Stream: argonaut
Topic: Granular Scopes without query string
Jeffrey Taylor (Sep 23 2020 at 12:34):
Let's say I have the patient/Observation.rs scope. Does this mean I can search/query all observations for this patient? How does this contrast to the patient/Observation.rs?_security=L,N scope?
It's not clear to me if patient/Observation.rs grants me access to all, or maybe just "U" (unrestricted) observations, and I need an additional security scope (patient/Observation.rs?_security=L,N) to see Observations with more restrictive security tags.
I'm sure this has been asked before, but I can't find a place on zulip or github docs where it is explained.
Josh Mandel (Sep 23 2020 at 14:00):
The intended semantics is that an unrestricted scope allows unrestricted access -- at least, as unrestricted as the user who is approving the access. (An app launched by a user is always limited to seeing only data that the user can see.)
Jeffrey Taylor (Sep 23 2020 at 17:19):
Thanks Josh.
So having both scopes (patient/Observation.rs, patient/Observation.rs?_security=L,N) is duplicative, as the first scope is already "looser" than the second?
Josh Mandel (Sep 23 2020 at 17:29):
Correct. I tend to say something like "the second scope is covered by the first".
Jeffrey Taylor (Sep 23 2020 at 17:33):
Thank you!
Last updated: Apr 12 2022 at 19:14 UTC