)/Person

SYSTEM users can perform any action, regardless of context, as long as they have the appropriate realm_access.role (e.g. Appointment.read to read appointments).

R = Required
U = Used (may be required to access certain data)

realm_access.role	Patient Context	CareTeam Context	Extra Rules / Comments
Patient.read	R*	R*	REGULAR SEARCH: To perform a regular Patient Search, the user MUST have the Patient Context. LIMITED SEARCH (Dashboard Search): It is also possible to perform a patient search witha CareTeam Context instead of a Patient Context. In that case, the patients are then retrieved from EpisodesOfCare and CarePlan objects that the CareTeam is involved in. NOTE: The patient resources that are returned from this search are limited and as such only the following information is returned: Identifier Date of Birth Gender Cpr Deceased status Home address Official name *R - THE CONTEXTS ARE MUTUALLY EXCLUSIVE, AS SUCH IF BOTH CONTEXTS ARE PROVIDED IN THE TOKEN, ONLY THE PATIENT CONTEXT IS USED.****
Patient.write	R		1: FHIR operations "create" and "update" are not available on the Patient resource. (use $createPatient and "patch") 2: Only certain attributes are allowed to be patched using HTTP PATCH
Patient$updatePatientWithSKRSData
Patient$createPatient
Appointment.read	U	U	For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be read if the user has a Care Team in context that is participating in the appointment the user is participating in the appointment (as a Practitioner or Patient) 3: Searching PATIENT users can search all Appointments that involve the user itself PRACTITIONER/SSL users can search all Appointments that involve the user itself, or the Organization/CareTeam/Patient in context
Appointment.write	U	U	For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be written if the user has a Care Team in context that is participating in the appointment the user is participating in the appointment (as a Practitioner or Patient)
Appointment$exportAsiCal	U	U	The same rules apply to reading appointments Note: Only PRACTITIONER/SSL users can see the names of Practitioner participants in the exported iCal object
RelatedPerson.read	R		Only related persons to the patient in context can be read
RelatedPerson.write	R		Only related persons to the patient in context can be written
Communication.read		U	If the message has a restriction category X, the corresponding RestrictionCategory.X role must be present in the realm_access list. 1: PATIENT users can read communication where they are either the sender or recipient 2: PRACTITIONER and SSL users can read communication where they are either the sender or recipient communication where the CareTeam in context is the sender or recipient 3: Only SYSTEM users can read communication from DEVICE senders
Communication.write		U	1: Communication must have exactly one sender and one recipient 2: Communication with the category "note" can only be created/patched/deleted if user = sender and (recipient = sender or recipient = a CareTeam). (notes can be shared with any CareTeam) 3: PATIENT users can only create/delete "mesHTTP" communication where they are the sender, and the recipient is of type CareTeam can only patch "message" communication where they are sender or recipient (the recipient can patch "received" property) 4: PRACTITIONER and SSL users can only create/delete "message" communication where the sender is the CareTeam in context and the recipient is of type PATIENT or type CareTeam can only patch "message" communication where the CareTeam in context is the sender or recipient
Person$match			Only requires the role “Person$match” Used to lookup person data by CPR, including name and a patient reference, if one exists. This is only a read operation and will not create any resources. The operations are audit logged.

Group Appointment

A “Group appointment” is an Appointment with one of the profiles http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-appointment, http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-videoappointment

Appropriate appointment-related realm_access.role is required for all operations
SYSTEM users have access to all data and http operations regardless of context
- Only SYSTEM users can use PUT, other users must use PATCH to change a group appointment
Create
- All Practitioner/SSL users can create group appointments if the they have an Appointment.write role and a CareTeam in context
  - assigning-careteam extension on participants must match CareTeam in the context
Read/Search
- ehealth-creator, ehealth-responsible and ehealth-performer can see all parts of the appointment, regardless of the CareTeam context
- All Practitioner/SSL users can read/find all group appointments and view all parts of it, except Patient participants whose assigning-careteam differs from the CareTeam in context, and the RelatedPersons of those
- Patient users can only read/find group appointments that they themselves are participants onin, and can view all parts, except other Patient participants and RelatedPersons of those
Patching
- Patient users cannot patch
- When adding/removing a participant, the relevant assigning-careteam must be in the context
  - Removing a Patient/RelatedPerson participant is also allowed if the relevant patient is in context
- ehealth-creator and ehealth-responsible can patch all parts of the appointment
- ehealth-performer can patch all parts of the appointment, except ehealth-responsible
- All other Practitioner/SSL users can only add/remove Patient/RelatedPerson participants

Note on Patching a Partial View

Please note that due to the filtering of participants, in some scenarios a client holds only a partial view of the appointment (with some participants missing due to security filtering).
This has an impact when removing a participant in a PATCH using an index, e.g. [{ "op": "remove", "path": "/participant/0" }]. What is in index 0 of the partial view, might not be what is actually in index 0 in the full version of the resource.
The server is aware of this dilemma and “maps” indexes when receiving a http an HTTP patch request, based on the JWT user_id/context used for the request. The server assumes the patch request is performed by the same user_id/context as the patch content indexes was were constructed from.

This means that PATCH operations should be performed with the same JWT as was used when reading the group appointment resource that the patch content (indexes) is based on.

...

Page Comparison

Versions Compared

Old Version 9

New Version Current

Key

Role Based Access Control

Attribute Based Access Control

PlanDefinition/ActivityDefinition

DocumentReference

EpisodeOfCare/Condition/Provenance/Consent

Content on this page

Role-Based Access Control

Attribute-Based Access Control

PlanDefinition/ActivityDefinition

PlanDefinition/ActivityDefinition

PlanDefinition$apply

DocumentReference

DocumentReference.read/search

DocumentReference.create/update

EpisodeOfCare/Condition/Provenance/Consent

EpisodeOfCare.create-episode-of-care

EpisodeOfCare.read

EpisodeOfCare.patch/updateCareteams

EpisodeOfCare.search

Condition

Provenance.read

Provenance.search

Consent.create/read/patch

Consent.search

CarePlan/ServiceRequest

CarePlan/ServiceRequest Read/Suggest-care-teams

CarePlan/ServiceRequest Update/Update-care-teams

CarePlan: Update careteam special case

CarePlan Search

Goal

Goal Create/Read/Update

Goal Search

CommunicationRequest

CommunicationRequest Create/Read/Update/Delete

CommunicationRequest Search

Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Search

ClinicalImpression/Task

ClinicalImpression create/read/update

ClinicalImpression.search

Task create/read/update

Task search

CarePlan/ServiceRequest

Draft of FUTURE change as a consequence of CCR0219: Task create/read/update

Draft of FUTURE change as a consequence of CCR0219: Task search

Goal

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

Communication read

Communication create/patch

Communication search

ClinicalImpression/Task

Observation read

Observation search

QuestionnaireResponse read

QuestionnaireResponse search

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

QuestionnaireResponse (status in progress) create/update

Media read

Media search

$submit-measurement

$search-

measurements

$search-measurements-bundle-limit

Organization/Practitioner/CareTeam

Device/DeviceMetric/DeviceUseStatement

Device/DeviceMetric create/update/delete

Device read

DeviceUseStatement create/update

Questionnaire

Actionguidance

View

Transform

Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

Library

SSL

SSL Catalogue