Stream: implementers
Topic: Allowed Actions/Hateos
Jenni Syed (Mar 10 2020 at 16:57):
I've seen versions of this type of discussion in the past, but can't seem to find any final conclusion or common approach.
Use case: User A is signed in and accessing FHIR to read lists of resources. That specific user (and app) may have limitations on what type of actions they can take. We would like to be able to communicate "what can I do next". EG: I read the active allergies, there are 5. I can update/patch 2 of them. I can delete 1. I can read all.
Jenni Syed (Mar 10 2020 at 16:58):
I thought some of the discussion at connectathons started to lean towards common extensions (eg: tied to the interaction value set?), but I'm not finding any common extension that looks like it does this today.
Jenni Syed (Mar 10 2020 at 16:58):
This is different from conformance because it may be calculated based off biz rules and specific user privs (you don't authenticate to metadata...), and may vary based on the type of allergy/med/etc that is in the list
Jenni Syed (Mar 10 2020 at 16:59):
For example, you may not be able to modify an allergy if it's already in error. Or you don't have privs to modify CII drugs in this system. Etc
Jose Costa Teixeira (Mar 10 2020 at 17:06):
Interesting problem. Just for me to understand: is this more about permissions (who can do what for some purposes), or more about workflows (what actions can we expect to be possible at some point in time after or before some other actions)? Or neither?
Grahame Grieve (Mar 10 2020 at 19:18):
we've discussed this on and off over time. What we've leaned towards in the past is making some kind of operation that allows that app to ask whether a specific operation is possible before it lets the user spend time trying to start it
Grahame Grieve (Mar 10 2020 at 19:18):
or maybe asking the server to indicate what operations are possible in the response (a prefer header?) but we have never landed anything
Jenni Syed (Mar 11 2020 at 22:00):
@Jose Costa Teixeira in the end, it may end up being both. IE: for this specific resource instance, here's what you can do next
Jenni Syed (Mar 11 2020 at 22:00):
The reason you can't do something may be because of workflow (you can't/shouldn't modify an in error med, for eg) or privs
Jenni Syed (Mar 11 2020 at 22:01):
Ok, so it sounds like I'm not missing anything in the spec at the moment
Jose Costa Teixeira (Mar 11 2020 at 22:17):
We're having a discussion in Belgium about Privacy at the moment (who can change what), I want to prototype something. Possibly we'll use the Permission draft resource to test it
Last updated: Apr 12 2022 at 19:14 UTC