RCC (CSI-2794) ABAC rules

Rule: @rule_1 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active declaration can read all patient data (including merged persons/prepersons data) Given Active declaration with patient in the MSP from token And declaration from the same legal entity When I require read access Then I can read	Based on declaration and user token	episode	by id	person_id	person_id from URL	There is an active declaration between the patient and the employee in OPS from the same legal entity from token
		episode	by search params
		encounter	by id
			by search params
			by id in episode context
			by search params in episode context
		observation	by id
			by search params
			by id in episode context
			by search params in episode context
		condition	by id
			by search params
			by id in episode context
			by search params in episode context
		service_request	by id
		service_request	by search params
		diagnostic_report	by id
		diagnostic_report	by search params
		procedure	by id
		procedure	by search params
		medication_administration	by id
		medication_administration	by search params
		care_plan	by id
		care_plan	by search params
		activity	by id
		activity	by search params
		approval	by id
		approval	by search params
		clinical_impression	by id
		clinical_impression	by search params
		medication_request_request & medication_request & medication_dispense	by id
			by search params
		device_request	by search params
		device_request	by id (details in person context)
		device_dispense	by search params in patient context
		device_dispense	by id (details in person context)
		device	by search params
		device	by id (details in person context)
		device_association	by search params
		device_association	by id (details in person context)
		detected_issue	by search params
		detected_issue	by id (details in person context)

Rule: @rule_2 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee can read entity created in the employee's legal entity Given Entity has been created on my legal entity When I require read access Then I can read	Based on managing organization	service_request	by id	requester_legal_entity + patient_id	DB.service_request.managing_organization	managing_organization==id
		service_request	by search param	requester_legal_entity + patient_id	search param {managing_organization} from URL	managing_organization (requester_legal_entity, )==token.client_id
		episode diagnostic_report procedures encounter condition observation	by id	managing_organisation + patient_id	DB.episode.managing_organization OR DB.diagnostic_report.managing_organization	managing_organization==id
			by search param	managing_organisation + patient_id	search param {requester_legal_entity} from URL	managing_organization (requester_legal_entity, )==token.client_id
		care_plan	by id	managing_organisation	DB.care_plan.managing_organization	managing_organization ==token.client_id
		care_plan	by search params	managing_organisation	search param {managing_organization_id} from URL	managing_organization ==token.client_id
		activity	by activity id	managing_organisation	DB.care_plan.managing_organization	managing_organization ==token.client_id
		activity	by search params	managing_organisation	search param {managing_organization_id} from URL	managing_organization ==token.client_id
		medication_request_request & medication_request & medication_dispense	by id	legal_entity + patient_id	search param {legal_entity_id} from URL	legal_entity_id==id
			by search param	legal_entity + patient_id	search param {legal_entity_id} from URL	legal_entity_id==token.client_id
		device_request	by search params	requester_legal_entity	search param {requester_legal_entity} from URL	requester_legal_entity==token.client_id
		device_request	by id (details in person context)	requester_legal_entity	DB.device_requests.requester_legal_entity	requester_legal_entity==token.client_id
		device_dispenses	by search params in patient context	performer_legal_entity	search param {performer_legal_entity} from URL	performer_legal_entity==token.client_id
		device_dispenses	by id (details in person context)	performer_legal_entity	DB.device_requests.performer_legal_entity	performer_legal_entity==token.client_id
		device	by search params	recorder_legal_entity	search param {recorder_legal_entity} from URL	recorder_legal_entity==token.client_id
		device	by id	recorder_legal_entity	DB.devices.recorder_legal_entity	recorder_legal_entity==token.client_id
		device_association	by search params	recorder_legal_entity	search param {recorder_legal_entity} from URL	recorder_legal_entity==token.client_id
		device_association	by id	recorder_legal_entity	DB.device_associations.recorder_legal_entity	recorder_legal_entity==token.client_id
		detected_issue	by search params	recorder_legal_entity	search param {recorder_legal_entity} from URL	recorder_legal_entity==token.client_id
		detected_issue	by id	recorder_legal_entity	DB.detected_issues.recorder_legal_entity	recorder_legal_entity==token.client_id

Rule: @rule_4 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active approval can read all the data (including merged persons/prepersons data) of specified in approval patient Given Active approval on patient When I require read access Then I can read	Based on patient_id	episode	by id	patient_id	patient_id from URL	There is an active approval on patient’s data granted to the to the employee (one of user's employee) in MongoDB
			by search params
			active diagnosis
			short episodes by search params
			by patient_id in observation context
			by patient_id in condition context
			by patient_id in procedure context
			by patient_id in diagnostic_report context
		encounter	by id
			by search params
			by id in episode context
			by search params in episode context
			short encounters by search params
			short encounters by ID
		observation	by id
			by search params
			short observations by search params
			short observation by id
		condition	by id
			by search params
			short conditions by search params
			short conditions by id
		service_request	list in episode context
			by search params
			by id in episode context
			by id
			by requisition
		procedure	by id
			by search params
			short procedures by id
			short procedures by search params
		diagnostic_report	by id
			by search params
			approved by patient_id
			short diagnostic_reports by search params
			by patient_id in observation context
			short diagnostic_reports by id
		care_plan	by id
			by search params
			by requisition
			by activity id
		activity	by id
		activity	by search params
		clinical_impression	by id
		clinical_impression	by search params
		medication_request_request	by id
		medication_request_request	by search params
		medication_request	by id
		medication_request	by search params
		medication_dispense	by id (details in person context)
		medication_dispense	by search params (by medication request id)
		device_request	by search params
		device_request	by id (details in person context)
		device_dispense	by search params in patient context
		device_dispense	by id (details in person context)
		device	by search params
			by id
			short devices by search params
			short devices by id
		device_association	by search params
		device_association	by id
		detected_issue	by search params
		detected_issue	by id

Rule: @rule_12 \| Action: @read
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active approval can read the data associated with the care plan Given Active approval on care_plan When I require read access Then I can read	Based on care plan	care_plan	by id	care_plan + patient_id	DB.care_plan.id=approvals.granted_resources[].value	There is an active approval (access_level=read) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
			by search params		DB.care_plan.based_on.care_plan_id=approvals.granted_resources[].value
		activity	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		medication_request_request	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		medication_request	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		medication_dispense	by id	care_plan + patient_id	care_plan_id & patient_id from URL (path)
			by search params
		device_request	by id	care_plan + patient_id	DB.device_request.based_on.care_plan[].id=approvals.granted_resources[].value
			by search params		care_plan & patient_id from URL (path)=approvals.granted_resources[].value.care_plan

Rule: @rule_1 | Action: @read

Rule: @rule_2 | Action: @read

Rule: @rule_4 | Action: @read

Rule: @rule_12 | Action: @read