Content Comparison

Table of Contents

Rule base type	Description
Based on declaration	Employee with an active declaration can access all the patient's medical data (including person's/preperson's medical data which were merged with person with active declaration).
Based on managing organization	Employee can read entities, created in his legal entity
Based on context episode	Employee can read medical data, that was collected during an episode of care, that employee has access to.
Based on diagnostic report	Employee can read medical data, that was collected as a part of a diagnostic report, managed by the employee's legal entity.
Based on origin episode	Employee can read medical data, that was collected as a part of a diagnostic report or episode of care, that employee has access to. Episode of care, that contains this service request, is considered as an origin episode in that case.
Based on care plan	Employee with active approval on the care plan can read or write the data based on this care plan
Based on patient	Employee with active approval on the patient can read the data related to this patient (including person's/preperson's medical data which were merged with person )

...

Rule: @rule_-2 \| Action: @read \| (GraphQL only)
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
NHS employee can read patient’s data if he has Justification for monitoring Given Justification on monitoring patient's data given by the user (works only from Admin panel, graphql api) When I require read access Then I can read	Based on user token	episode	JustificationFilter schema	patient_id	person_id from JustificationFilter schema	There is an active token & an active justification
		encounter
		observation
		condition
		allergy_intolerance
		immunization
		risk_assessment
		device
		medication_statement
		medication_request
		medication_dispense
		service_request
		diagnostic_report
		procedure
		medication_administration
		care_plan
		activity

...

Rule: @rule_-1 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee can read insensitive patient’s data Given User access token with client_type not equal to cabinet When I require read access Then I can read	Based on user token	allergy_intolerance	by id by search params			There is an active token for client_type.name != CABINET
		immunization
		risk_assessment
		device
		medication_statement
		specimen

Rule: @rule_0 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Patient can read it's own data Given Patient has access_token given by Cabinet When I require read access Then I can read	Based on patient token	episode	by id by search params	patient_id	patient_id from URL	There is an active token given by Cabinet to a patient
		encounter
		observation
		condition
		allergy_intolerance
		immunization
		risk_assessment
		device
		medication_statement
		service_request
		diagnostic_report
		procedure
		medication_administration
		care_plan
		activity
		clinical_impression
		specimen

Rule: @rule_1 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active declaration can read all patient data (including merged persons/prepersons data) Given Active declaration with patientin the MSP from token And declaration from the same legal entity When I require read access Then I can read	Based on declaration and user token	episode	by id	person_id	person_id from URL	There is an active declaration between the patient and the employee in OPS from the same legal entity from token
			by search params
		encounter	by id
			by search params
			by id in episode context
			by search params in episode context
		observation	by id
			by search params
			by id in episode context
			by search params in episode context
		condition	by id
			by search params
			by id in episode context
			by search params in episode context
		service_request	by id
			by search params
		diagnostic_report	by id
			by search params
		procedure	by id
			by search params
		medication_administration	by id
			by search params
		care_plan	by id
			by search params
		activity	by id
			by search params
		approval	by id
			by search params
		clinical_impression	by id
			by search params
		medication_request_request & medication_request & medication_dispense	by id
			by search params

Rule: @rule_

device_request	by search params
device_request	by id (details in person context)
device_dispense	by search params in patient context
device_dispense	by id (details in person context)
device	by search params
device	by id (details in person context)
device_association	by search params
device_association	by id (details in person context)
detected_issue	by search params
detected_issue	by id (details in person context)

episode.managing_organization

Rule: @rule_2 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee can read entity created in the employee's legal entity Given Entity has been created on my legal entity When I require read access Then I can read	Based on managing organization	service_request	by id	requester_legal_entity + patient_id	DB.service_request.managing_organization	managing_organization==id
		service_request	by search param	requester_legal_entity + patient_id	search param {managing_organization} from URL	managing_organization (requester_legal_entity, )==token.client_id
		episode diagnostic_report procedures encounter condition observation	by id	managing_organisation + patient_id	DB.episode.managing_organization OR DB.diagnostic_report.managing_organization	managing_organization==id
			by search param	managing_organisation + patient_id	search param {requester_legal_entity} from URL	managing_organization (requester_legal_entity, )==token.client_id
		care_plan	by id	managing_organisation	DB.care_plan.managing_organization	managing_organization ==token.client_id
		activity	by activity id	managing_organisation	DB.care_plan.managing_organization	managing_organization ==token.client_id
		activity	by search params	managing_organisation	search param {managing_organization_id} from URL	managing_organization ==token.client_id
		medication_request_request & medication_request & medication_dispense	by id	legal_entity + patient_id	search param {legal_entity_id} from URL	legal_entity_id==id
			by search param	legal_entity + patient_id	search param {legal_entity_id} from URL	legal_entity_id==token.client_id

Rule: @rule_3 | Action: @read

Scenario:

Base

Resource

Routes

Context*

Source of context

Logic

Employee can read all the data of episodes created in the employee's legal entity

Given Episode context has been created on my legal entity

When I require read access

Then I can read

Based on context episode

encounter

by id

episode

DB.encounter.episode

device_request	by search params	requester_legal_entity	search param {requester_legal_entity} from URL	requester_legal_entity==token.client_id
	by id (details in person context)		DB.device_requests.requester_legal_entity	requester_legal_entity==token.client_id
device_dispenses	by search params in patient context	performer_legal_entity	search param {

episode

performer_legal_

id

observation

by id

episode

DB.observation.episode

entity} from URL

by id in episode context

episode_id from URL (path)

by search params in episode context

performer_legal_entity==token.client_id
by id (details in person context)	DB.device_requests.performer_legal_entity	performer_legal_entity==token.client_id
device	by search params	recorder_legal_entity	search param {

episode

recorder_legal_

id

procedure

by id

episode

DB.procedures.encounter.episode

entity} from URL

by id in episode context

episode_id from URL (path)

by search params in episode context

condition

by id

episode

DB.condition.episode

by search params

search param {episode_id} from URL

by id in episode context

episode_id from URL (path)

by search params in episode context

service_request

by id

episode

DB.service_request.encounter.episode

by search params

search param {episode_id} from URL

by id in episode context

episode_id from URL (path)

by search params in episode context

diagnostic_report

by id

episode

DB.diagnostic_report.encounter.episode

by search params

context_episode_id from URL (path)

recorder_legal_entity==token.client_id
by id	DB.devices.recorder_legal_entity	recorder_legal_entity==token.client_id
device_association	by search params	recorder_legal_entity	search param {recorder_legal_entity} from URL	recorder_legal_entity==token.client_id
device_association	by id	recorder_legal_entity	DB.device_associations.recorder_legal_entity	recorder_legal_entity==token.client_id
detected_issue	by search params	recorder_legal_entity	search param {recorder_legal_entity} from URL	recorder_legal_entity==token.client_id
detected_issue	by id	recorder_legal_entity	DB.detected_issues.recorder_legal_entity	recorder_legal_entity==token.client_id

Rule: @rule_5 medication_administrationdeviceIF context is encounter THEN:IF context is encounter THEN:IF context is encounter THEN:

Rule: @rule_3 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of episodes created in the employee's legal entity Given Episode context has been created on my legal entity When I require read access Then I can read	Based on context episode	encounter	by id	episode	DB.encounter.episode	episode.managing_organization==token.client_id
			by search params		search param {episode_id} from URL
			by id in episode		IF context is encounter THEN: DB.medication_administrations.context		episode_id from URL (path)
			by search params in episode context
		observation	by id	episode	DB.observation.episode
			by search params		search param {episode_id} from URL
			by id in episode context		episode		_id from URL (path)
			by search params in episode context
		condition	by id	episode	DB.devicescondition.context.episode
			by search params		search param {episode_id} from URL
			by id in episode context		episode_id from URL		risk_assessment(path)
			by search params in episode context
		service_request	by id	episode			DB.riskservice_assessmentsrequest.contextencounter.episode
			by search params				search param {episode_id} from URL
			medication_statement				by id in episode context	episode	_id from URL (path)
							by search params in episode context
		diagnostic_report	by id	episode	DB.medicationdiagnostic_statementsreport.contextencounter.episode
			by search params		search param {context_episode_id } from URL (path)
		immunizationprocedure	by id	episode	IF context is encounter THEN: DB.immunizationsprocedures.contextencounter.episode
			by search params		search param {episode_id} from URL
		allergymedication_intoleranceadministration	by id	episode	IF context is encounter THEN: DB.allergymedication_intolerancesadministrations.context.episode
			by search params		search param {episode_id} from URL
		medication_requestdevice	by id	episode	IF context is encounter THEN: DB.medication_requestdevices.context_.episode_id
			by search params		search param {episode_id} from URL
		medicationrisk_dispenseassessment	by id	episode	IF context is encounter THEN: DB.medicationrisk_requestassessments.context_.episode_id
			by search params		search param {episode_id} from URL
		medication_request_requeststatement	by id	episode	IF context is encounter THEN: DB.medication_request_requeststatements.context_episode_id.episode
			by search params		search param {episode_id} from URL
		immunization	by id	episode	IF context is encounter THEN: DB.immunizations.context.episode
			by search params		search param {episode_id} from URL
		clinicalallergy_impressionintolerance	by id	episode	IF context is encounter THEN: DB.clinicalallergy_impressionintolerances.context_.episode_id
			by search params		search param {episode_id} from URL

Rule: @rule_4 | Action: @read

Scenario:

Base

Resource

Routes

Context

Source of context

Logic

Employee with active approval can read all the data (including merged persons/prepersons data) of specified in approval patient

Given Active approval on patient

When I require read access

Then I can read

Based on patient_id

episode

by id

patient_id

patient_id from URL

There is an active approval on patient’s data granted to the to the employee (one of user's employee) in MongoDB

by search params

active diagnosis

short episodes by search params

by patient_id in observation context

by patient_id in condition context

by patient_id in procedure context

by patient_id in diagnostic_report context

encounter

by id

by search params

by id in episode context

by search params in episode context

short encounters by search params

short encounters by ID

observation

by id

by search params

short observations by search params

short observation by id

condition

by id

by search params

short conditions by search params

short conditions by id

service_request

list in episode context

by search params

by id in episode context

procedure

short procedures by id

short procedures by search params

diagnostic_report

by id

by search params

approved by patient_id

short diagnostic_reports by search params

by patient_id in observation context

short diagnostic_reports by id

care_plan

activity

clinical_impression

by id

by search params

medication_request_request

by id

by search params

medication_request

by id

by search params

medication_dispense

by id (details in person context)

by search params (by medication request id)

medication_request	by id	episode	DB.medication_request.context_episode_id
medication_request	by search params	episode	search param {episode_id} from URL
medication_dispense	by id	episode	DB.medication_request.context_episode_id
medication_dispense	by search params	episode	search param {episode_id} from URL
medication_request_request	by id	episode	DB.medication_request_request.context_episode_id
medication_request_request	by search params	episode	search param {episode_id} from URL
clinical_impression	by id	episode	DB.clinical_impression.context_episode_id
clinical_impression	by search params	episode	search param {episode_id} from URL
device_request	by search params	episode	search param {context_episode_id} from URL	episode.managing_organization==token.client_id
device_request	by id (details in person context)	episode	DB.device_requests.context_episode_id	device_requests.context_episode_id.managing_organization==token.client_id
device_dispense	by search params in patient context	episode	search param {context_episode_id} from URL	episode.managing_organization==token.client_id
device_dispense	by id (details in person context)	episode	DB.device_dispenses.context_episode_id	device_dispenses.context_episode_id.managing_organization==token.client_id
device_association	by search params	episode	search param {context_episode_id} from URL	episode.managing_organization==token.client_id
	by id	episode	DB.device_associations.context_episode_id	device_associations.context_episode_id.managing_organization==token.client_id
detected_issue	by search params	episode	search param {context_episode_id} from URL	episode.managing_organization==token.client_id
	by id	episode	DB.detected_issues.context_episode_id	detected_issues.context_episode_id.managing_organization==token.client_id

Rule: @rule_4 \| Action: @read
Scenario:	Base	Resource	Routes	Context

*

	Source of context	Logic
Employee

with active approval or employees from legal_entity

with active approval can read all the data (including merged persons/prepersons data) of specified in approval

episodes

patient

Given Active approval on

episode

patient

When I require read access

Then I can read

Based on

context episode

episode

by id

patient_id

http://DB.episode.id

episode

by id

patient_id

patient_id from URL

There is an active approval on patient’s data granted to the

episode granted

to the employee (one of user

's employee) OR to the legal_entity (one of legal_entity

's employee) in MongoDB

encounter


	by

id

search params

episode

DB.encounter.episode

active diagnosis

short episodes by search params

search param {episode

by patient_id

} from URL

in observation context

episode

episode

from URL (path)

search params in episode

patient_id in diagnostic_report context

observation

encounter

by id

episode

DB.observation.episode

by search params

search param {episode_id} from URL

by id in episode context

episode_id from URL (path)

condition.episode

by search params in episode context

condition

by id

episode

DB.

short encounters by search params
short encounters by ID
observation	by id
	by search params

search param {episode_id} from URL

by id in episode context

episode_id from URL (path)

short observations by search params
short observation by id
condition	by id
	by search params

in episode context

service request

DB.

short conditions by search params

short conditions by id

episode

service_

requset.encounter.episode

request	list in episode context
	by search params

search param {episode_id} from URL

by id in episode context

episode_id from URL (path)

by search params in episode context

by id in episode context
by id
by requisition
procedure	by id
	by search params
	short procedures by id
	short procedures by search params
diagnostic_report	by id

episode

DB.diagnostic_report.encounter.episode

by search params

approved by patient_id

short diagnostic_reports by search params

search param {episode

by patient_id

} from URL

medication_administration

by id

episode

IF context is encounter THEN:
DB.medication_administrations.context.episode

by search params

search param {episode_id} from URL

procedure

by id

episode

DB.procedures.encounter.episode

in observation context
short diagnostic_reports by id
care_plan	by id
	by search params
	by requisition
	by activity id
activity	by id
activity	by search params

search param {episode_id} from URL

clinical_impression	by id
	by search params
medication_request

& medication

_

dispense

request

by id

episode

by search params

DB.

medication_request

.context_episode_

medication_request_request

by id

episode

DB.medication_request_request.context_episode_id

by search params

search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter)

clinical_impression

by id

episode

DB.clinical_impression.context_episode_id

by search params

search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter)

Rule: @rule_6 | Action: @read

	by id
	by search params

search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter)

medication_dispense	by id (details in person context)
medication_dispense	by search params (by medication request id)
device_request	by search params
device_request	by id (details in person context)
device_dispense	by search params in patient context
device_dispense	by id (details in person context)
device	by search params
	by id
	short devices by search params
	short devices by id
device_association	by search params
device_association	by id
detected_issue	by search params
detected_issue	by id

Rule: @rule_5 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee

can read entity originated by episode created in the employee's legal entityGiven Entity has been originated by mine legal entity

with active approval or employees from legal_entity with active approval can read all the data of specified in approval episodes

Given Active approval on episode

When I require read access

Then I can read

Based on

origin

context episode

encounter

by search params

Search param {origin_episode_id} from URL

diagnostic repost

by id

origin_episode

DB.diagnostic_report.origin_

episode

by id

origin_episode

DB.encounter.origin_episode

origin_episode.managing_organization==token.client_id

	http://DB.episode.id	There is an active approval on the episode granted to the employee (one of user's employee) OR to the legal_entity (one of legal_entity's employee) in MongoDB
encounter	by id		episode	DB.encounter.episode
	by search params

Search param

search param {

origin_episode

episode_id} from URL
by id in episode context	episode_id

}

from URL

procedures

(path)
	by search params in episode context
observation	by id

origin_

episode

DB.

procedures.encounter

observation.episode
by search params	search param {episode_id} from URL

Rule: @rule_7 | Action: @read

Scenario:

Base

Resource

Routes

Context*

Source of context

Logic

Employee can read all the data of diagnostic report originated by episode created in the employee's legal entity

Given Diagnostic report context has been originated by mine legal entity episode

When I require read access

Then I can read

Based on origin episode

observation

by id

diagnostic_report

DB.observation.diagnostic_report.origin_episode

origin_episode.managing_organization==token.client_id

by search params

Search param {diagnostic_report_id} from URL

Rule: @rule_8 | Action: @read

Scenario:

Base

Resource

Routes

Context*

Source of context

Logic

Employee can read all the data of encounter originated by episode created in the employee's legal entity

Given Encounter context has been originated by mine legal entity episode

When I require read access

Then I can read

Based on origin episode

observation

by id

encounter

DB.observation.context.origin_episode

origin_episode.managing_organization==token.client_id

by search params

Search param {encounter_id} from URL

condition

by id

encounter

DB.condition.context.origin_episode

by search params

Search param {encounter_id} from URL


by id in episode context	episode_id from URL (path)
by search params in episode context
condition	by id	episode	DB.condition.episode
	by search params		search param {episode_id} from URL
	by id in episode context		episode_id from URL (path)
	by search params in episode context
service request	by id	episode	DB.service_requset.encounter.episode
	by search params		search param {episode_id} from URL
	by id in episode context		episode_id from URL (path)
	by search params in episode context
diagnostic_report	by id

encounter

episode

DB.diagnostic_report.encounter.

origin_

episode

by search params

Search param

search param {

encounter

episode_id} from URL
medication_administration	by id

encounter

episode

IF context is encounter THEN:
DB.medication_administrations.context.

encounter

episode
by search params	search param {

encounter

episode_id} from URL
procedure	by id

encounter

episode	DB.procedures.encounter.episode
episode	by search params	search param {

encounter

episode_id} from URL
medication_request & medication_dispense	by id

~~encounter~~

episode	DB.medication_request.context_episode_id
episode	by search params	search param {

encounter

episode_id} from URL

medication_request_

(can be used with {encounter_id} search param for sort by encounter)
medication_request_request	by id

~~encounter~~

episode	DB.medication_request_request.context_episode_id
episode	by search params	search param {

encounter

episode_id} from URL

Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET

Scenario:

Base

Resource

Routes

Context

Source of context

Logic

Employee with active approval can read data, originated by the episode

(can be used with {encounter_id} search param for sort by encounter)
clinical_impression	by id	episode	DB.clinical_impression.context_episode_id
clinical_impression	by search params	episode	search param {episode_id} from URL (can be used with {encounter_id} search param for sort by encounter)
device_request	by search params	episode	search param {context_episode_id} from URL
device_request	by id (details in person context)	episode	DB.device_requests.context_episode_id
device_dispense	by search params in patient context	episode	search param {context_episode_id} from URL
device_dispense	by id (details in person context)	episode	DB.device_dispenses.context_episode_id
device	by search params	episode	search param {context_episode_id} from URL
device	by id	episode	DB.devices.context_episode_id
device_association	by search params	episode	search param {context_episode_id} from URL
device_association	by id	episode	DB.device_associations.context_episode_id
detected_issue	by search params	episode	search param {context_episode_id} from URL
detected_issue	by id	episode	DB.detected_issues.context_episode_id

Rule: @rule_6 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read entity originated by episode created in the employee's legal entity Given Entity has been originated by mine legal entity episode When I require read access Then I can read	Based on origin episode	encounter	by id	origin_episode	DB.encounter.origin_episode	origin_episode.managing_organization==token.client_id
			by search params		Search param {origin_episode_id} from URL
		diagnostic repost	by id	origin_episode	DB.diagnostic_report.origin_episode
			by search params		Search param {origin_episode_id} from URL
		procedures	by id	origin_episode	DB.procedures.encounter.episode
			by search params		search param {episode_id} from URL
		device_dispense	by search params in patient context	origin_episode	Search param {origin_episode_id} from URL
			by id (details in person context)		DB.device_dispense.origin_episode_id

Rule: @rule_7 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of diagnostic report originated by episode created in the employee's legal entity Given Diagnostic report context has been originated by mine legal entity episode When I require read access Then I can read	Based on origin episode	observation	by id	diagnostic_report	DB.observation.diagnostic_report.origin_episode	origin_episode.managing_organization==token.client_id
			by search params		Search param {diagnostic_report_id} from URL

Rule: @rule_8 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of encounter originated by episode created in the employee's legal entity Given Encounter context has been originated by mine legal entity episode When I require read access Then I can read	Based on origin episode	observation	by id	encounter	DB.observation.context.origin_episode	origin_episode.managing_organization==token.client_id
			by search params		Search param {encounter_id} from URL
		condition	by id	encounter	DB.condition.context.origin_episode
			by search params		Search param {encounter_id} from URL
		diagnostic_report	by id	encounter	DB.diagnostic_report.encounter.origin_episode
			by search params		Search param {encounter_id} from URL
		medication_administration	by id	encounter	IF context is encounter THEN: DB.medication_administrations.context.encounter
			by search params		search param {encounter_id} from URL
		procedure	by id	encounter	DB.procedures.encounter.episode
			by search params		search param {encounter_id} from URL
		~~medication_request~~	~~by id~~	~~encounter~~	~~DB.medication_request.context~~
			~~by search params~~		~~search param {encounter_id} from URL~~
		~~medication_request_request~~	~~by id~~	~~encounter~~	~~DB.medication_request_request.context~~
			~~by search params~~		~~search param {encounter_id} from URL~~
		device_dispense	by search params in patient context	encounter	Search param {encounter_id} from URL
			by id (details in person context)		DB.device_dispense.encounter.origin_episode_id

Rule: @rule_9 \| Action: @read \| NOT IMPLEMENTED YET
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active approval can read data, originated by the episode Given Active approval on patient When I require read access Then I can read		encounter
		observation
		condition
		service_request
		diagnostic_report

Rule: @rule_10 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of diagnostic report created in the employee's legal entity Given Diagnostic report context has been originated by mine legal entity When I require read access Then I can read	Based on diagnostic report	observation	by id	diagnostic_report	DB.observation.diagnostic_report.managing_organization	diagnostic_report.managing_organization==token.client_id
			by search params		Search param {diagnostic_report_id} from URL

Rule: @rule_11 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval or employees from legal_entity with active approval can read all the data of specified in approval diagnostic report Given Active approval on diagnostic report When I require read access Then I can read	Based on diagnostic report	diagnostic_report	by id	diagnostic_report	DB.diagnostic_report	There is an active approval on the diagnostic report granted to the employee (one of user's employee) OR to the legal_entity (one of legal_entity's employee) in MongoDB
		observation	by id	diagnostic_report	DB.observation.diagnostic_report.managing_organization
		observation	by search params	diagnostic_report	Search param {diagnostic_report_id} from URL

care_plan + patient_id_id

Rule: @rule_12 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active approval can read the data associated with the care plan Given Active approval on care_plan When I require read access Then I can read	Based on care plan	care_plan	by id	care_plan + patient_id	DB.care_plan.id=approvals.granted_resources[].value	There is an active approval (access_level=read) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
		activity	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		medication_request_request	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		medication_request	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		medication_dispense	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path) )
			by search params
		device_request	by id	care_plan	DB.device_request.based_on.care_plan[].id=approvals.granted_resources[].value
			by search params		medication_dispense		by id	care_plan	& patient_id from URL (path)	by search params=approvals.granted_resources[].value.care_plan

+ patient_id_id

Rule: @rule_13 \| Action: @write
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active write approval can write the data associated with the care plan Given Active write approval on care_plan When I require write access Then I can write	Based on care plan	care_plan	~~by id~~ Cancel	care_plan ~~+ patient_id~~	DB.care_plan.id=approvals.granted_resources[].value	There is an active approval (access_level=write) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
			Complete
		activity	~~by id~~ Prequalify		~~care_plan_id & patient_id from URL (path)~~ care_plan_id from URL (path) =approvals.granted_resources[].value
			~~by search params~~ Create
			Cancel
			Complete
		~~medication_request_request~~	~~by id~~	~~care_plan + patient_id~~	~~care_plan_id & patient_id from URL (path)~~
			~~by search params~~
		~~medication_request~~	~~by id~~	~~care_plan + patient_id~~	~~care_plan_id & patient_id from URL (path)~~
			~~by search params~~
		~~medication_dispense~~	~~by id~~	~~care_plan + patient_id~~	~~care_plan_id & patient_id from URL (path)~~
			~~by search params~~
		device_request	by id	care_plan	DB.device_request.based_on.care_plan		[].id=approvals.granted_resources[].value
			by search params		care_plan		& patient_id from URL (path)	~~by search params~~=approvals.granted_resources[].value.care_plan

serviceby id

Rule: @rule_14 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active approval on the care plan can read the data based on this care plan Given Entity based on care_plan When I require read access Then I can read	Based on care plan	service_request	by id	care_plan (based_on) + patient_id	DB.service_request.based_on.care_plan[].id=approvals.granted_resources[].value	There is an active approval (access_level=read/~~write~~) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
		service_request	by search params	care_plan + patient_id	care_plan_id from URL (search param) & patient_id from path
		encounter	by id	patient_id ->. care_plan (based_on service_request)	DB.encounter.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.diagnostic_report.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.procedure.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].id=approvals.granted_resources[].value OR DB.procedurevalue
		diagnostic_report	by id
		procedure	by id
		device_dispense	by id (details in person context)	care_plan (based_on device_request)	DB.device_dispense.based_on.		device_request.based_on.care_plan[].id=approvals.granted_resources[].value
diagnostic_report	by id
procedure

Rule: @rule_15 | Action: @read

Scenario:

Base

Resource

Routes

Context*

Source of context

Logic

Employee with verified unexpired approval on procedure can read all the data of this procedure

Given Active approval on procedure

When I require read access

Then I can read

Based on procedure

procedure

by id

procedure

DB.procedures._id

There is a verified unexpired approval on procedure granted to the employee (one of user's employee) in MongoDB

Rule: @rule_

15

16 \| Action: @read
Scenario

:

Base

Resource

Routes

Context*

Source of context

Logic

Employee with verified unexpired approval on procedure can read all the data of this procedure

Given Active approval on procedure

When I require read access

Then I can read

Based on procedure

procedure

by id

procedure

DB.procedures._id

There is a verified unexpired approval on procedure granted to the employee (one of user's employee) in MongoDB

...

Rule: @rule_16 | Action: @read

...

Scenario:

...

Base

...

Resource

...

Routes

...

Context*

...

Source of context

...

Logic

...

:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval can read all the data (including merged persons/prepersons data) of specified in approval resource types that relates to patient Given Active approval on resource type(s) When I require read access Then I can read	Based on patient_id	device	by search params	patient_id	patient_id from URL resource_type from URL	There is an active approval on resource type granted to the employee (one of user's employee) in MongoDB
		device	by id		patient_id from URL resource_type from URL
		device_association	by search params		patient_id from URL resource_type from URL
		device_association	by id		patient_id from URL resource_type from URL
		detected_issue	by search params		patient_id from URL resource_type from URL
		detected_issue	by id		patient_id from URL resource_type from URL

- all routes need to have patient_id in context as an core parameter

Rule: @rule_17 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data associated with the care plan created in the employee's legal entity Given Care plan has been created on my legal entity When I require read access Then I can read	Based on care plan	activity	by id	care_plan+ patient_id	DB.activities.care_plan[].id	care_plan.managing_organization.id==token.client_id
		activity	by search params		care_plan_id from URL (search param) & patient_id from path
		medication_request_request	by id		DB.medication_request_request.based_on.care_plan[].id
			by search params		care_plan_id from URL (search param) & patient_id from path
			list in care plan context		care_plan_id & person_id from URL (search param)
		medication_request	by id		DB.medication_request.based_on.care_plan[].id
			by search params		care_plan_id from URL (search param) & patient_id from path
			list in care plan context		care_plan_id & person_id from URL (search param)
		service_request	by id		DB.service_request.based_on.care_plan[].id
		service_request	by search params		care_plan_id from URL (search param) & patient_id from path
		device_request	by id		DB.device_request.based_on.care_plan[].id
		device_request	by search params		care_plan_id from URL ('based_on' search param) & patient_id from path
		encounter	by id	care_plan (based_on service_request)+ patient_id	DB.encounter.based_on.service_request.based_on.care_plan[].id
		diagnostic_report	by id		DB.diagnostic_report.based_on.service_request.based_on.care_plan[].id
		procedure	by id		DB.procedure.based_on.service_request.based_on.care_plan[].id
		medication_dispense	by id (details in person context)	care_plan (based_on medication_request)+ patient_id	DB.medication_dispense.based_on.medication_request.based_on_care_plan_id
		device_dispense	by id (details in person context)	care_plan (based_on device_request)+ patient_id	DB.device_dispense.based_on.device_request.based_on.care_plan[].id

...

Version	Old Version 26	New Version Current
Changes made by	Anastasiia Prokhorova (SoE eHealth) (Unlicensed)	Oksana Demchenko
Saved on	Sep 04, 2024	Dec 04, 2024

Versions Compared

Key

Rule: @rule_-2 | Action: @read | (GraphQL only)

Rule: @rule_-1 | Action: @read

Rule: @rule_0 | Action: @read

Rule: @rule_1 | Action: @read

Rule: @rule_2 | Action: @read

Rule: @rule_3 | Action: @read

Rule: @rule_3 | Action: @read

Rule: @rule_4 | Action: @read

Rule: @rule_4 | Action: @read

Rule: @rule_5 | Action: @read

Rule: @rule_7 | Action: @read

Rule: @rule_8 | Action: @read

Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET

Rule: @rule_6 | Action: @read

Rule: @rule_7 | Action: @read

Rule: @rule_8 | Action: @read

Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET

Rule: @rule_10 | Action: @read

Rule: @rule_11 | Action: @read

Rule: @rule_12 | Action: @read

Rule: @rule_13 | Action: @write

Rule: @rule_14 | Action: @read

Rule: @rule_15 | Action: @read

Rule: @rule_

16 | Action: @read

Rule: @rule_16 | Action: @read

Rule: @rule_17 | Action: @read