...

The authorization module performs access control for eHealth resources. The protected object is the combination of a REST endpoint and an HTTP method.

For example:

GET /api/legal_entities

POST /api/employee_requests

POST /api/employee_requests/:id/approve

The auth module does not take the exact instance of a resource into account; the check stops at the resource type level.

For example, for `POST /api/employee_requests/:id/approve` auth checks whether the user can approve employee_requests in general, not whether the user can approve the particular employee_request identified by :id.

Protection levels

Level: no protection

Description: some endpoints are not protected at all. In this case auth is not used.

Flow:

User-->>eHealth

System-->>eHealth

For example:

GET /api/dictionaries

GET /api/uaddresses/regions

Level: direct access

Description: is used to access resources directly, without MIS brokers.

Flow:

User-->>eHealth

The system will check whether the user has access to the requested resource.

An access_token with the proper scope is required to access the resource.

For example, endpoints that are used by the NHS admin:

GET /api/innms

Level: broker access

Description: is used to access eHealth resources via MIS providers.

Flow:

User-->>MIS-->>eHealth

An access_token with the proper scope is required.

A MIS api-key with the proper broker_scope is required.

Most of the endpoints are protected with this level.

Level: api-key access

Description: is used to access eHealth resources by other systems (clients), for example MISes. No user token is required.

Flow:

MIS-->>eHealth

List of endpoints:

GET /api/events/id

GET /api/events

POST /api/legal_entities
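The following is an added example, not code from the eHealth project, showing how the four protection levels above translate into a single authorization decision. It matches the protected object (endpoint + method) with ":id"-style segments treated as wildcards, so the concrete instance never affects the result. The route-to-level assignments for the employee_requests approve endpoint, the scope names, and the shape of the access_token and api-key objects are assumptions made for the example.

```python
"""Added example (not eHealth project code): authorization by protection level.

Assumptions (not from the page): scope names, the AccessToken / ApiKey
structures, and which level the employee_requests approve route belongs to.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Level(Enum):
    NO_PROTECTION = "no protection"
    DIRECT = "direct access"
    BROKER = "broker access"
    API_KEY = "api-key access"


@dataclass(frozen=True)
class Route:
    method: str
    pattern: str                 # path template; ":id"-style segments match any value
    level: Level
    scope: Optional[str] = None  # scope required in the access_token / api-key broker_scope


@dataclass(frozen=True)
class AccessToken:
    scopes: frozenset            # scopes granted to the user


@dataclass(frozen=True)
class ApiKey:
    broker_scopes: frozenset     # broker_scope values granted to the MIS


# Constructed route table. Endpoints are the ones named on the page; the level of
# the approve route and all scope names are assumptions for this example.
ROUTES = [
    Route("GET", "/api/dictionaries", Level.NO_PROTECTION),
    Route("GET", "/api/innms", Level.DIRECT, "innm:read"),
    Route("POST", "/api/employee_requests/:id/approve", Level.BROKER, "employee_request:approve"),
    Route("POST", "/api/legal_entities", Level.API_KEY, "legal_entity:write"),
]


def match_route(method: str, path: str) -> Optional[Route]:
    """Find the protected object for a request. Template segments starting with
    ':' match any value, so the decision is made at resource-type level and the
    concrete :id never influences it."""
    segs = path.strip("/").split("/")
    for route in ROUTES:
        if route.method != method:
            continue
        tmpl = route.pattern.strip("/").split("/")
        if len(tmpl) == len(segs) and all(
            t.startswith(":") or t == s for t, s in zip(tmpl, segs)
        ):
            return route
    return None


def authorize(method: str, path: str,
              token: Optional[AccessToken] = None,
              api_key: Optional[ApiKey] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request under the route's protection level."""
    route = match_route(method, path)
    if route is None:
        return False, "unknown endpoint"          # deny by default
    has_scope = token is not None and route.scope in token.scopes
    has_broker_scope = api_key is not None and route.scope in api_key.broker_scopes

    if route.level is Level.NO_PROTECTION:
        return True, "no protection: auth not used"
    if route.level is Level.DIRECT:
        # User -->> eHealth: user token with the proper scope is enough
        return (True, "ok") if has_scope else (False, "access_token with scope required")
    if route.level is Level.BROKER:
        # User -->> MIS -->> eHealth: both the user token and the MIS api-key must carry the scope
        if not has_scope:
            return False, "access_token with scope required"
        if not has_broker_scope:
            return False, "api-key with broker_scope required"
        return True, "ok"
    if route.level is Level.API_KEY:
        # MIS -->> eHealth: no user token; the api-key alone is checked (assumed scope check)
        return (True, "ok") if has_broker_scope else (False, "api-key with scope required")
    return False, "unknown protection level"


if __name__ == "__main__":
    tok = AccessToken(frozenset({"employee_request:approve"}))
    key = ApiKey(frozenset({"employee_request:approve"}))
    print(authorize("GET", "/api/dictionaries"))
    print(authorize("POST", "/api/employee_requests/123/approve", tok))
    print(authorize("POST", "/api/employee_requests/123/approve", tok, key))
```

Because `match_route` ignores the value of the `:id` segment, the same token and api-key yield the same decision for `/api/employee_requests/123/approve` and `/api/employee_requests/999/approve`; any per-instance restriction has to be enforced by the resource handler itself, which is exactly the limitation the text above describes.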

List of endpoints:

GET /api/events/id

GET /api/events

POST /api/legal_entities

Functional requirements

Authentication

...