ЕСОЗ - публічна документація
(RC-01 FORBIDDEN) Create approval
Specification
Validate request
Validate request using JSON schema
Authorize
Verify the validity of access token
Check user scope approval:create in order to perform this action
Logic
Approvals are processed in the async way
User can create approval only for employee from his legal entity
client_id from token should be linked with employee_id from granted_to object.
granted_to.employee_id should be active.
If service_request block is presented in request
(only in active status)
use Response.permitted_resources as resources for approval(could be episode or diagnostic_report).
if forbidden_group block is presented in request
Check forbidden group in the request exists and is_active in DB
in case of error return - 404 (not found)
Check patient_id:
if belongs to person, then GET auth_method from MPI using {patient_id}
If it's OTP:
send SMS to the auth_phone via otp_verification service POST /verifications
save approval to DB
save authentication_method_current.type and number to DB
return authentication_method_current.type = OTP
If it is offline
save approval to DB
save authentication_method_current.type and number to DB
return authentication_method_current.type = offline
if it is null:
return error 409 (Person hasn’t active authentication methods. It is necessary to add)
if belongs to preperson:
save approval to DB
set approval status = active
set approval urgent = null
Validate access_level
Validate that access_level correspond to granted_resources:
In case error return 422 ("Resource types [\"$.granted_resources[].code\"] not allowed to use write access_level")
granted_resources | access_level | access to | |
---|---|---|---|
resources | episode_of_care | read | Reading all the data of specified in approval episode |
diagnostic_report | read | Reading all the data of specified in approval diagnostic report | |
care_plan | read | Reading all the data of specified in approval care plan | |
care_plan | write | Creating activities for care plan | |
service_request | episode_of_care diagnostic_report | read | Reading data from permitted_resources in approval service request |
forbidden_group | forbidden_group | read | Reading all the medical events with items (codes/services/service_groups) of specified in approval forbidden groups |
Validate authorize_with
The patient can pass the id of his auth_method which he wants to confirm the approval. The necessary auth method can be found by making Get person's auth methods
validate auth_method.id is UUID
in case error return 422
search auth method in MPI.person_authentication_method
in case error return 422, "such authentication method doesn't exist"
search auth method of this patient where MPI.person_authentication_method.person_id = $.patient.id
in case error return 422, "such authentication method does not belong to this person"
validate if auth_method.type = NA
error return 422, "Сannot be confirmed by a method with type= NA. Use a different method."
validate that this method is active ( authentication_method.ended_at > now() and is_active = true)
This field is optional and set in new field authorize_with
and save type
and phone_number
in approvals.urgent.authentication_method_current.
If approval doesn't have this field, then choose that method which is returned from mpi as person's default method.
Additional logic
All the approvals in status "new" should be deleted 12 hours after creation - env. configuration parameter
All approvals with forbidden_group has its own expires_at config parameter (longer than for another approvals) - env. configuration parameter
ЕСОЗ - публічна документація