1 Role-Based Access Control
2 Attribute-Based Access Control
- 2.1 PlanDefinition/ActivityDefinition
- 2.2 DocumentReference
- 2.3 EpisodeOfCare/Condition/Provenance/Consent
- 2.4 CarePlan/ServiceRequest
  - 2.4.1 CarePlan/ServiceRequest Read/Suggest-care-teams
- 2.5 Goal
- 2.6 CommunicationRequest
- 2.7 ClinicalImpression/Task
  - 2.7.1 ClinicalImpression create/read/update
  - 2.7.2 ClinicalImpression.search
  - 2.7.3 Task create/read/update
  - 2.7.4 Task search
- 2.8 Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)
- 2.9 Organization/Practitioner/CareTeam
- 2.10 Device/DeviceMetric/DeviceUseStatement
- 2.11 Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)
- 2.12 Questionnaire
- 2.13 Actionguidance
- 2.14 View
- 2.15 Transform
- 2.16 Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
- 2.17 Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
- 2.18 Library
- 2.19 SSL Domain
  - 2.19.1 SSL Catalogue service
    - 2.19.1.1 Catalogue
    - 2.19.1.2 CatalogueItem
    - 2.19.1.3 Annotation
    - 2.19.1.4 Whitelist
    - 2.19.1.5 BlackList
    - 2.19.1.6 Problem
    - 2.19.1.7 Package
  - 2.19.2 SSL Order Service
    - 2.19.2.1 Order
    - 2.19.2.2 OrderLine
    - 2.19.2.3 Contract
    - 2.19.2.4 Party
- 2.20 Reports
- 2.21 Patient/Appointment/Communication(eHealthMessage)/Person
- 2.22 Group Appointment
  - 2.22.1 Note on Patching a Partial View

As described in previous pages, the services and data in the eHealth Infrastructure are protected by authentication and authorization based on tokens. Described here is how services in the eHealth Infrastructure rely on fields in the access token to perform access control. This access control comprises Role role-based access Control (RBAC) and Attribute Based Access Control (ABAC).

Role-Based Access Control

The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.

Access Token Field	Meaning	Example Value

Access Token Field

Meaning

Example Value

realm_access

List of process privileges, that is, what is the user allowed to do.

"realm_access": {

"roles": [

"Patient.read",

"Patient.write"

]

}

What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC part, as the claims here are entirely based on what role the user has.

Attribute-Based Access Control

The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.

Access Token Field	Meaning	Example Value

Access Token Field

Meaning

Example Value

context

List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the eHealth infrastructure.

"context": {

"organization_id" : "https://fut.com/fhir/Organization/1",

"care_team_id": https://fut.com/fhir/CareTeam/4,

"episode_of_care_id": https://fut.com/fhir/EpisodeOfCare/10,

"patient_id": "https://fut.com/fhir/Patient/8"

}

user_id

Id of the user. Can be either an FHIR patient Id, FHIR practitioner Id or a KeyCloak ID

"user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922"

user_type

Can be either SYSTEM, PATIENT, PRACTITIONER or SSL

"user_type": "PATIENT"

Each resource type (see IG Profiles) has certain restrictions to what context is required to allow data retrieval or data manipulation.

PlanDefinition/ActivityDefinition

These resources are not patient-related. Read and Search operations do not require any security context apart from the privilege.

PlanDefinition/ActivityDefinition

User Type

FHIR Operation

Organization Context

Property updated → role needed

Practitioner

create/update

required:

must match modifierRole.reference

PlanDefinition/ActivityDefinition creation or modifierRole changed → owner

All other updates → owner or co-author

System

-

PlanDefinition$apply

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

Must match EpisodeOfCare.id

required:

Must match EpisodeOfCare.team

System

-

DocumentReference

These resources are not patient-related.

User Type	Context
DocumentReference.read/search
Practitioner / Patient	-
System	-

Read and Search operations do not require any security context apart from the privilege.

DocumentReference.create/update

User Type

Organization Context

Practitioner / Patient

required:

must match DocumentReference.custodian

System

-

EpisodeOfCare cannot be created directly. They are created by calling the custom operation: create-episode-of-care

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
EpisodeOfCare.create-episode-of-care
Practitioner	must not be present	required: must match EpisodeOfCare.Patient	required: Must match EpisodeOfCare.team
The patient	must not be present	required: must match EpisodeOfCare.Patient	-
System	-	-	-

EpisodeOfCare.read

User Type

EpisodeOfCare Context

Practitioner/Patient

required:

must match EpisodeOfCare

System

-

User Type	EpisodeOfCare Context	CareTeam Context
EpisodeOfCare.patch/updateCareteams
Practitioner	required: must match EpisodeOfCare	required: Must match EpisodeOfCare.team
Patient	required: must match EpisodeOfCare	-
System	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
EpisodeOfCare.search
Practitioner	must not be present	optional but when present: must match the Patient search parameter	required: Must match CareTeam search parameter
Patient	must not be present	Always present: must match the Patient search parameter	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Condition
Practitioner	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Practitioner	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Patient	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Patient	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
System	-	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Provenance.read
Practitioner	required: must match Provenance.target	-
Practitioner	required: must match Provenance.target	-
Patient	required: must match Provenance.target	-
Patient	required: must match Provenance.target	-
System	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Provenance.search
Practitioner	required: must match the EpisodeOfCare search parameter (provenance.target)	-
Patient	required: must match the EpisodeOfCare search parameter (provenance.target)	-
System	-	-

User Type	EpisodeOfCare Context	Patient context	CareTeam Context
Consent.create/read/patch
Practitioner	Required Must match data.reference	Required Must match data.patient	-
Patient	Required Must match data.reference	Required Must match data.patient	-
System	-	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Consent.search
Practitioner	required: must match the EpisodeOfCare search parameter (consent.data.reference)	-
Patient	required: must match the EpisodeOfCare search parameter (consent.data.reference)	-
System	-	-

CarePlan/ServiceRequest

ServiceRequest is considered a part of a CarePlan and does not have separate privileges.

CarePlan cannot be created directly. It is created and assigned to a Patient by calling PlanDefinition$apply

User Type	EpisodeOfCare Context	CareTeam Context
CarePlan/ServiceRequest Read/Suggest-care-teams
Practitioner	required: must match CarePlan/ServiceRequest .episodeOfCare	required: Careplan: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.
Practitioner	required: must match CarePlan/ServiceRequest .episodeOfCare
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-
System	-	-

User Type	EpisodeOfCare Context	CareTeam Context	Extra permission
CarePlan/ServiceRequest Update/Update-care-teams
Practitioner	required: must match CarePlan/ServiceRequest.episodeOfCare	required: Careplan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.
Practitioner	required: must match CarePlan/ServiceRequest.episodeOfCare
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-	Only allowed if definition.topic is 'self-treatment'
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-	Only allowed if definition.topic is 'self-treatment'
System	-	-

CarePlan: Update careteam special case

User Type

EpisodeOfCare Context

CareTeam Context

Extra permission

Practitioner

required:

must match CarePlan.episodeOfCare

required:

Must match CarePlan.careTeam

Careplan$update.responsibility permission required in token to update careteam element

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
CarePlan Search
Practitioner	optional but when present: must match searchparam episodeOfCare	optional but when present: must match searchparam theSubject Only checked if EpisodeOfCare Context is not set.	required: Must match search parameter CarePlan.careteam or CarePlan.episodeOfCare.team. (Only a single search parameter is allowed for this element)
Patient	optional but when present: must match searchparam episodeOfCare	Always present and must match searchparam theSubject Only checked if EpisodeOfCare Context is not set.	-
System	-	-	-

Goal

Goal is considered as part of a CarePlan and does not have separate privileges.

User Type	Patient Context	EpisodeOfCare Context	CareTeam Context
Goal Create/Read/Update
Practitioner	required: Must match Goal.subject	required: must match Goal.addresses.episodeOfCare	required: must match Goal.addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the Goal.addresses ServiceRequest belongs to.
Patient	required: Must match Goal.subject	-	-
Patient	required: Must match Goal.subject	-	-
System	-	-	-

User Type	Patient Context	EpisodeOfCare Context	CareTeam Context
Goal Search
Practitioner	-	required: must match search param: addresses.episodeOfCare	required: must match search param addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the addresses ServiceRequest belongs to.
Patient	required: Must match search param addresses.subject	-	-
Patient	required: Must match search param addresses.subject	-	-
System	-	-	-

CommunicationRequest

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context	Details
CommunicationRequest Create/Read/Update/Delete
Practitioner	required must match CommunicationRequest.episodeOfCare	required must match CommunicationRequest.subject	required must match CommunicationRequest.recipient if the recipient contains a careteam
Practitioner	required must match CommunicationRequest.episodeOfCare	required must match CommunicationRequest.subject
Patient	optional but when present: must match CommunicationRequest.episodeOfCare	required must match CommunicationRequest.subject	-	Update: Only status
Patient		required must match CommunicationRequest.subject	-
System	-		-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
CommunicationRequest Search
Practitioner	required if the searchparam recipient is a patient. optional otherwise. must match searchparam CommunicationRequest.episodeOfCare when present	optional but when present: must match searchparam CommunicationRequest.subject	required if searchparam recipient is a careteam
Patient	optional but when present must match CommunicationRequest.episodeOfCare	Always present and must match searchparam CommunicationRequest.recipient	-
Patient			-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context	Details
Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Create/Read/Update/Delete
Practitioner	CommunicationRequest.episodeOfCare and EpisodeOfCare security token context must match. If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context	required must match CommunicationRequest.subject	required must match CommunicationRequest.recipient if the recipient contains a careteam
Practitioner		required must match CommunicationRequest.subject
Patient	optional but when present it must match CommunicationRequest.episodeOfCare If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context	required must match CommunicationRequest.subject	-	Update: Only status
Patient		required must match CommunicationRequest.subject	-
System	-		-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Draft of FUTURE change as a consequence of CCR154: CommunicationRequest Search
Practitioner	If EpisodeOfCare context is present, then searchparam and context must match If EpisodeOfCare context is not present, then the search parameter must include at least one of: episodeOfCare:missing=true recipient=<careteam> matching CareTeam context	optional but when present: must match searchparam patient	required if the search param recipient is a careteam. The search param and careteam context must match.
Patient	optional but when present must match searchparam: episodeOfCare	Always present and must match searchparam CommunicationRequest.recipient	-
Patient			-
System	-	-	-

ClinicalImpression/Task

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
ClinicalImpression create/read/update
Practitioner	required: must match ClinicalImpression.episodeOfCare	required: must match ClinicalImpression.subject	required: must be in ClinicalImpressions.ehealth-careplan.careTeam or ClinicalImpressions.episodeOfCare.team
Practitioner	required: must match ClinicalImpression.episodeOfCare	required: must match ClinicalImpression.subject
Patient	optional but when present: must match ClinicalImpression.episodeOfCare	required when EOC context is not present: must match ClinicalImpression.subject	-
Patient			-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
ClinicalImpression.search
Practitioner	optional but when present: must match searchparam: episodeOfCare	optional must match searchparam: subject Only checked if EOC context is not present:	required: Must match search param value in context.team or carePlan.careTeam
Patient	optional but when present: must match searchparam: episodeOfCare	required when EpisodeOfCare Context is not present: must match searchparam: subject	-
Patient			-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context / UserId	Extra Permission
Task create/read/update
Practitioner	optional but when present: must match Task.episodeOfCare	optional, but when present: must match Task.episis odeOfCare.subject	CareTeam Context must match Task.responsible	User must have at least one corresponding restriction category privilege in Task.restriction-category.
Practitioner	optional but when present: must match Task.episodeOfCare		UserID must match Task.responsible, Task.owner or Task.requester
Patient	optional but when present: must match Task.episodeOfCare	required when EOC context is not present: must match Task.episodeOfCare.subject	UserID must match Task.responsible, Task.owner or Task.requester
Patient	optional but when present: must match Task.episodeOfCare
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context / UserId	Extra Permission
Task search
Practitioner	optional but when present: must match searchparam episodeOfCare	optional must match searchparam Context.subject Only checked if EOC context is not present:	CareTeam Context must match searchparam responsible	Users must have all restriction category privileges corresponding to the list in searchparam restriction-category.
Practitioner			UserID must match searchparam: Responsible, Owner or Requester
Patient	optional but when present: must match searchparam episodeOfCare	required when EpisodeOfCare Context is not present: must match searchparam theContext.subject	UserID must match searchparam: Responsible, Owner or Requester
Patient
System	-	-	-

When searching for tasks based on careteam, it is possible, but not necessary to specify restriction categories. If they are not specified as search criteria, then they will be inferred from the privileges in the security token.

If a search is based on a specific userID instead of a CareTeam, then all tasks related to that user will be returned regardless of the restriction category.

It is recommended to search based on either a userID or a Careteam. It is technically possible to combine these two search parameters, but the results may be confusing.

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

Observation, Media, and QuestionnaireResponse (with status completed) is created by calling $submit-measurement. A draft QuestionnaireResponse (with status in progress) can be created and updated directly.

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Communication read
Practitioner	optional but when present: must match communication.episodeOfCare	required if EpisodeOfCare context is not present: must match communication.subject Only checked if EpisodeOfCare Context is not present.	A match must be found either through the Careteam or the UserID Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam UserID: must match communication.sender or communication.recipient
Patient	-	required: must match communication.recipient or communication.sender	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context	Extra permission
Communication create/patch
Practitioner	optional but when present: must match communication.episodeOfCare	required if EpisodeOfCare context is not present: must match communication.subject	A match must be found either through the Careteam or the UserID Careteam: must match either communication.senderCareTeam UserID: must match communication.sender
Patient	-	required: must match communication.subject	-	communication.sender must match AuthToken.userId
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Communication search
Practitioner	required: search param must match the context	-	A match must be found either through the Careteam or the UserID Careteam: must match either communication.senderCareTeam or communication.recipientCareTeam UserID: must match communication.sender or communication.recipient
Patient	-	required: context must match the subject and either of sender or recipient search params	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Observation read
Practitioner	required: must match observation.episodeOfCare	--	required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context If the Careteam is assigned to the CarePlan: Observation.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
Patient	optional but when present: must match observation.episodeOfCare	required when EOC context is not present: must match observation.subject Only checked if EpisodeOfCare Context is not present.	--
System	--	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Observation search
Practitioner	required: search param must match the context	--	required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory If the Careteam is assigned to the CarePlan: basedOn search parameter is mandatory and must match the context
Patient	optional but when present: search param must match the context	required when EOC context is not present: search param must match the context	--
System	--	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
QuestionnaireResponse read
Practitioner	required: must match questionnaireResponse.episodeOfCare	--	required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context If the Careteam is assigned to the CarePlan: QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
Patient	optional but when present: must match questionnaireResponse.episodeOfCare	required must match questionnaireResponse.subject	--
System	--	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
QuestionnaireResponse search
Practitioner	required: search param must match the context	--	required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory If the Careteam is assigned to the CarePlan: basedOn search parameter is mandatory and must match the context
Patient	optional but when present: search param must match the context	required when EOC context is not present: search param must match the context	--
System	--	--	--

User Type	EpisodeOfCare Context	CareTeam Context
QuestionnaireResponse (status in progress) create/update
Practitioner	required: must match questionnaireResponse.episodeOfCare	required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context If the Careteam is assigned to the CarePlan: QuestionnaireResponse.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
Patient	required must match questionnaireResponse.episodeOfCare	--
System	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Media read
Practitioner	required: must match media.episodeOfCare	--	required: If the CareTeam is assigned on the EpisodeOfCare: The user is granted access with no further checks when the EpisodeOfCare.team of the EpisodeOfCare Context contains the CareTeam in the CareTeam Context If the Careteam is assigned to the CarePlan: Media.basedOn must be a ServiceRequest which is referenced in CarePlan.activity.reference where the CarePlan.careTeam contains the CareTeam in the CareTeam Context
Patient	optional but when present: must match media.episodeOfCare	required when EOC context is not present: must match media.subject	--
System	--	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Media search
Practitioner	required: search param must match the context	--	required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory If the Careteam is assigned to the CarePlan: basedOn search parameter is mandatory and must match the context
Patient	optional but when present: search param must match the context	required when EOC context is not present: search param must match the context	--
System	--	--	--

User Type	EpisodeOfCare Context	Patient Context
$submit-measurement
Practitioner	required	required
Patient	required	required
System	--	--

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
$search-measurements
Practitioner	required: search param must match the context	--	required: If the CareTeam is assigned on the EpisodeOfCare: basedOn search parameter is not mandatory If the Careteam is assigned to the CarePlan: basedOn search parameter is mandatory and must match the context
Patient	optional but when present: search param must match the context	required when EOC context is not present: search param must match the context	--
System	--	--	--

Organization/Practitioner/CareTeam

These resources only require privileges to access. There are no security context requirements for these resources.

Device/DeviceMetric/DeviceUseStatement

Privately owned devices do not have context checks. The tables below are valid for devices owned by organizations.

User Type	Organization Context	Patient Context
Device/DeviceMetric create/update/delete
SSL supplier/Practitioner	required must match the Device.owner organization	Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.
Patient	-	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.
System	-

User Type	Patient Context	Organization Context
Device read
SSL supplier/Practitioner	Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.	Required if patient context is not present. Must match the device.owner
Patient	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device.	-
System		-

DeviceUseStatement create/update

User Type

Patient Context

Organization Context

SSL supplier/Practitioner

required

must match DeviceUseStatement.subject

required

must match the Device.owner organization

System

-

User Type	Patient Context	Organization Context
DeviceUseStatement read
SSL supplier/Practitioner	required must match DeviceUseStatement.subject	-
Patient	must match a DeviceUseStatement.subject	-
System	-	-

Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)

User Type	Organization Context	Patient Context
Device/DeviceMetric create
SSL supplier/Practitioner	required must match the Device.owner organization when the non-privately owned device	-
Patient (Must be privately owned device)	-	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device or have no related DeviceUseStatement.
System	-	-

User Type	Organization Context	Patient Context
Device/DeviceMetric update/delete
SSL supplier/Practitioner	required must match the Device.owner organization when the non-privately owned device	Optional but when present: must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatematch device references the device. or have no related DeviceUseStatement.
Patient	-	must match a DeviceUseStatement where: DeviceUseStatement subject = patient context DeviceUseStatement device references the device or has no related DeviceUseStatement. The device must be privately owned.
System	-

User Type	Organization Context	Patient Context
DeviceUseStatement create/update
SSL supplier/Practitioner	required must match the Device.owner organization when the non-privately owned device	required must match DeviceUseStatement.subject
Patient	-	required. The DeviceUseStatement must have: DeviceUseStatement subject = patient context DeviceUseStatement device references the device The device must be privately owned.
System	-

User Type	Organization Context	Patient Context
DeviceUseStatement read
SSL supplier/Practitioner	-	required must match DeviceUseStatement.subject
Patient	-	required must match DeviceUseStatement.subject
System	-	-

User Type	Organization Context	Patient Context
DeviceUseStatement search
SSL supplier/Practitioner	-	required patient search param must match the context
Patient	-	required patient search param must match the context
System	-	-

Questionnaire

User Type	FHIR Operation	Organization Context	Property updated	Role needed
Questionnaire
Practitioner / Patient	create	required: must match Questionnaire.modifierRole.reference	-	owner
	update	required: must match Questionnaire.modifierRole.reference	Questionnaire.modifierRole	owner
	update	required: must match Questionnaire.modifierRole.reference	Not Questionnaire.modifierRole	owner or co-author
	delete	required: must match Questionnaire.modifierRole.reference	-	owner
	read/search	-	-	-
System	-	-	-	-

Actionguidance

User Type	FHIR Operation	Organization Context	Property updated	Role needed
Actionguidance
Practitioner / Patient	create	required: must match Actionguidance.modifierRole.reference	-	owner
	update	required: must match Actionguidance.modifierRole.reference	Actionguidance.modifierRole	owner
	update	required: must match Actionguidance.modifierRole.reference	Not Actionguidance.modifierRole	owner or co-author
	read/search	- Note: There are two ways to be able to search. First, if permission for both Actionguidance and view is present, it will give access. Secondly, to search, an actionguidance permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected. Values to supply for a profile search profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-actionguidance Values to supply for a code search code=http://ehealth.sundhed.dk/cs/basic-resource-type\|actionguidance	-	-
System	-	-	-	-

View

User Type	FHIR Operation	Organization Context	Property updated	Role needed
View
Practitioner / Patient	create	required: must match View.modifierRole.reference	-	owner
	update	required: must match View.modifierRole.reference	View.modifierRole	owner
	update	required: must match View.modifierRole.reference	Not View.modifierRole	owner or co-author
	read/search	- Note: There are two ways to be able to search. First, if permission for both View and view is present, it will give access. Secondly, to search, a View permission should be present, and the resource should be supplied as part of the profile search or as the search field code. All other cases will be rejected. Values to supply for a profile search profile=http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-view Values to supply for a code search code=http://ehealth.sundhed.dk/cs/basic-resource-type\|view	-	-
System	-	-	-	-

Transform

These operations are stateless and only require privileges to call. There are no security context requirements for these operations

Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

These resources can be accessed by all users. Updates require write privileges. There are no security context requirements for these resources.

Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

These resources can be accessed by all users. Updates require write privileges (named QuestionnaireConceptMap, QuestionnaireCodeSystem, QuestionnaireValueSet and QuestionnaireNamingSystem). There are no security context requirements for these resources.

Library

There are no context checks for CRUD and search operations for the Library resource.

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Library evaluate
Practitioner	required: must match either Observation.episodeOfCare or QuestionnaireResponse.episodeOfCare	required: must match either Observation.subject or QuestionnaireResponse.subject	-
Patient	required: must match either Observation.episodeOfCare or QuestionnaireResponse.episodeOfCare	required: must match either Observation.subject or QuestionnaireResponse.subject	-
System	-	-	-

SSL Domain

SSL Catalogue service

Catalogue

User Type	Organization Context
SSL Catalogue create/update/read
SSL supplier	required: must resolve to and match the Catalogue.seller party
Practitioner	-
System	-

CatalogueItem

User Type	Organization Context
SSL CatalogueItem create/update/read
SSL supplier	required: must resolve to and match the CatalogueItem.Catalogue.seller party
Practitioner	-
System	-

User Type	Organization Context
SSL CatalogueItems read
SSL supplier	required: must resolve to and match the CatalogueItem.Catalogue.seller party
Practitioner	required: must resolve to and match WhiteList.buyer party, only returns CatalogueItems referred by WhiteLists
System	-

Annotation

User Type	Organization Context
SSL Annotation create/update/read/delete
SSL supplier	required: must resolve to and match the Annotation.CatalogueItem.Catalogue seller party
Practitioner	-
System	-

Whitelist

User Type	Organization Context
SSL WhiteList create/read/delete
SSL supplier	- (no access)
Practitioner	required: must resolve to and match the WhiteList.buyer party
System	-

BlackList

User Type	Patient Context
SSL BlackList create/read/delete
SSL supplier	- (no access)
Practitioner	required: must match the BlackList.patient
System	-

Problem

User Type	Organization Context
SSL Problem create/patch/delete
SSL supplier	required: must resolve and match the Problem.CatalogueItem.Catalogue seller party
Practitioner	- (no access)
System	-

User Type	Organization Context
SSL Problem read
SSL supplier	required: must resolve and match the Problem.CatalogueItem.Catalogue seller party
Practitioner	required: must resolve to and match WhiteList.buyer party, only returns Problems with CatalogueItems referred by WhiteLists
System	-

Package

User Type	Organization Context
SSL Package create/read/patch/delete
SSL supplier	- (no access)
Practitioner	required: must resolve to and match the Package.buyer party
System	-

SSL Order Service

Order

User Type	Organization Context	EpisodeOfCare Context	CareTeam Context
SSL Order create
SSL supplier	required: must resolve to and match the Order.seller party	required: used for reading CarePlan, see CarePlan resource for context rules	required: used for reading CarePlan, see CarePlan resource for context rules
Practitioner	required: must resolve to and match the Order.buyer party	required: used for reading CarePlan, see CarePlan resource for context rules	required: used for reading CarePlan, see CarePlan resource for context rules
System	-	-	-

User Type	Organization Context
SSL Order read/update/patch/delete/search
SSL supplier	required: must resolve to and match the Order.seller party
Practitioner	required: must resolve to and match the Order.buyer party
System	-

OrderLine

User Type	Organization Context
SSL OrderLine create/read/update/patch/delete/search
SSL supplier	required: must resolve to and match the OrderLine.Order.seller party
Practitioner	required: must resolve to and match the OrderLine.Order.buyer party
System	-

Contract

User Type	Organization Context
SSL Contract create/patch/read
SSL supplier	required: must resolve to and match the Contract.seller party
Practitioner	-
System	-

User Type	Organization Context
custom/hasValidContract
SSL supplier	required: must resolve to and match the Contract.seller party
Practitioner	-
System	-

Party

User Type	Organization Context
SSL Party create/update/read
SSL supplier	-
Practitioner	-
System	-

User Type	Organization Context
custom/findOrCreateParty
SSL supplier	required: must match the organization parameter
Practitioner	required: must match the organization parameter
System	-

Reports

Schedule/Fetch <Report_name>

User Type

Organization Context

UserID

Extra permission

Practitioner

required

Must match input parameter: ManagingOrganization

Only the user that called schedule is allowed to read the resulting /fhir/Binary/id

The privilege Report.non-anonymized is required if input parameter: anonymization == false

System-user

System users can't have an organization context

Only the user that called schedule is allowed to read the resulting /fhir/Binary/id

The privilege Report.non-anonymized is required if input parameter: anonymization == false

Patient/Appointment/Communication(eHealthMessage)/Person

SYSTEM users can perform any action, regardless of context, as long as they have the appropriate realm_access.role (e.g. Appointment.read to read appointments).

R = Required
U = Used (may be required to access certain data)

realm_access.role	Patient Context	Episode of Care Context	CareTeam Context	Organization Context	Extra Rules / Comments

realm_access.role	Patient Context	CareTeam Context	Extra Rules / Comments
Patient.read	R*	R*	REGULAR SEARCH: To perform a regular Patient Search, the user MUST have the Patient Context. LIMITED SEARCH (Dashboard Search): It is also possible to perform a patient search with a CareTeam Context instead of a Patient Context. In that case, the patients are then retrieved from EpisodesOfCare and CarePlan objects that the CareTeam is involved in. NOTE: The patient resources that are returned from this search are limited and as such only the following information is returned: Identifier Date of Birth Gender Cpr Deceased status Home address Official name R - THE CONTEXTS ARE* MUTUALLY EXCLUSIVE, AS SUCH IF BOTH CONTEXTS ARE PROVIDED IN THE TOKEN, ONLY THE PATIENT CONTEXT IS USED.
Patient.write	R		1: FHIR operations "create" and "update" are not available on the Patient resource. (use $createPatient and "patch") 2: Only certain attributes are allowed to be patched using HTTP PATCH
Patient$updatePatientWithSKRSData
Patient$createPatient
Appointment.read	U	U	For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be read if the user has a Care Team in context that is participating in the appointment the user is participating in the appointment (as a Practitioner or Patient) 3: Searching PATIENT users can search all Appointments that involve the user itself PRACTITIONER/SSL users can search all Appointments that involve the user itself, or the Organization/CareTeam/Patient in context
Appointment.write	U	U	For non-group appointments: 1: If an appointment involves a patient, then that patient must be in context 2: The appointment can be written if the user has a Care Team in context that is participating in the appointment the user is participating in the appointment (as a Practitioner or Patient)
Appointment$exportAsiCal	U	U	The same rules apply to reading appointments Note: Only PRACTITIONER/SSL users can see the names of Practitioner participants in the exported iCal object
RelatedPerson.read	R		Only related persons to the patient in context can be read
RelatedPerson.write	R		Only related persons to the patient in context can be written
Communication.read		U	If the message has a restriction category X, the corresponding RestrictionCategory.X role must be present in the realm_access list. 1: PATIENT users can read communication where they are either the sender or recipient 2: PRACTITIONER and SSL users can read communication where they are either the sender or recipient communication where the CareTeam in context is the sender or recipient 3: Only SYSTEM users can read communication from DEVICE senders
Communication.write		U	1: Communication must have exactly one sender and one recipient 2: Communication with the category "note" can only be created/patched/deleted if user = sender and (recipient = sender or recipient = a CareTeam). (notes can be shared with any CareTeam) 3: PATIENT users can only create/delete "mesHTTP" communication where they are the sender, and the recipient is of type CareTeam can only patch "message" communication where they are sender or recipient (the recipient can patch "received" property) 4: PRACTITIONER and SSL users can only create/delete "message" communication where the sender is the CareTeam in context and the recipient is of type PATIENT or type CareTeam can only patch "message" communication where the CareTeam in context is the sender or recipient
Person$match			Only requires the role “Person$match” Used to lookup person data by CPR, including name and a patient reference, if one exists. This is only a read operation and will not create any resources. The operations are audit logged.

Group Appointment

A “Group appointment” is an Appointment with one of the profiles http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-appointment, http://ehealth.sundhed.dk/fhir/StructureDefinition/ehealth-group-videoappointment

Appropriate appointment-related realm_access.role is required for all operations
SYSTEM users have access to all data and http operations regardless of context
- Only SYSTEM users can use PUT, other users must use PATCH to change a group appointment
Create
- All Practitioner/SSL users can create group appointments if they have an Appointment.write role and a CareTeam in context
  - assigning-careteam extension on participants must match CareTeam in the context
Read/Search
- ehealth-creator, ehealth-responsible and ehealth-performer can see all parts of the appointment, regardless of the CareTeam context
- All Practitioner/SSL users can read/find all group appointments and view all parts of it, except Patient participants whose assigning-careteam differs from the CareTeam in context, and the RelatedPersons of those
- Patient users can only read/find group appointments that they are participants in, and can view all parts, except other Patient participants and RelatedPersons of those
Patching
- Patient users cannot patch
- When adding/removing a participant, the relevant assigning-careteam must be in the context
  - Removing a Patient/RelatedPerson participant is also allowed if the relevant patient is in context
- ehealth-creator and ehealth-responsible can patch all parts of the appointment
- ehealth-performer can patch all parts of the appointment, except ehealth-responsible
- All other Practitioner/SSL users can only add/remove Patient/RelatedPerson participants

Note on Patching a Partial View

Please note that due to the filtering of participants, in some scenarios a client holds only a partial view of the appointment (with some participants missing due to security filtering).
This has an impact when removing a participant in a PATCH using an index, e.g. [{ "op": "remove", "path": "/participant/0" }]. What is in index 0 of the partial view, might not be what is actually in index 0 in the full version of the resource.
The server is aware of this dilemma and “maps” indexes when receiving an HTTP patch request, based on the JWT user_id/context used for the request. The server assumes the patch request is performed by the same user_id/context as the patch content indexes were constructed from.

This means that PATCH operations should be performed with the same JWT as was used when reading the group appointment resource that the patch content (indexes) is based on.

Role-Based Access Control

Attribute-Based Access Control

PlanDefinition/ActivityDefinition

DocumentReference

EpisodeOfCare/Condition/Provenance/Consent

CarePlan/ServiceRequest

CarePlan/ServiceRequest Read/Suggest-care-teams

Goal

CommunicationRequest

ClinicalImpression/Task

ClinicalImpression create/read/update

ClinicalImpression.search

Task create/read/update

Task search

Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)

Organization/Practitioner/CareTeam

Device/DeviceMetric/DeviceUseStatement

Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)

Questionnaire

Actionguidance

View

Transform

Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem

Library

SSL Domain

SSL Catalogue service

Catalogue

CatalogueItem

Annotation

Whitelist

BlackList

Problem

Package

SSL Order Service

Order

OrderLine

Contract

Party

Reports

Patient/Appointment/Communication(eHealthMessage)/Person

Group Appointment

Note on Patching a Partial View