/
RCC (CSI-2794) ABAC rules
  • In progress

    • ЕСОЗ - публічна документація

    RCC (CSI-2794) ABAC rules

    Owned by Natalia Horodytska (SoE eHealth)
    Last updated: Feb 12, 2025Version comment
    4 min read

    Rule: @rule_1 | Action: @read 

    Scenario: 

    Base

    Resource

    Routes

    Context

    Source of context

    Logic

    Employee with active declaration can read all patient data (including merged persons/prepersons data)

    Given Active declaration with patient in the MSP from token

    And declaration from the same legal entity

     

    When I require read access

    Then I can read

    Based on  declaration and user token

    episode

    by id

    person_id

    person_id from URL

    There is an active declaration between the patient and the employee in OPS from the same legal entity from token

    by search params

    encounter

    by id

    by search params

    by id in episode context

    by search params in episode context

    observation

    by id

    by search params

    by id in episode context

    by search params in episode context

    condition

    by id

    by search params

    by id in episode context

    by search params in episode context

    service_request

    by id

    by search params

    diagnostic_report

    by id

    by search params

    procedure

    by id

    by search params

    medication_administration

    by id

    by search params

    care_plan

    by id

    by search params

    activity

    by id

    by search params

    approval

    by id

    by search params

    clinical_impression

    by id

    by search params

    medication_request_request 

    & medication_request &
    medication_dispense

    by id

    by search params

    device_request

    by search params

    by id (details in person context)

    device_dispense

    by search params in patient context

    by id (details in person context)

    device

    by search params

     

     

     

    by id (details in person context)

     

     

     

    device_association

    by search params

     

     

     

    by id (details in person context)

     

     

     

    detected_issue

    by search params

     

     

     

    by id (details in person context)

     

     

     

    Rule: @rule_2 | Action: @read 

    Scenario: 

    Base

    Resource

    Routes

    Context

    Source of context

    Logic

    Employee can read entity created in the employee's legal entity 

     

    Given Entity has been created on my legal entity

    When I require read access

    Then I can read

    Based on managing organization

    service_request

    by id

    requester_legal_entity 
    + patient_id

    DB.service_request.managing_organization

    managing_organization==id

    by search param

    search param {managing_organization} from URL

    managing_organization (requester_legal_entity, )==token.client_id

    episode
    diagnostic_report
    procedures
    encounter
    condition
    observation

    by id

    managing_organisation + patient_id

    DB.episode.managing_organization OR DB.diagnostic_report.managing_organization

    managing_organization==id

    by search param

    search param {requester_legal_entity} from URL

    managing_organization (requester_legal_entity, )==token.client_id

    care_plan

    by id

     managing_organisation

    DB.care_plan.managing_organization

    managing_organization ==token.client_id

    by search params

    search param {managing_organization_id} from URL

    activity

    by activity id

    managing_organisation

    DB.care_plan.managing_organization

    managing_organization ==token.client_id

    by search params

    search param {managing_organization_id} from URL

    medication_request_request

    & medication_request &
    medication_dispense

    by id

    legal_entity + patient_id

    search param {legal_entity_id} from URL

    legal_entity_id==id

    by search param

    legal_entity_id==token.client_id

    device_request

    by search params

    requester_legal_entity

    search param {requester_legal_entity} from URL

    requester_legal_entity==token.client_id

    by id (details in person context)

    DB.device_requests.requester_legal_entity

    requester_legal_entity==token.client_id

    device_dispenses

    by search params in patient context

    performer_legal_entity

    search param {performer_legal_entity} from URL

    performer_legal_entity==token.client_id

    by id (details in person context)

    DB.device_requests.performer_legal_entity

    performer_legal_entity==token.client_id

    device

    by search params

    recorder_legal_entity

    search param {recorder_legal_entity} from URL

    recorder_legal_entity==token.client_id

    by id

    DB.devices.recorder_legal_entity

    recorder_legal_entity==token.client_id

    device_association

    by search params

    recorder_legal_entity

    search param {recorder_legal_entity} from URL

    recorder_legal_entity==token.client_id

    by id

    DB.device_associations.recorder_legal_entity

    recorder_legal_entity==token.client_id

    detected_issue

    by search params

    recorder_legal_entity

    search param {recorder_legal_entity} from URL

    recorder_legal_entity==token.client_id

    by id

    DB.detected_issues.recorder_legal_entity

    recorder_legal_entity==token.client_id

    Rule: @rule_4 | Action: @read 

    Scenario: 

    Base

    Resource

    Routes

    Context

    Source of context

    Logic

    Employee with active approval can read all the data (including merged persons/prepersons data) of specified in approval patient

    Given Active approval on patient

    When I require read access

    Then I can read

    Based on patient_id

     

     

     

     

     

    episode

    by id

     patient_id

     

     

     

     

    patient_id from URL

     

     

     

     

    There is an active approval on patient’s data granted to the to the employee (one of user's employee) in MongoDB

     

    by search params

    active diagnosis

    short episodes by search params

    by patient_id in observation context

    by patient_id in condition context

    by patient_id in procedure context

    by patient_id in diagnostic_report context

    encounter

    by id

    by search params

    by id in episode context

    by search params in episode context

    short encounters by search params

    short encounters by ID

    observation

    by id

    by search params

    short observations by search params

    short observation by id

    condition

    by id

    by search params

    short conditions by search params

    short conditions by id

    service_request

    list in episode context

    by search params

    by id in episode context

    by id

    by requisition

    procedure

    by id

    by search params

    short procedures by id

    short procedures by search params

    diagnostic_report

     by id

    by search params

    approved by patient_id

    short diagnostic_reports by search params

    by patient_id in observation context

    short diagnostic_reports by id

    care_plan

    by id

    by search params

    by requisition

    by activity id

    activity

    by id

    by search params

    clinical_impression

    by id

    by search params

    medication_request_request

    by id

    by search params

    medication_request

    by id

    by search params

    medication_dispense

    by id (details in person context)

    by search params (by medication request id)

    device_request

    by search params

    by id (details in person context)

    device_dispense

    by search params in patient context

    by id (details in person context)

    device

    by search params

     

     

     

    by id

     

     

     

    short devices by search params

     

     

     

    short devices by id

     

     

     

    device_association

    by search params

     

     

     

    by id

     

     

     

    detected_issue

    by search params

     

     

     

    by id

     

     

     

    Rule: @rule_12 | Action: @read 

    Scenario: 

    Base

    Resource

    Routes

    Context

    Source of context

    Logic

    Employee with active approval can read the data associated with the care plan

    Given Active approval on care_plan

    When I require read access

    Then I can read

    Based on care plan

    care_plan

    by id

    care_plan + patient_id

    DB.care_plan.id=approvals.granted_resources[].value

    There is an active approval (access_level=read) on the care_plan granted to the employee by the patient (one of user's employee) in MongoDB

    by search params

    DB.care_plan.based_on.care_plan_id=approvals.granted_resources[].value

    activity

    by id

    care_plan + patient_id

    care_plan_id & patient_id from URL (path) 

    by search params

    medication_request_request

    by id

    care_plan + patient_id

    care_plan_id & patient_id from URL (path) 

    by search params

    medication_request

    by id

    care_plan + patient_id

    care_plan_id & patient_id from URL (path) 

    by search params

    medication_dispense

    by id

    care_plan + patient_id

    care_plan_id & patient_id from URL (path) 

    by search params

    device_request

    by id

    care_plan + patient_id

    DB.device_request.based_on.care_plan[].id=approvals.granted_resources[].value

    by search params

    care_plan & patient_id from URL (path)=approvals.granted_resources[].value.care_plan

    Related content

    RC_(MC-1179)_[UPD] ABAC rules
    RC_(MC-1179)_[UPD] ABAC rules
    E-Health
    More like this
    RC._ABAC rules_EN
    RC._ABAC rules_EN
    E-Health
    More like this
    ABAC rules (EN)
    ABAC rules (EN)
    E-Health
    More like this
    AH] ABAC rules (EN) v.3
    AH] ABAC rules (EN) v.3
    E-Health
    More like this

    ЕСОЗ - публічна документація