There are a number of use cases in which a user should be granted access to some resources (episode, encounter, etc.) based on different business rules.

These are just examples:

  • A user can read the complete patient medical data if the user's employee has an active declaration with the patient
  • A user can read some part of the medical data if the user's legal entity has a declaration with the patient
  • A user can read episode details if the referral linked with the episode has been assigned to the user
  • etc. 

That is why the ABAC (attribute-based access control) paradigm should be used to control access to medical data resources on top of the scope model.
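
The three example rules above, evaluated after a scope check, as an added sketch that is not code from this page or from the system it describes. Every class, field, scope string and return value is hypothetical, and requiring the legal entity's declaration to be active is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# All names, fields and the scope string below are hypothetical.

@dataclass(frozen=True)
class User:
    user_id: str
    employee_id: str
    legal_entity_id: str
    scopes: frozenset

@dataclass(frozen=True)
class Declaration:
    employee_id: str
    legal_entity_id: str
    patient_id: str
    active: bool

@dataclass(frozen=True)
class Episode:
    patient_id: str
    referral_assignee: Optional[str]  # user_id the linked referral is assigned to

def decide(user, episode, declarations, required_scope="episode:read"):
    """Return 'complete', 'partial', 'episode' or 'deny' for one read request."""
    # Scope model first: ABAC rules only narrow what the scope already permits.
    if required_scope not in user.scopes:
        return "deny"
    live = [d for d in declarations
            if d.patient_id == episode.patient_id and d.active]
    # Rule 1: the user's employee has an active declaration with the patient.
    if any(d.employee_id == user.employee_id for d in live):
        return "complete"
    # Rule 2: the user's legal entity has a declaration with the patient
    # (assumption: it must be active too; the page does not say).
    if any(d.legal_entity_id == user.legal_entity_id for d in live):
        return "partial"
    # Rule 3: the referral linked with the episode is assigned to the user.
    if episode.referral_assignee == user.user_id:
        return "episode"
    return "deny"  # no rule matched: default deny

# Constructed sample data.
SCOPE = frozenset({"episode:read"})
DECLS = [Declaration("emp-1", "le-1", "pat-1", True),
         Declaration("emp-9", "le-9", "pat-1", False)]
EPISODE = Episode("pat-1", "u-3")
FAMILY_DOCTOR = User("u-1", "emp-1", "le-1", SCOPE)
COLLEAGUE = User("u-2", "emp-2", "le-1", SCOPE)
SPECIALIST = User("u-3", "emp-3", "le-2", SCOPE)
FORMER_DOCTOR = User("u-9", "emp-9", "le-9", SCOPE)
```

The most permissive matching rule wins, and a user whose only link to the patient is a terminated declaration falls through to the default deny.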