RC._ABAC rules_EN

1 Rule: @rule_-2 | Action: @read | (GraphQL only)
2 Rule: @rule_-1 | Action: @read
3 Rule: @rule_0 | Action: @read
4 Rule: @rule_1 | Action: @read
5 Rule: @rule_2 | Action: @read
6 Rule: @rule_3 | Action: @read
7 Rule: @rule_4 | Action: @read
8 Rule: @rule_5 | Action: @read
9 Rule: @rule_6 | Action: @read
10 Rule: @rule_7 | Action: @read
11 Rule: @rule_8 | Action: @read
12 Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET
13 Rule: @rule_10 | Action: @read
14 Rule: @rule_11 | Action: @read
15 Rule: @rule_12 | Action: @read
16 Rule: @rule_13 | Action: @write
17 Rule: @rule_14 | Action: @read

Rule base type	Description

Rule base type	Description
Based on declaration	Employee with an active declaration can access all the patient's medical data (including person's/preperson's medical data which were merged with person with active declaration)
Based on managing organization	Employee can read entities, created in his MSP
Based on context episode	Employee can read medical data, that was collected during an episode of care, that employee has access to.
Based on diagnostic report	Employee can read medical data, that was collected as a part of a diagnostic report, managed by the employee's legal entity.
Based on origin episode	Employee can read medical data, that was collected as a part of a diagnostic report or episode of care, that employee has access to. Episode of care, that contains this service request, is considered as an origin episode in that case.
Based on care plan	Employee with active approval on the care plan can read or write the data based on this care plan
Based on patient	Employee with active approval on the patient can read the data related to this patient (including person's/preperson's medical data which were merged with this patient)

Rule: @rule_-2 \| Action: @read \| (GraphQL only)
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
NHS employee can read patient’s data if he has Justification for monitoring Given Justification on monitoring patient's data given by the user (works only from Admin panel, graphql api) When I require read access Then I can read	Based on user token	episode	JustificationFilter schema	patient_id	person_id from JustificationFilter schema	There is an active token & an active justification
		encounter
		observation
		condition
		allergy_intolerance
		immunization
		risk_assessment
		device
		medication_statement
		medication_request
		medication_dispense
		service_request
		diagnostic_report
		procedure
		medication_administration
		care_plan
		activity

Rule: @rule_-1 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read insensitive patient’s data Given User access token with client_type not equal to cabinet When I require read access Then I can read	Based on user token	allergy_intolerance	by id by search params			There is an active token for client_type.name != CABINET
		immunization
		risk_assessment
		device
		medication_statement
		specimen

Rule: @rule_0 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Patient can read it's own data Given Patient has access_token given by Cabinet When I require read access Then I can read	Based on patient token	episode	by id by search params		patient_id from URL	There is an active token given by Cabinet to a patient
		encounter
		observation
		condition
		allergy_intolerance
		immunization
		risk_assessment
		device
		medication_statement
		service_request
		diagnostic_report
		procedure
		medication_administration
		care_plan
		activity
		clinical_impression
		specimen

Rule: @rule_1 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active declaration can read all patient data (including merged persons/prepersons data) Given Active declaration with patient in the MSP from token When I require read access Then I can read	Based on declaration and user token	episode	by id	person_id	person_id from URL	There is an active declaration between the patient and the employee in OPS from the MSP from token
			by search params
		encounter	by id
			by search params
			by id in episode context
			by search params in episode context
		observation	by id
			by search params
			by id in episode context
			by search params in episode context
		condition	by id
			by search params
			by id in episode context
			by search params in episode context
		service_request	by id
			by search params
		diagnostic_report	by id
			by search params
		procedure	by id
			by search params
		medication_administration	by id
			by search params
		care_plan	by id
		activity	by id
			by search params
		approval	by id
			by search params
		clinical_impression	by id
			by search params
		medication_request_request & medication_request & medication_dispense	by id
			by search params
		device_requests	by search params
			by id (details in person context)

Rule: @rule_2 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read entity created in the employee's MSP Given Entity has been created on my MSP When I require read access Then I can read	Based on managing organization	service_request	by id	requester_legal_entity	DB.service_request.managing_organization	managing_organization==id
			by search param		search param {managing_organization} from URL	managing_organization (requester_legal_entity)==token.client_id
		episode diagnostic_report procedures encounter condition observation	by id	managing_organisation	DB.episode.managing_organization OR DB.diagnostic_report.managing_organization	managing_organization==id
			by search param		search param {requester_legal_entity} from URL	managing_organization (requester_legal_entity)==token.client_id
		care_plan	by id	managing_organisation	DB.care_plan.managing_organization	managing_organization ==token.client_id
		activity	by activity id	managing_organisation	DB.care_plan.managing_organization
			by search params		search param {managing_organization_id} from URL
		medication_request_request & medication_request	by id	legal_entity	search param {legal_entity_id} from URL	legal_entity_id==id
			by search param			legal_entity_id ==token.client_id
		medication_dispense	by id (details in person context)	legal_entity	search param {legal_entity_id} from URL	legal_entity_id==id
			by search params (by MR id)			legal_entity_id ==token.client_id
		device_requests	by search params	requester_legal_entity	search param {requester_legal_entity} from URL	requester_legal_entity==token.client_id
			by id (details in person context)		DB.device_requests.requester_legal_entity	requester_legal_entity==token.client_id

Rule: @rule_3 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of episodes created in the employee's MSP Given Episode context has been created on my MSP When I require read access Then I can read	Based on context episode	encounter	by id	episode	DB.encounter.episode	episode.managing_organization==token.client_id
			by search params		search param {episode_id} from URL
			by id in episode context		episode_id from URL (path)
			by search params in episode context		episode_id from URL (path)
		observation	by id	episode	DB.observation.episode	context_episode_id.managing_organization==token.client_id
			by search params		search param {episode_id} from URL	episode.managing_organization==token.client_id
			by id in episode context		episode_id from URL (path)
			by search params in episode context		episode_id from URL (path)
		condition	by id	episode	DB.condition.episode	context_episode_id.managing_organization==token.client_id
			by search params		search param {episode_id} from URL	episode.managing_organization==token.client_id
			by id in episode context		episode_id from URL (path)
			by search params in episode context		episode_id from URL (path)
		service_request	by id	episode	DB.service_request.encounter.episode	service_request.encounter.episode.managing_organization==token.client_id
			by search params		search param {episode_id} from URL	episode.managing_organization==token.client_id
			by id in episode context		episode_id from URL (path)
			by search params in episode context		episode_id from URL (path)
		diagnostic_report	by id	episode	DB.diagnostic_report.encounter.episode	diagnostic_report.encounter.episode.managing_organization==token.client_id
		diagnostic_report	by search params	episode	context_episode_id from URL (path)	episode.managing_organization==token.client_id
		procedure	by id	episode	DB.procedures.encounter.episode	procedures.encounter.episode.managing_organization==token.client_id
		procedure	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		medication_administration	by id	episode	IF context is encounter THEN: DB.medication_administrations.context.episode	medication_administration.encounter.episode.managing_organization==token.client_id
		medication_administration	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		device	by id	episode	IF context is encounter THEN: DB.devices.context.episode	devices.encounter.episode.managing_organization==token.client_id
		device	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		risk_assessment	by id	episode	IF context is encounter THEN: DB.risk_assessments.context.episode	risk_assessments.encounter.episode.managing_organization==token.client_id
		risk_assessment	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		medication_statement	by id	episode	IF context is encounter THEN: DB.medication_statements.context.episode	medication_statements.encounter.episode.managing_organization==token.client_id
		medication_statement	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		immunization	by id	episode	IF context is encounter THEN: DB.immunizations.context.episode	immunizations.encounter.episode.managing_organization==token.client_id
		immunization	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		allergy_intolerance	by id	episode	IF context is encounter THEN: DB.allergy_intolerances.context.episode	allergy_intolerances.encounter.episode.managing_organization==token.client_id
		allergy_intolerance	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		medication_request	by id	episode	DB.medication_request.context_episode_id	medication_requests.context_episode_id.managing_organization==token.client_id
		medication_request	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		medication_dispense	by id	episode	DB.medication_request.context_episode_id	medication_dispenses.medication_requests.context_episode_id.managing_organization==token.client_id
		medication_dispense	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		medication_request_request	by id	episode	DB.medication_request_request.context_episode_id	medication_request_requests.context_episode_id.managing_organization==token.client_id
		medication_request_request	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		clinical_impression	by id	episode	DB.clinical_impression.context_episode_id	clinical_impressions.context_episode_id.managing_organization==token.client_id
		clinical_impression	by search params	episode	search param {episode_id} from URL	episode.managing_organization==token.client_id
		device_requests	by search params	episode	search param {context_episode_id} from URL	episode.managing_organization==token.client_id
		device_requests	by id (details in person context)	episode	DB.device_requests.context_episode_id	device_requests.context_episode_id.managing_organization==token.client_id

Rule: @rule_4 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval can read all the data (including merged persons/prepersons data) of specified in approval patient Given Active approval on patient When I require read access Then I can read	Based on patient_id	episode	by id	patient_id	patient_id OR person_id from URL	There is an active approval on patient’s data granted to the employee (one of user's employee) in MongoDB
			by search params
			active diagnosis
			short episodes by search params
			by patient_id in observation context
			by patient_id in condition context
			by patient_id in procedure context
			by patient_id in diagnostic_report context
		encounter	by id
			by search params
			by id in episode context
			by search params in episode context
			short encounters by search params
			short encounters by ID
		observation	by id
			by search params
			short observations by search params
			short observation by id
		condition	by id
			by search params
			short conditions by search params
			short conditions by id
		service_request	list in episode context
			by search params
			by id in episode context
			by id
			by requisition
		procedure	by id
			by search params
			short procedures by id
			short procedures by search params
		diagnostic_report	by id
			by search params
			approved by patient_id
			short diagnostic_reports by search params
			by patient_id in observation context
			short diagnostic_reports by id
		care_plan	by id
		activity	by activity id
		activity	by search params
		medication_request	by id
		medication_request	by search params
		medication_request_request	by id
		medication_request_request	by search params
		medication_dispense	by id (details in person context)
		medication_dispense	by search params (by MR id)
		clinical_impression	by id
		clinical_impression	by search params
		device_requests	by search params
		device_requests	by id (details in person context)

Rule: @rule_5 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval or employees from legal_entity with active approval can read all the data of specified in approval episodes Given Active approval on episode When I require read access Then I can read	Based on context episode	episode	by id		DB.episode.id	There is an active approval on the episode granted to the employee (one of user's employee) OR to the legal_entity (one of legal_entity's employee) in MongoDB
		encounter	by id	episode	DB.encounter.episode
			by search params		search param {episode_id} from URL
			by id in episode context		episode_id from URL (path)
			by search params in episode context
		observation	by id	episode	DB.observation.episode
			by search params		search param {episode_id} from URL
			by id in episode context		episode_id from URL (path)
			by search params in episode context
		condition	by id	episode	DB.condition.episode
			by search params		search param {episode_id} from URL
			by id in episode context		episode_id from URL (path)
			by search params in episode context
		service request	by id	episode	DB.service_requset.encounter.episode
			by search params		search param {episode_id} from URL
			by id in episode context		episode_id from URL (path)
			by search params in episode context
		diagnostic_report	by id	episode	DB.diagnostic_report.encounter.episode
			by search params		search param {episode_id} from URL
		medication_administration	by id	episode	IF context is encounter THEN: DB.medication_administrations.context.episode
			by search params		search param {episode_id} from URL
		procedure	by id	episode	DB.procedures.encounter.episode
			by search params		search param {episode_id} from URL
		medication_request & medication_dispense	by id	episode	DB.medication_request.context_episode_id
			by search params		search param {episode_id} from URL
		medication_request_request	by id	episode	DB.medication_request_request.context_episode_id
			by search params		search param {episode_id} from URL
		clinical_impression	by id	episode	DB.clinical_impression.context_episode_id
			by search params		search param {episode_id} from URL
		device_requests	by search params	episode	search param {context_episode_id} from URL
			by id (details in person context)		DB.device_requests.context_episode_id

Rule: @rule_6 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read entity originated by episode created in the employee's MSP Given Entity has been originated by mine MSP episode When I require read access Then I can read	Based on origin episode	encounter	by id	origin_episode	DB.encounter.origin_episode	origin_episode.managing_organization==token.client_id
			by search params		Search param {origin_episode_id} from URL
		diagnostic repost	by id	origin_episode	DB.diagnostic_report.origin_episode
			by search params		Search param {origin_episode_id} from URL
		procedures	by id	origin_episode	DB.procedures.encounter.episode
			by search params		search param {episode_id} from URL

Rule: @rule_7 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of diagnostic report originated by episode created in the employee's MSP Given Diagnostic report context has been originated by mine MSP episode When I require read access Then I can read	Based on origin episode	observation	by id	diagnostic_report	DB.observation.diagnostic_report.origin_episode	origin_episode.managing_organization==token.client_id
			by search params		Search param {diagnostic_report_id} from URL

Rule: @rule_8 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of encounter originated by episode created in the employee's MSP Given Encounter context has been originated by mine MSP episode When I require read access Then I can read	Based on origin episode	observation	by id	encounter	DB.observation.context.origin_episode	origin_episode.managing_organization==token.client_id
			by search params		Search param {encounter_id} from URL
		condition	by id	encounter	DB.condition.context.origin_episode
			by search params		Search param {encounter_id} from URL
		diagnostic_report	by id	encounter	DB.diagnostic_report.encounter.origin_episode
			by search params		Search param {encounter_id} from URL
		medication_administration	by id	encounter	IF context is encounter THEN: DB.medication_administrations.context.encounter
			by search params		search param {encounter_id} from URL
		procedure	by id	encounter	DB.procedures.encounter.episode
			by search params		search param {encounter_id} from URL

Rule: @rule_9 \| Action: @read \| NOT IMPLEMENTED YET
Scenario:	Base	Resource	Routes	Context	Source of context	Logic
Employee with active approval can read data, originated by the episode Given Active approval on patient When I require read access Then I can read		encounter
		observation
		condition
		service_request
		diagnostic_report

Rule: @rule_10 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee can read all the data of diagnostic report created in the employee's MSP Given Diagnostic report context has been originated by mine MSP When I require read access Then I can read	Based on diagnostic report	observation	by id	diagnostic_report	DB.observation.diagnostic_report.managing_organization	diagnostic_report.managing_organization==token.client_id
			by search params		Search param {diagnostic_report_id} from URL

Rule: @rule_11 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval or employees from legal_entity with active approval can read all the data of specified in approval diagnostic report Given Active approval on diagnostic report When I require read access Then I can read	Based on diagnostic report	observation	by id	diagnostic_report	DB.observation.diagnostic_report.managing_organization	There is an active approval on the diagnostic report granted to the employee (one of user's employee) OR to the legal_entity (one of legal_entity's employee) in MongoDB
			by search params		Search param {diagnostic_report_id} from URL

Rule: @rule_12 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval can read the data associated with the care plan Given Active approval on care_plan When I require read access Then I can read	Based on care plan	care_plan	by id	care_plan	DB.care_plan.id=approvals.granted_resources[].value	There is an active approval (access_level=read) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
		activity	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params
		medication_request_request	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params
		medication_request	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params
		medication_dispense	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params

Rule: @rule_13 \| Action: @write
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval can write the data associated with the care plan Given Active approval on care_plan When I require write access Then I can write	Based on care plan	care_plan	by id	care_plan	DB.care_plan.id=approvals.granted_resources[].value	There is an active approval (access_level=write) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
		activity	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params
		medication_request_request	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params
		medication_request	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params
		medication_dispense	by id	care_plan	care_plan_id & patient_id from URL (path)
			by search params

Rule: @rule_14 \| Action: @read
Scenario:	Base	Resource	Routes	Context*	Source of context	Logic
Employee with active approval on the care plan can read the data based on this care plan Given Entity based on care_plan When I require read access Then I can read	Based on care plan	service_request	by id	care_plan (based_on)	DB.service_request.based_on.care_plan[].id=approvals.granted_resources[].value	There is an active approval (access_level=read/write) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB
		service_request	by search params	care_plan	care_plan_id from URL (search param) & patient_id from path
		encounter	by id	care_plan (based_on service_request)	DB.encounter.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.diagnostic_report.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value OR DB.procedure.based_on.service_request.based_on.care_plan[].id=approvals.granted_resources[].value
		diagnostic_report	by id
		procedure	by id

- all routes need to have patient_id in context as an core parameter

RC._ABAC rules_EN

Rule: @rule_-2 | Action: @read | (GraphQL only)

Rule: @rule_-1 | Action: @read

Rule: @rule_0 | Action: @read

Rule: @rule_1 | Action: @read

Rule: @rule_2 | Action: @read

Rule: @rule_3 | Action: @read

Rule: @rule_4 | Action: @read

Rule: @rule_5 | Action: @read

Rule: @rule_6 | Action: @read

Rule: @rule_7 | Action: @read

Rule: @rule_8 | Action: @read

Rule: @rule_9 | Action: @read | NOT IMPLEMENTED YET

Rule: @rule_10 | Action: @read

Rule: @rule_11 | Action: @read

Rule: @rule_12 | Action: @read

Rule: @rule_13 | Action: @write

Rule: @rule_14 | Action: @read