ЕСОЗ - public documentation
RC_ABAC rules v2_UA
- 1 Rule: @rule_-2 | Action: @read | (GraphQL only)
- 2 Rule: @rule_-1 | Action: @read
- 3 Rule: @rule_0 | Action: @read
- 4 Rule: @rule_1 | Action: @read
- 5 Rule: @rule_2 | Action: @read
- 6 Rule: @rule_3 | Action: @read
- 7 Rule: @rule_4 | Action: @read | TO IMPLEMENT
- 8 Rule: @rule_5 | Action: @read
- 9 Rule: @rule_6 | Action: @read
- 10 Rule: @rule_7 | Action: @read
- 11 Rule: @rule_8 | Action: @read
- 12 Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET
- 13 Rule: @rule_10 | Action: @read
- 14 Rule: @rule_11 | Action: @read
- 15 Rule: @rule_12 | Action: @read
- 16 Rule: @rule_13 | Action: @write
- 17 Rule: @rule_14 | Action: @read
| Rule type | Description |
|---|---|
| Based on declaration | A doctor with an active declaration has access to all of the patient's data. |
| Based on managing organization | A user can read entities created in the given MSP. |
| Based on context episode | A user can read data created within an episode of care to which the user has access. |
| Based on diagnostic report | A user can read data that is part of a diagnostic report managed by the user's legal entity. |
| Based on origin episode | A doctor can read data that was created as part of a diagnostic report or an episode of care to which the user has access. |
| Based on care plan | A user with an active approval on a care plan can read and edit data based on that care plan. |
Rule: @rule_-2 | Action: @read | (GraphQL only)

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| NHS employee can read a patient's data if he has a justification for monitoring. Given Justification on monitoring the patient's data given by the user (works only from the Admin panel, GraphQL API) | On the user's token | episode | JustificationFilter schema | patient_id | person_id from JustificationFilter schema | There is an active token and an active justification |
| | | encounter | | | | |
| | | observation | | | | |
| | | condition | | | | |
| | | allergy_intolerance | | | | |
| | | immunization | | | | |
| | | risk_assessment | | | | |
| | | device | | | | |
| | | medication_statement | | | | |
| | | medication_request | | | | |
| | | medication_dispense | | | | |
| | | service_request | | | | |
| | | diagnostic_report | | | | |
| | | procedure | | | | |
| | | medication_administration | | | | |
| | | care_plan | | | | |
| | | activity | | | | |
Rule: @rule_-1 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read a patient's non-sensitive data. When I require read access Then I can read | On the user's token | allergy_intolerance | by id | | | There is an active token with client_type.name != CABINET |
| | | immunization | | | | |
| | | risk_assessment | | | | |
| | | device | | | | |
| | | medication_statement | | | | |
Rule: @rule_0 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Patient can read its own data. When I require read access Then I can read | On the user's token | episode | by id | patient_id | patient_id from URL | There is an active token issued to the patient from the Cabinet |
| | | encounter | | | | |
| | | observation | | | | |
| | | condition | | | | |
| | | allergy_intolerance | | | | |
| | | immunization | | | | |
| | | risk_assessment | | | | |
| | | device | | | | |
| | | medication_statement | | | | |
| | | service_request | | | | |
| | | diagnostic_report | | | | |
| | | procedure | | | | |
| | | medication_administration | | | | |
| | | care_plan | | | | |
| | | activity | | | | |
| | | clinical_impression | | | | |
Rule: @rule_1 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active declaration can read all patient data. When I require read access Then I can read | Based on the declaration and the user's token | episode | by id | person_id | person_id from URL | There is an active declaration between the patient and a doctor (OPS) of the same MSP as in the token |
| | | | by search params | | | |
| | | encounter | by id | | | |
| | | | by search params | | | |
| | | | by id in episode context | | | |
| | | | by search params in episode context | | | |
| | | observation | by id | | | |
| | | | by search params | | | |
| | | | by id in episode context | | | |
| | | | by search params in episode context | | | |
| | | condition | by id | | | |
| | | | by search params | | | |
| | | | by id in episode context | | | |
| | | | by search params in episode context | | | |
| | | service_request | by id | | | |
| | | | by search params | | | |
| | | diagnostic_report | by id | | | |
| | | | by search params | | | |
| | | procedure | by id | | | |
| | | | by search params | | | |
| | | medication_administration | by id | | | |
| | | | by search params | | | |
| | | care_plan | by id | | | |
| | | | by search params | | | |
| | | activity | by id | | | |
| | | | by search params | | | |
| | | approval | by id | | | |
| | | | by search params | | | |
| | | clinical_impression | by id | | | |
| | | | by search params | | | |
| | | medication_request_request | by id | | | |
| | | | by search params | | | |
| | | medication_request | by id | | | |
| | | | by search params | | | |
| | | medication_dispense | by id | | | |
| | | | by search params (Search Medication dispenses by Medication request ID) | | | |
Rule: @rule_2 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read an entity created in the employee's MSP. When I require read access Then I can read | Based on the managing organization | service_request | by id | requester_legal_entity | DB.service_request.managing_organization | managing_organization==id |
| | | | by search param | | search param {managing_organization} from URL | managing_organization (requester_legal_entity)==token.client_id |
| | | episode | by id | managing_organization + patient_id | DB.episode.managing_organization OR DB.diagnostic_report.managing_organization | managing_organization==id |
| | | | by search param | | search param {requester_legal_entity} from URL | managing_organization (requester_legal_entity)==token.client_id |
| | | medication_request_request | by id | legal_entity + patient_id | search param {legal_entity_id} from URL | legal_entity_id==id |
| | | | by search param | | | legal_entity_id==token.client_id |
| | | medication_request | by id | legal_entity + patient_id | search param {legal_entity_id} from URL | legal_entity_id==id |
| | | | by search param | | | legal_entity_id==token.client_id |
| | | medication_dispense | by id | legal_entity + patient_id | search param {legal_entity_id} from URL | legal_entity_id==id |
| | | | by search param (Search Medication dispenses by Medication request ID) | | | legal_entity_id==token.client_id |
Rule: @rule_3 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read all the data of episodes created in the employee's MSP. Given Episode context has been created in my MSP When I require read access Then I can read | Based on the episode context | encounter | by id | episode | DB.encounter.episode | episode.managing_organization==token.client_id |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | observation | by id | episode | DB.observation.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | condition | by id | episode | DB.condition.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | service_request | by id | episode | DB.service_request.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | diagnostic_report | by id | episode | DB.diagnostic_report.encounter.episode | |
| | | | by search params | | context_episode_id from URL (path) | |
| | | procedure | by id | episode | DB.procedures.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_administration | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | device | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | risk_assessment | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_statement | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | immunization | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | allergy_intolerance | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_request | by id | episode | DB.medication_request.context_episode_id | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_dispense | by id | episode | DB.medication_request.context_episode_id | |
| | | | by search params (Search Medication dispenses by Medication request ID) | | search param {episode_id} from URL | |
| | | medication_request_request | by id | episode | DB.medication_request_request.context_episode_id | |
| | | | by search params | | search param {episode_id} from URL | |
| | | clinical_impression | by id | episode | DB.clinical_impression.context_episode_id | |
| | | | by search params | | search param {episode_id} from URL | |
Rule: @rule_4 | Action: @read | TO IMPLEMENT

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval can read all the data of the patient specified in the approval. Given Active approval on patient When I require read access Then I can read | Based on patient_id | episode | | patient_id | patient_id from URL | There is an active approval on the patient's data granted to an employee (one of the user's employees) in MongoDB |
| | | encounter | | | | |
| | | observation | | | | |
| | | condition | | | | |
| | | service_request | | | | |
| | | procedure | | | | |
| | | diagnostic_report | | | | |
| | | care_plan | | | | |
| | | activity | | | | |
Rule: @rule_5 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval can read all the data of the episodes specified in the approval. Given Active approval on episode When I require read access Then I can read | Based on the episode context | episode | by id | | DB.episode.id | There is an active approval on the episode granted to an employee (one of the user's employees) in MongoDB |
| | | encounter | by id | episode | DB.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | observation | by id | episode | DB.observation.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | condition | by id | episode | DB.condition.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | service_request | by id | episode | DB.service_request.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | | by id in episode context | | episode_id from URL (path) | |
| | | | by search params in episode context | | | |
| | | diagnostic_report | by id | episode | DB.diagnostic_report.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_administration | by id | episode | IF context is encounter THEN: | |
| | | | by search params | | search param {episode_id} from URL | |
| | | procedure | by id | episode | DB.procedures.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_request | by id | episode | DB.medication_request.context_episode_id | |
| | | | by search params | | search param {episode_id} from URL | |
| | | medication_dispense | by id | episode | DB.medication_request.context_episode_id | |
| | | | by search param (Search Medication dispenses by Medication request ID) | | search param {episode_id} from URL | |
| | | medication_request_request | by id | episode | DB.medication_request_request.context_episode_id | |
| | | | by search params | | search param {episode_id} from URL | |
| | | clinical_impression | by id | episode | DB.clinical_impression.context_episode_id | |
| | | | by search params | | search param {episode_id} from URL | |
Rule: @rule_6 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read an entity originated by an episode created in the employee's MSP. Given Entity has been originated by my MSP's episode When I require read access Then I can read | Based on the origin episode | encounter | by id | origin_episode | DB.encounter.origin_episode | origin_episode.managing_organization==token.client_id |
| | | | by search params | | search param {origin_episode_id} from URL | |
| | | diagnostic_report | by id | origin_episode | DB.diagnostic_report.origin_episode | |
| | | | by search params | | search param {origin_episode_id} from URL | |
| | | procedure | by id | origin_episode | DB.procedures.encounter.episode | |
| | | | by search params | | search param {episode_id} from URL | |
Rule: @rule_7 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read all the data of a diagnostic report originated by an episode created in the employee's MSP. Given Diagnostic report context has been originated by my MSP's episode When I require read access Then I can read | Based on the origin episode | observation | by id | diagnostic_report | DB.observation.diagnostic_report.origin_episode | origin_episode.managing_organization==token.client_id |
| | | | by search params | | search param {diagnostic_report_id} from URL | |
Rule: @rule_8 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read all the data of an encounter originated by an episode created in the employee's MSP. Given Encounter context has been originated by my MSP's episode When I require read access Then I can read | Based on the origin episode | observation | by id | encounter | DB.observation.context.origin_episode | origin_episode.managing_organization==token.client_id |
| | | | by search params | | search param {encounter_id} from URL | |
| | | condition | by id | encounter | DB.condition.context.origin_episode | |
| | | | by search params | | search param {encounter_id} from URL | |
| | | diagnostic_report | by id | encounter | DB.diagnostic_report.encounter.origin_episode | |
| | | | by search params | | search param {encounter_id} from URL | |
| | | medication_administration | by id | encounter | IF context is encounter THEN: | |
| | | | by search params | | search param {encounter_id} from URL | |
| | | procedure | by id | encounter | DB.procedures.encounter.episode | |
| | | | by search params | | search param {encounter_id} from URL | |
| | | medication_request | by id | encounter | DB.medication_request.context | |
| | | | by search params | | search param {encounter_id} from URL | |
| | | medication_request_request | by id | encounter | DB.medication_request_request.context | |
| | | | by search params | | search param {encounter_id} from URL | |
Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval can read data originated by the episode. Given Active approval on patient When I require read access Then I can read | | encounter | | | | |
| | | observation | | | | |
| | | condition | | | | |
| | | service_request | | | | |
| | | diagnostic_report | | | | |
Rule: @rule_10 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee can read all the data of a diagnostic report created in the employee's MSP. Given Diagnostic report context has been originated by my MSP When I require read access Then I can read | Based on the diagnostic report | observation | by id | diagnostic_report | DB.observation.diagnostic_report.managing_organization | diagnostic_report.managing_organization==token.client_id |
| | | | by search params | | search param {diagnostic_report_id} from URL | |
Rule: @rule_11 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval can read all the data of the diagnostic report specified in the approval. Given Active approval on diagnostic report When I require read access Then I can read | Based on the diagnostic report | observation | by id | diagnostic_report | DB.observation.diagnostic_report.managing_organization | There is an active approval on the diagnostic report granted to an employee (one of the user's employees) in MongoDB |
| | | | by search params | | search param {diagnostic_report_id} from URL | |
Rule: @rule_12 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval can read the data associated with the care plan. Given Active approval on care_plan When I require read access Then I can read | Based on the care plan | care_plan | by id | care_plan + patient_id | DB.care_plan.id=approvals.granted_resources[].value | There is an active approval (access_level=read) on the care_plan granted by the patient to an employee (one of the user's employees) in MongoDB |
| | | activity | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params | | | |
| | | medication_request_request | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params | | | |
| | | medication_request | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params | | | |
| | | medication_dispense | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params (Search Medication dispenses by Medication request ID) | | | |
Rule: @rule_13 | Action: @write

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval can write the data associated with the care plan. Given Active approval on care_plan When I require write access Then I can write | Based on the care plan | care_plan | by id | care_plan + patient_id | DB.care_plan.id=approvals.granted_resources[].value | There is an active approval (access_level=write) on the care_plan granted to an employee (one of the user's employees) in MongoDB |
| | | activity | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params | | | |
| | | medication_request_request | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params | | | |
| | | medication_request | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params | | | |
| | | medication_dispense | by id | care_plan + patient_id | care_plan_id & patient_id from URL (path) | |
| | | | by search params (Search Medication dispenses by Medication request ID) | | | |
Rule: @rule_14 | Action: @read

| Rule | Based on | Resource | Reference | Context | Content source | Logic |
|---|---|---|---|---|---|---|
| Employee with active approval on the care plan can read the data based on this care plan. Given Entity based on care_plan When I require read access Then I can read | Based on the care plan | service_request | by id | care_plan (based_on) + patient_id | DB.service_request.based_on.care_plan[].id=approvals.granted_resources[].value | There is an active approval (access_level=read/write) on the care_plan granted to an employee (one of the user's employees) in MongoDB |
| | | | by search params | care_plan + patient_id | care_plan_id from URL (search param) & patient_id from path | |
| | | encounter | by id | patient_id -> care_plan (based_on service_request) | DB.encounter.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.diagnostic_report.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.procedure.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value | |
| | | diagnostic_report | by id | | | |
| | | procedure | by id | | | |
- For all resources, patient_id must be specified in the context as an additional parameter.
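Added example, written for this page and not the ЕСОЗ implementation: a deny-by-default evaluator for a subset of the rules above (rule_-1, rule_0, rule_1, rule_2 and rule_3 for read, rule_13 for write) that also enforces the closing note that every request carries a patient_id, so a record is only visible under its own patient. The Token, Request and DB shapes, the MSP/CABINET client types, the approval fields and all sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
INSENSITIVE = {"allergy_intolerance", "immunization", "risk_assessment", "device",
               "medication_statement"}  # the rule_-1 resources listed on the page

@dataclass
class Token:
    active: bool
    client_type: str          # assumed values: "MSP" or "CABINET"
    client_id: str            # the user's legal entity (token.client_id on the page)
    person_id: str = ""       # assumed: the patient behind a Cabinet token
    employee_ids: tuple = ()  # assumed: employees of the user's legal entity
@dataclass
class Request:
    action: str               # "read" or "write"
    resource: str             # e.g. "encounter"
    patient_id: str           # required for every resource (see the closing note)
    context: dict = field(default_factory=dict)  # e.g. {"id": ..., "episode_id": ...}
# Constructed sample data standing in for declarations, approvals and DB records.
DB = {
    "declarations": [{"patient_id": "p1", "legal_entity_id": "msp-A", "active": True}],
    "approvals": [{"patient_id": "p1", "granted_to": "e2", "resource": "care_plan",
                   "value": "cp1", "access_level": "write", "active": True}],
    "episode": {"ep1": {"patient_id": "p1", "managing_organization": "msp-A"},
                "ep2": {"patient_id": "p2", "managing_organization": "msp-A"}},
    "service_request": {"sr1": {"patient_id": "p1", "managing_organization": "msp-B"}},
}
def record(db, req):
    """Record addressed by context['id'], but only if it belongs to req.patient_id."""
    rec = db.get(req.resource, {}).get(req.context.get("id"), {})
    return rec if rec.get("patient_id") == req.patient_id else {}

def episode_org(db, req):
    """managing_organization of the patient's episode (from the URL path or the record)."""
    ep = db["episode"].get(req.context.get("episode_id") or record(db, req).get("episode"), {})
    return ep.get("managing_organization") if ep.get("patient_id") == req.patient_id else None

def active_declaration(db, tok, req):
    """rule_1: an active declaration between the patient and the MSP in the token."""
    return any(d["active"] and d["patient_id"] == req.patient_id
               and d["legal_entity_id"] == tok.client_id for d in db["declarations"])

def active_approval(db, tok, req, resource, level):
    """rule_13: active approval with this access_level on the resource from the URL path."""
    return any(a["active"] and a["patient_id"] == req.patient_id and a["resource"] == resource
               and a["granted_to"] in tok.employee_ids and a["access_level"] == level
               and a["value"] == req.context.get(resource + "_id") for a in db["approvals"])

# (rule, action, predicate) in the page's order; the first matching rule grants access.
RULES = [
    ("rule_-1", "read", lambda db, t, r: r.resource in INSENSITIVE and t.client_type != "CABINET"),
    ("rule_0", "read", lambda db, t, r: t.client_type == "CABINET" and t.person_id == r.patient_id),
    ("rule_1", "read", lambda db, t, r: t.client_type != "CABINET" and active_declaration(db, t, r)),
    ("rule_2", "read", lambda db, t, r: record(db, r).get("managing_organization") == t.client_id),
    ("rule_3", "read", lambda db, t, r: episode_org(db, r) == t.client_id),
    ("rule_13", "write", lambda db, t, r: active_approval(db, t, r, "care_plan", "write")),
]
def authorize(tok, req, db=DB):
    """Deny by default: an inactive token or a missing patient_id never matches."""
    if not tok.active or not req.patient_id:
        return False, None
    for name, action, pred in RULES:
        if action == req.action and pred(db, tok, req):
            return True, name
    return False, None
```

Rules the page marks TO IMPLEMENT or NOT IMPLEMENTED YET (rule_4, rule_9) are deliberately absent, so requests that would rely on them are denied.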