...
- ABAC MAY (not MUST) be plugged in as a check for any ME endpoint, or even any ehealth endpoint. Enabling it everywhere would cause performance issues.
- The check is performed at the gateway level.
- Access is denied by default: every rule describes the conditions under which access is allowed. If no rule matches, access is forbidden.
- If ABAC does not return a decision (fails to answer), access is forbidden (fail closed).
- ABAC is a mission-critical service.
- Interfaces: external callers use HTTP; data providers are queried over RPC.
- Input:
  - WHO
    - user_id
    - client_id + client_type
  - action: CREATE, READ, UPDATE, DELETE
  - WHAT
    - object_type + object_id
    - list of contexts (patient, episode): object_type + object_id
- Output:
  - decision: true/false
- To be considered in the future: conditions (optional). Relevant for list endpoints. They define additional instructions for the requesting application, for example:
  - client_id context should be applied
  - speciality context should be applied
- Technically ABAC can make a decision based on the attributes of any entity. To minimise the load on the service, it has been decided that access is restricted at no lower than the EPISODE level: patient and episode are the finest-grained contexts a rule can be written against.
- examples:
  - access to an endpoint like `/api/patients/{patient_id}/conditions/{condition_id}` is granted based on a patient-level rule
  - access to an endpoint like `/api/patients/{patient_id}/conditions/` is granted based on a patient-level rule
  - access to an endpoint like `/api/patients/{patient_id}/episodes/{episode_id}/encounters/` can be granted based on either a patient-level or an episode-level rule
- A patient-level rule is sufficient on its own: if a rule allows the user access at the patient level but no rule allows access at the episode level, access is still allowed.
- examples:
...
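The following is an added illustration of the decision flow described above (the WHO/WHAT/action/contexts input, the true/false output, deny-by-default, fail-closed on provider errors, and the patient-or-episode context levels). It is example code written for this page, not the ehealth ABAC service itself; the rule format, the attribute names (`declared_with`, `care_manager`), the in-memory attribute store standing in for the RPC data providers, and all sample identifiers are assumptions.

```python
"""Added example: a minimal ABAC policy decision point modelled on the notes above.
Illustrative only; rule format, attribute names and sample data are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

ACTIONS = {"CREATE", "READ", "UPDATE", "DELETE"}
CONTEXT_LEVELS = ("patient", "episode")   # decisions are never taken below EPISODE level


@dataclass(frozen=True)
class Subject:                     # WHO
    user_id: str
    client_id: str
    client_type: str


@dataclass(frozen=True)
class Ref:                         # object_type + object_id
    object_type: str
    object_id: str


@dataclass(frozen=True)
class Request:
    who: Subject
    action: str                    # CREATE / READ / UPDATE / DELETE
    what: Ref                      # the object actually requested (e.g. a condition)
    contexts: tuple[Ref, ...]      # patient / episode contexts the object belongs to


@dataclass(frozen=True)
class Rule:
    level: str                     # context the rule evaluates: "patient" or "episode"
    actions: frozenset[str]
    allow_if: Callable[[Subject, dict], bool]   # predicate over the context's attributes


class ProviderError(Exception):
    """A data provider (RPC) could not answer."""


# Constructed attribute store standing in for the RPC data providers (assumption).
ATTRIBUTES = {
    ("patient", "p1"): {"declared_with": "u1"},
    ("episode", "e1"): {"patient_id": "p1", "care_manager": "u2"},
}


def fetch_attributes(ref: Ref) -> dict:
    try:
        return ATTRIBUTES[(ref.object_type, ref.object_id)]
    except KeyError:
        raise ProviderError(f"no attributes for {ref}") from None


# Hypothetical rules; the attribute names are assumptions, not the project's schema.
RULES = (
    Rule("patient", frozenset({"READ", "UPDATE"}),
         lambda who, a: a["declared_with"] == who.user_id),
    Rule("episode", frozenset({"READ"}),
         lambda who, a: a["care_manager"] == who.user_id),
)


def decide(req: Request, rules=RULES) -> bool:
    """True only if some allow rule matches; deny by default and fail closed."""
    if req.action not in ACTIONS:
        return False
    try:
        for ctx in req.contexts:
            if ctx.object_type not in CONTEXT_LEVELS:
                continue                           # never decide below episode level
            attrs = fetch_attributes(ctx)
            for rule in rules:
                if (rule.level == ctx.object_type and req.action in rule.actions
                        and rule.allow_if(req.who, attrs)):
                    return True                    # first matching allow rule wins
    except Exception:
        # ABAC "failed to answer" (provider error, missing attribute, bad rule): deny
        return False
    return False                                   # no rule matched


def sample_decisions() -> dict[str, bool]:
    """Worked cases from the notes; all subjects and object ids are constructed."""
    doctor = Subject("u1", "c1", "MSP")
    manager = Subject("u2", "c1", "MSP")
    stranger = Subject("u3", "c2", "MSP")
    p1, e1, p9 = Ref("patient", "p1"), Ref("episode", "e1"), Ref("patient", "p9")
    condition, encounters = Ref("condition", "cond1"), Ref("encounter", "*")
    return {
        # /api/patients/p1/conditions/cond1 -> patient-level rule
        "doctor_reads_condition": decide(Request(doctor, "READ", condition, (p1,))),
        # /api/patients/p1/episodes/e1/encounters/ -> patient rule allows, episode rule does not
        "doctor_reads_encounters": decide(Request(doctor, "READ", encounters, (p1, e1))),
        # same endpoint, granted by the episode-level rule instead
        "manager_reads_encounters": decide(Request(manager, "READ", encounters, (p1, e1))),
        "stranger_reads_condition": decide(Request(stranger, "READ", condition, (p1,))),
        "doctor_deletes_condition": decide(Request(doctor, "DELETE", condition, (p1,))),
        # provider has no data for p9 -> ABAC cannot answer -> denied
        "doctor_reads_unknown_patient": decide(Request(doctor, "READ", condition, (p9,))),
    }
```

The shape worth keeping from this example is that `decide` has exactly one `return True` path, reached only through a matched allow rule, and every other path, including any exception from a provider or a rule predicate, returns `False`; a real gateway integration should also treat a timeout on the ABAC call itself as a deny.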