Stream: implementers
Topic: SMART on FHIR extensions
David Moorhouse (Oct 15 2019 at 20:10):
Is there any way of extending SMART on FHIR scope attributes?
My use case is to allow certain users to be tagged as administrators by the IDP so that the resource server can serve certain resources only to those authorised admin users.
Ordinary users will have the usual "openid+fhirUser+user/." scope
I'm thinking my admin users would have something like "openid+fhirUser+user/.+admin" for the scope.
Is there a need to register scope extensions? I can't see anything in the OIDC or the SMART documentation.
Severin Skillman (Oct 15 2019 at 20:42):
My understanding is that access control rules that can't be described by SMART scopes are left to the EHR's decision control engine to handle based on context available to the EHR upon authorization and may well be specific to your use case.
If your admin permissions can be adequately represented by a set of SMART scopes then you may want to consider defining a "role" with your IDP and assigning it to your admin users. Upon authentication the IDP could add the scopes in the role to the access token.
David Moorhouse (Oct 15 2019 at 22:59):
Thanks Severin, I'll follow down that path.
Stephen MacVicar (Oct 16 2019 at 11:40):
This section describes adding additional scopes: http://hl7.org/fhir/smart-app-launch/scopes-and-launch-context/index.html#extensions
David Moorhouse (Oct 17 2019 at 20:07):
That's interesting, but there is no way of registration and discovery of scope extensions as far as I can see. It looks more like a name clash avoidance mechanism.
David Moorhouse (Oct 17 2019 at 22:09):
What I was hoping to use it for was something along the lines of a scope like "admin/system.read" - which would be granted to users in administrator roles.
David Moorhouse (Oct 17 2019 at 22:10):
... and "admin/system.write" to allow a super user to change parts of the system config.
Jenni Syed (Oct 18 2019 at 14:37):
The general pattern is [scoping]/[Resource].[action]
Jenni Syed (Oct 18 2019 at 14:37):
If a user is involved, I would expect it to be a user/... or patient/... scope (if restricted to a specific patient record)
Jenni Syed (Oct 18 2019 at 14:38):
Those both mean "the app has access to do what the user can do with this resource"
Jenni Syed (Oct 18 2019 at 14:38):
I.e.: user/AllergyIntolerance.write == The application has access to write any allergies that the user can
Jenni Syed (Oct 18 2019 at 14:38):
In what FHIR resource is your system admin config stored?
Jenni Syed (Oct 18 2019 at 14:40):
or if not a FHIR resource, is there a reason the "user/..." scope wouldn't work?
Jenni Syed (Oct 18 2019 at 14:40):
if you need to extend it, I'm curious if there's benefit in maintaining the pattern for your use case or not :)
Last updated: Apr 12 2022 at 19:14 UTC