Access to eHealth services and eHealth data in the eHealth Infrastructure are controlled by authentication and authorization based on tokens. The Token based security is described in Token Based Security. This page described how services in the eHealth Infrastructure rely on fields in the JWT access token to perform the access control. This access control comprises Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC).

Content on this page

1 Content on this page
2 Role-Based Access Control
3 Attribute-Based Access Control
- 3.1 PlanDefinition/ActivityDefinition
  - 3.1.1 PlanDefinition/ActivityDefinition
  - 3.1.2 PlanDefinition$apply
- 3.2 DocumentReference
  - 3.2.1 DocumentReference.read/search
  - 3.2.2 DocumentReference.create/update
- 3.3 EpisodeOfCare/Condition/Provenance/Consent
  - 3.3.1 EpisodeOfCare.create-episode-of-care
  - 3.3.2 EpisodeOfCare.read
  - 3.3.3 EpisodeOfCare.patch/updateCareteams
  - 3.3.4 EpisodeOfCare.search
  - 3.3.5 Condition
  - 3.3.6 Provenance.read
  - 3.3.7 Provenance.search
  - 3.3.8 Consent.create/read/patch
  - 3.3.9 Consent.search
- 3.4 CarePlan/ServiceRequest
  - 3.4.1 CarePlan/ServiceRequest Read/Suggest-care-teams
  - 3.4.2 CarePlan/ServiceRequest Update/Update-care-teams
  - 3.4.3 CarePlan: Update careteam special case
  - 3.4.4 CarePlan Search
- 3.5 Goal
  - 3.5.1 Goal Create/Read/Update
  - 3.5.2 Goal Search
- 3.6 CommunicationRequest
  - 3.6.1 CommunicationRequest Create/Read/Update/Delete
  - 3.6.2 CommunicationRequest Search
- 3.7 ClinicalImpression/Task
  - 3.7.1 ClinicalImpression create/read/update/$set-measurement-validity
  - 3.7.2 ClinicalImpression.search
  - 3.7.3 Task create/read/update
  - 3.7.4 Task search
- 3.8 Observation/QuestionnaireResponse/Media/Communication (ehealth-communication)
  - 3.8.1 Communication read
  - 3.8.2 Communication create/patch
  - 3.8.3 Communication search
  - 3.8.4 Observation read
  - 3.8.5 Observation search
  - 3.8.6 QuestionnaireResponse read
  - 3.8.7 QuestionnaireResponse search
  - 3.8.8 QuestionnaireResponse (status in progress) create/update
  - 3.8.9 Media read
  - 3.8.10 Media search
  - 3.8.11 $submit-measurement
  - 3.8.12 $search-measurements
  - 3.8.13 $search-measurements-bundle-limit
- 3.9 Organization/Practitioner/CareTeam
- 3.10 Device/DeviceMetric/DeviceUseStatement
  - 3.10.1 Device/DeviceMetric create/update/delete
  - 3.10.2 Device read
  - 3.10.3 DeviceUseStatement create/update
  - 3.10.4 DeviceUseStatement read
- 3.11 Device/DeviceMetric/DeviceUseStatement - Work in Progress (will be in effect with next release)
  - 3.11.1 Device/DeviceMetric create
  - 3.11.2 Device/DeviceMetric update/delete
  - 3.11.3 DeviceUseStatement create/update
  - 3.11.4 DeviceUseStatement read
  - 3.11.5 DeviceUseStatement search
- 3.12 Questionnaire
  - 3.12.1 Questionnaire
- 3.13 Actionguidance
  - 3.13.1 Actionguidance
- 3.14 View
  - 3.14.1 View
- 3.15 Transform
- 3.16 Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
- 3.17 Questionnaire Terminology: ConceptMap/CodeSystem/ValueSet/NamingSystem
- 3.18 Library
  - 3.18.1 Library evaluate
- 3.19 SSL Domain
  - 3.19.1 SSL Catalogue service
    - 3.19.1.1 Catalogue
    - 3.19.1.2 CatalogueItem
    - 3.19.1.3 Annotation
    - 3.19.1.4 Whitelist
    - 3.19.1.5 BlackList
    - 3.19.1.6 Problem
    - 3.19.1.7 Package
  - 3.19.2 SSL Order Service
    - 3.19.2.1 Order
    - 3.19.2.2 OrderLine
    - 3.19.2.3 Contract
    - 3.19.2.4 Party
- 3.20 Reports
  - 3.20.1 Schedule/Fetch <Report_name>
- 3.21 Patient/Appointment/Communication(eHealthMessage)/Person
  - 3.21.1 Patient.read
  - 3.21.2 Patient.write
  - 3.21.3 Patient$updatePatientWithSKRSData
  - 3.21.4 Patient$createPatient
  - 3.21.5 Appointment.read
  - 3.21.6 Appointment.write
  - 3.21.7 Appointment$exportAsiCal
  - 3.21.8 RelatedPerson.read
  - 3.21.9 RelatedPerson.write
  - 3.21.10 Communication.read
  - 3.21.11 Communication.write
  - 3.21.12 Person$match
- 3.22 Group Appointment
  - 3.22.1 Note on Patching a Partial View

Role-Based Access Control

The RBAC part of the access control is based on the user’s list of process privileges contained in the access token.

Access Token Field	Meaning	Example Value

Access Token Field	Meaning	Example Value
realm_access	List of process privileges, that is, what is the user allowed to do.	`"realm_access": { "roles": [ "Patient.read", "Patient.write" ] }`

What operations the user is allowed to invoke is stated in the "realm_access" attribute. In the example above the user is allowed to issue a "Patient.read" and a "Patient.write". This means that the user can get and edit patient records. This part of the security model is the RBAC part, as the claims here are entirely based on what role the user has.

Attribute-Based Access Control

The ABAC part of the access control combines the access token user type with security token context(s) and, at times, also the access token user id. These are typically compared to attributes of the data from the services.

Access Token Field	Meaning	Example Value

Access Token Field	Meaning	Example Value
context	List of items that are set in context. context in combination with items in realm_access governs the access to all resources in the eHealth infrastructure.	`"context": { "organization_id" : "https://fut.com/fhir/Organization/1", "care_team_id": https://fut.com/fhir/CareTeam/4, "episode_of_care_id": https://fut.com/fhir/EpisodeOfCare/10, "patient_id": "https://fut.com/fhir/Patient/8" }`
user_id	Id of the user. Can be either an FHIR patient Id, FHIR practitioner Id or a KeyCloak ID	"user_id": " e03ccef7-b0b1-4f68-8e16-6fc2f865a922"
user_type	Can be either SYSTEM, PATIENT, PRACTITIONER or SSL	"user_type": "PATIENT"

Each resource type (see IG Profiles) has certain restrictions to what context is required to allow data retrieval or data manipulation.

PlanDefinition/ActivityDefinition

These resources are not patient-related. Read and Search operations do not require any security context apart from the privilege.

PlanDefinition/ActivityDefinition

User Type

FHIR Operation

Organization Context

Property updated → role needed

Practitioner

create/update

required:

must match modifierRole.reference

PlanDefinition/ActivityDefinition creation or modifierRole changed → owner

All other updates → owner or co-author

System

-

PlanDefinition$apply

User Type

EpisodeOfCare Context

CareTeam Context

Practitioner

required:

Must match EpisodeOfCare.id

required:

Must match EpisodeOfCare.team

System

-

DocumentReference

These resources are not patient-related.

User Type	Context
DocumentReference.read/search
Practitioner / Patient	-
System	-

Read and Search operations do not require any security context apart from the privilege.

DocumentReference.create/update

User Type

Organization Context

Practitioner / Patient

required:

must match DocumentReference.custodian

System

-

EpisodeOfCare/Condition/Provenance/Consent

EpisodeOfCare cannot be created directly. They are created by calling the custom operation: create-episode-of-care

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
EpisodeOfCare.create-episode-of-care
Practitioner	must not be present	required: must match EpisodeOfCare.Patient	required: Must match EpisodeOfCare.team
The patient	must not be present	required: must match EpisodeOfCare.Patient	-
System	-	-	-

EpisodeOfCare.read

User Type

EpisodeOfCare Context

Practitioner/Patient

required:

must match EpisodeOfCare

System

-

User Type	EpisodeOfCare Context	CareTeam Context
EpisodeOfCare.patch/updateCareteams
Practitioner	required: must match EpisodeOfCare	required: Must match EpisodeOfCare.team
Patient	required: must match EpisodeOfCare	-
System	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
EpisodeOfCare.search
Practitioner	must not be present	optional but when present: must match the Patient search parameter	required: Must match CareTeam search parameter
Patient	must not be present	Always present: must match the Patient search parameter	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Condition
Practitioner	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
Patient	required: must match Condition.episodeOfCare	required: must match Condition.subject	-
System	-	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Provenance.read
Practitioner	required: must match Provenance.target	-
Patient	required: must match Provenance.target	-
System	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Provenance.search
Practitioner	required: must match the EpisodeOfCare search parameter (provenance.target)	-
Patient	required: must match the EpisodeOfCare search parameter (provenance.target)	-
System	-	-

User Type	EpisodeOfCare Context	Patient context	CareTeam Context
Consent.create/read/patch
Practitioner	Required Must match data.reference	Required Must match data.patient	-
Patient	Required Must match data.reference	Required Must match data.patient	-
System	-	-	-

User Type	EpisodeOfCare Context	CareTeam Context
Consent.search
Practitioner	required: must match the EpisodeOfCare search parameter (consent.data.reference)	-
Patient	required: must match the EpisodeOfCare search parameter (consent.data.reference)	-
System	-	-

CarePlan/ServiceRequest

ServiceRequest is considered a part of a CarePlan and does not have separate privileges.

CarePlan cannot be created directly. It is created and assigned to a Patient by calling PlanDefinition$apply

User Type	EpisodeOfCare Context	CareTeam Context
CarePlan/ServiceRequest Read/Suggest-care-teams
Practitioner	required: must match CarePlan/ServiceRequest .episodeOfCare	required: Careplan: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or Careplan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-
System	-	-

User Type	EpisodeOfCare Context	CareTeam Context	Extra permission
CarePlan/ServiceRequest Update/Update-care-teams
Practitioner	required: must match CarePlan/ServiceRequest.episodeOfCare	required: Careplan: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team ServiceRequest: Context must match CarePlan.careTeam or CarePlan.episodeOfCare.team for the CarePlan that the ServiceRequest belongs to.
Practitioner	required: must match CarePlan/ServiceRequest.episodeOfCare
Patient	required: must match CarePlan/ServiceRequest.episodeOfCare	-	Only allowed if definition.topic is 'self-treatment'
System	-	-

CarePlan: Update careteam special case

User Type

EpisodeOfCare Context

CareTeam Context

Extra permission

Practitioner

required:

must match CarePlan.episodeOfCare

required:

Must match CarePlan.careTeam

Careplan$update.responsibility permission required in token to update careteam element

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
CarePlan Search
Practitioner	optional but when present: must match searchparam episodeOfCare	optional but when present: must match searchparam theSubject Only checked if EpisodeOfCare Context is not set.	required: Must match search parameter CarePlan.careteam or CarePlan.episodeOfCare.team. (Only a single search parameter is allowed for this element)
Patient	optional but when present: must match searchparam episodeOfCare	Always present and must match searchparam theSubject Only checked if EpisodeOfCare Context is not set.	-
System	-	-	-

Goal

Goal is considered as part of a CarePlan and does not have separate privileges.

User Type	Patient Context	EpisodeOfCare Context	CareTeam Context
Goal Create/Read/Update
Practitioner	required: Must match Goal.subject	required: must match Goal.addresses.episodeOfCare	required: must match Goal.addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the Goal.addresses ServiceRequest belongs to.
Patient	required: Must match Goal.subject	-	-
System	-	-	-

Goal Search
User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
Practitioner	required: must match search param: addresses.episodeOfCare	-	required: must match search param addresses.episodeOfCare.team or Careplan.careteam for the CarePlan that the addresses ServiceRequest belongs to.
Patient	-	required: Must match search param addresses.subject	-
System	-	-	-

CommunicationRequest

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context	Details
CommunicationRequest Create/Read/Update/Delete
Practitioner	CommunicationRequest.episodeOfCare and EpisodeOfCare security token context must match. If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context	required must match CommunicationRequest.subject	required must match CommunicationRequest.recipient if the recipient contains a careteam
Practitioner		required must match CommunicationRequest.subject
Patient	optional but when present it must match CommunicationRequest.episodeOfCare If CommunicationRequest.episodeOfCare is null then the security token must not have an episodeOfCare context	required must match CommunicationRequest.subject	-	For UPDATE only Status is allowed to be changed.
Patient		required must match CommunicationRequest.subject	-
System	-		-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
CommunicationRequest Search
Practitioner	If EpisodeOfCare context is present, then searchparam and context must match If EpisodeOfCare context is not present, then the search parameter must include at least one of: episodeOfCare:missing=true recipient=<careteam> matching CareTeam context	optional but when present: must match searchparam patient	required if the search param recipient is a careteam. The search param and careteam context must match.
Patient	optional but when present must match searchparam: episodeOfCare	Always present and must match searchparam CommunicationRequest.recipient	-
Patient			-
System	-	-	-

ClinicalImpression/Task

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
ClinicalImpression create/read/update/$set-measurement-validity
Practitioner	required: must match ClinicalImpression.episodeOfCare	required: must match ClinicalImpression.subject	required: must be in ClinicalImpression.ehealth-careplan.careTeam or ClinicalImpression.episodeOfCare.team
Patient	optional but when present: must match ClinicalImpression.episodeOfCare	required when EOC context is not present: must match ClinicalImpression.subject	-
System	-	-	-

User Type	EpisodeOfCare Context	Patient Context	CareTeam Context
ClinicalImpression.search
Practitioner	optional when present: do not need to match searchparam: episodeOfCare	optional must match searchparam: subject Only checked if EOC context is not present:	required: either searchparam: episodeOfCare or searchparam: careplan must be provided: if searchparam: episodeOfCare is provided: CareTeam context must be in EpisodeOfCare.team for all referenced EpisodeOfCare ids if searchparam: careplan is provided: CareTeam context must be in CarePlan.careTeam for all referenced CarePlan.
Patient	optional but when present: must match searchparam: episodeOfCare	required when EpisodeOfCare Context is not present: must match searchparam: subject	-
System	-	-	-

User Type	EpisodeOfCare Context
Task create/read/update

Access Control in eHealth Services

Content on this page

Role-Based Access Control

Attribute-Based Access Control

PlanDefinition/ActivityDefinition

PlanDefinition/ActivityDefinition

PlanDefinition$apply

DocumentReference

DocumentReference.read/search

DocumentReference.create/update

EpisodeOfCare/Condition/Provenance/Consent

EpisodeOfCare.create-episode-of-care

EpisodeOfCare.read

EpisodeOfCare.patch/updateCareteams

EpisodeOfCare.search

Condition

Provenance.read

Provenance.search

Consent.create/read/patch

Consent.search

CarePlan/ServiceRequest

CarePlan/ServiceRequest Read/Suggest-care-teams

CarePlan/ServiceRequest Update/Update-care-teams

CarePlan: Update careteam special case

CarePlan Search

Goal

Goal Create/Read/Update

Goal Search

CommunicationRequest

CommunicationRequest Create/Read/Update/Delete

CommunicationRequest Search

ClinicalImpression/Task

ClinicalImpression create/read/update/$set-measurement-validity

ClinicalImpression.search

Task create/read/update