Specification
- Get Service Requests list
- Get Service Request details
Validations
Authorization
- Verify the validity of the access token
  - Return (401, 'unauthorized') if validation fails
- Verify that the token is not expired
  - In case of error, return (401, 'unauthorized')
- Check that the user's scopes allow this action (scope = 'service_request:read')
  - Return (403, 'invalid scopes') in case of invalid scope(s)
Validate data consistency
- Ensure that the requested episode of care relates to the requested patient
  - Return (404, 'not found') in case of error
Check user privileges
If ANY of these rules is met, the user has privileges to access this data.
Otherwise, access to this data is denied. Return (403, 'forbidden')
Rule 1: A user who has an active declaration with the patient is "authorized" to manage all of the patient's data
Info: If ANY employee related to this user in this legal entity has an active declaration with this patient, the user has the privileges to access this data.
1. Get token metadata
- Extract user_id, client_id, client_type
2. Determine the party_id associated with this user_id
```sql
-- Map the user from the token to its party
SELECT pu.party_id
FROM party_users pu
WHERE pu.user_id = :user_id;
```
3. Determine employees related to this party_id in current MSP
```sql
-- Employees of this party, limited to the legal entity (client_id) from the token
SELECT e.id
FROM employees e
WHERE e.party_id = :party_id
  AND e.legal_entity_id = :client_id;
```
4. Find patient declarations in this MSP
```sql
-- :employees is the list of employee ids returned in step 3
SELECT d.id
FROM declarations d
WHERE d.legal_entity_id = :client_id
  AND d.employee_id IN (:employees)
  AND d.status IN ('active', 'pending_verification')
  AND d.person_id = :patient_id;
```
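The Rule 1 lookup from steps 2-4 combined into one parameterized query and run against an in-memory SQLite database, as an added example that is not part of the original specification. The schema (only the columns the queries above reference), the sample rows, the `terminated` status value and the function names are constructed for illustration; the token fields from step 1 are passed in as arguments.

```python
import sqlite3

# Constructed schema: only the columns referenced by the spec's queries.
SCHEMA = """
CREATE TABLE party_users (user_id TEXT, party_id TEXT);
CREATE TABLE employees (id TEXT, party_id TEXT, legal_entity_id TEXT);
CREATE TABLE declarations (id TEXT, legal_entity_id TEXT, employee_id TEXT,
                           status TEXT, person_id TEXT);
"""

# Steps 2-4 as one statement; the legal entity is pinned on both the
# employee and the declaration, so a declaration held in another MSP never matches.
RULE_1 = """
SELECT 1
FROM party_users pu
JOIN employees e ON e.party_id = pu.party_id
JOIN declarations d ON d.employee_id = e.id
WHERE pu.user_id = :user_id
  AND e.legal_entity_id = :client_id
  AND d.legal_entity_id = :client_id
  AND d.status IN ('active', 'pending_verification')
  AND d.person_id = :patient_id
LIMIT 1
"""

def has_declaration_access(conn, user_id, client_id, patient_id):
    """Rule 1: True if any employee of this user in this legal entity
    holds a qualifying declaration with the patient."""
    params = {"user_id": user_id, "client_id": client_id, "patient_id": patient_id}
    return conn.execute(RULE_1, params).fetchone() is not None

def sample_db():
    """Constructed sample data, not real records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO party_users VALUES (?, ?)",
                     [("user-1", "party-1"), ("user-2", "party-2")])
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [("emp-a", "party-1", "msp-1"),   # user-1 employed at MSP 1
                      ("emp-b", "party-1", "msp-2"),   # user-1 employed at MSP 2
                      ("emp-c", "party-2", "msp-1")])  # user-2 employed at MSP 1
    conn.executemany("INSERT INTO declarations VALUES (?, ?, ?, ?, ?)",
                     [("decl-1", "msp-1", "emp-a", "active", "patient-1"),
                      ("decl-2", "msp-2", "emp-b", "terminated", "patient-2")])
    return conn

if __name__ == "__main__":
    print(has_declaration_access(sample_db(), "user-1", "msp-1", "patient-1"))
```

When the function returns False, Rule 1 is not met and the decision falls through to the remaining rules before (403, 'forbidden') is returned.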
Rule 2: User with active approval to this episode can view episode details and its child entities
TBD
Service logic
- Return all service requests related to the specified episode of care
  - Find all encounters related to the specified episode of care (Medical Events DB: $.encounters[*].episode.identifier.value == :episode_id)
  - Find all service requests related to the received encounters (Medical Events DB: $.service_requests[*].context.identifier.value IN :encounters)