Stream: implementers
Topic: Permission
Tommy Vu (Feb 17 2022 at 08:29):
Hello,
Currently, we have an OAuth2 server for authentication/authorization purposes, and I can set roles such as Patient, RelatedPerson, Practitioner for each created account. I want to ask which resource supports the permission part?
How do I grant access for one person who has more than one role, such as Patient, RelatedPerson, Practitioner? Can I use "Person"?
Mike Lohmeier (Feb 17 2022 at 22:34):
It sounds like you're asking how to perform Role-Based Access Control when a user has multiple roles in the system. This really depends on your implementation. The FHIR resources can be just that, resources that you want to protect and have nothing to do with authn/authz except being behind the Policy Decision Point. On the opposite end of the spectrum, your users can map to FHIR resources and you keep your OAuth2 server in sync with FHIR writes.
Is the use case that a single Practitioner can have many different roles based on their relationship with the provider's org? See https://www.hl7.org/fhir/practitionerrole.html
Is the use case that a single Practitioner can have many different roles based on their relationship with caring for patient(s)? See https://www.hl7.org/fhir/careteam.html
There's also a Permission resource in FHIR R5 that allows for explicit permissions without the need for context: https://hl7.org/fhir/5.0.0-snapshot1/permission-definitions.html
I'd be interested in whether you really have a single user needing one login for both Patient and Practitioner roles. That would be a beast, and it might just be easier to give the user two logins.
Tommy Vu (Feb 18 2022 at 02:55):
Thanks for your helpful info.
John Moehrke (Feb 18 2022 at 20:59):
I agree with Mike... Note also that Role-Based Access Control is usually far more refined than the FHIR resources you mention. Hence PractitionerRole, which has codes... Also, these roles tend to be useful beyond just FHIR Resources, meaning all kinds of data, so they tend to be managed in a general User model. See http://build.fhir.org/secpriv-module.html#user
Last updated: Apr 12 2022 at 19:14 UTC