ЕСОЗ - публічна документація
ABAC rules
| Description |
---|---|
Based on declaration | Doctor with an active declaration can access all the patient's medical data. |
Based on managing organization | User can read entities, created in his MSP |
Based on context episode | User can read medical data, that was collected during an episode of care, that user has access to. |
Based on diagnostic report | User can read medical data, that was collected as a part of a diagnostic report, managed by the user's legal entity. |
Based on origin episode | Doctor can read medical data, that was collected as a part of a diagnostic report or episode of care, that user has access to. |
Based on care plan | User with active approval on the care plan can read or write the data based on this care plan |
Rule | Base | Resource | Routes | Context | Logic | Source of context |
---|---|---|---|---|---|---|
@rule_-1 @read @allergy_intolerance @immunization @risk_assessment @device @medication_statement Scenario: Employee can read insensitive patient’s data Given User access token with client_type not equal to cabinet When I require read access Then I can read | Based on user token | by id | There is an active token | |||
by search params | There is an active token | |||||
@rule_0 @read @episode @encounter @observation @condition @allergy_intolerance @immunization @risk_assessment @device @medication_statement @service_request @diagnostic_report @procedure@medication_administration @care_plan @activity Scenario: Patient can read it's own data Given Patient has access_token given by Cabinet When I require read access Then I can read | Based on patient token | by id | patient_id | There is an active token given by Cabinet to a patient | ||
by search params | ||||||
@rule_1 @read @episode @encounter @observation @condition @service_request @diagnostic_report @procedure @medication_administration @care_plan @activity @approval Scenario: Doctor with active declaration can read all patient data Given Active declaration with patient And declaration from the same MSP When I require read access Then I can read | Based on declaration
| episode | by id | patient_id
| There is an active declaration between the patient and the doctor in OPS | patient_id from URL
|
by search params | ||||||
encounter
| by id | |||||
by search params | ||||||
by id in episode context | ||||||
by search params in episode context | ||||||
observation
| by id | |||||
by search params | ||||||
by id in episode context | ||||||
by search params in episode context | ||||||
condition | by id | |||||
by search params | ||||||
by id in episode context | ||||||
by search params in episode context | ||||||
service_request | by id | |||||
by search params | ||||||
diagnostic_report | by id | |||||
by search params | ||||||
care_plan | by id | |||||
by search params | ||||||
activity | by id | |||||
by search params | ||||||
approval | by id | |||||
by search params | ||||||
@rule_2 @read @episode @service_request @diagnostic_report @procedures Scenario: Doctor can read entity created in the doctors MSP Given Entity has been created on my MSP When I require read access Then I can read
| Based on managing organization
| episode | by id | episode | managing_organization==token.client_id
| DB.episode.managing_organization |
by search params | search param {managing_organization} from URL | |||||
service_request | by id | service request | DB.service_request.managing_organization | |||
by search params | search param {requester_legal_entity} from URL | |||||
diagnostic_report | by id | diagnostic_report | DB.diagnostic_report.managing_organization | |||
by search params | search param {managing_organization} from URL | |||||
procedures | by search params | managing_organization | search param {managing_organization} from URL | |||
@rule_3 @read @encounter @observation @condition @service_request @diagnostic_report @device @medication_statement @immunization @risk_assessment @medication_administration @procedure @allergy_intolerance Scenario: Doctor can read all the data of episodes created in the doctors MSP Given Episode context has been created on my MSP When I require read access Then I can read | Based on context episode | encounter | by id | episode
| episode.managing_organization==token.client_id
| DB.encounter.episode |
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
observation | by id | DB.observation.episode | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
condition | by id | DB.condition.episode | ||||
by search params | search param {episode_id} from URL | |||||
by is in episode context |
| |||||
by search params in episode context | ||||||
service_request | by id | DB.service_request.encounter.episode.managing_organization | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
diagnostic_report | by id | DB.diagnostic_report.encounter.episode.managing_organization | ||||
by search params | context_episode_id from URL (path) | |||||
medication_statement | by id | IF context is encounter THEN: | ||||
by search params | search param {episode_id} from URL | |||||
immunization | by id | IF context is encounter THEN: | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
device | by id | IF context is encounter THEN: | ||||
by search params | search param {episode_id} from URL | |||||
risk_assessment | by id | IF context is encounter THEN: | ||||
by search params | search param {episode_id} from URL | |||||
medication_administration | by id | IF context is encounter THEN: | ||||
by search params | search param {episode_id} from URL | |||||
procedure | by id | DB.procedures.encounter.episode.managing_organization | ||||
by search params | search param {episode_id} from URL | |||||
allergy_intolerance | by id | IF context is encounter THEN: | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
@rule_4 @read @episode @encounter @observation @condition @allergy_intolerance @immunization @risk_assessment @device @medication_statement @service_request @diagnostic_report @medication_administration Scenario: Doctor with active approval can read all the data of specified in approval patient Given Active approval on patient When I require read access Then I can read | not implemented yet | |||||
@rule_5 @read @episode @encounter @observation @condition @allergy_intolerance @immunization @risk_assessment @device @medication_statement@service_request @diagnostic_report @procedure @medication_administration Scenario: Doctor with active approval can read all the data of specified in approval episodes Given Active approval on episode When I require read access Then I can read | Based on context episode
| episode | by id | episode
| There is an active approval on the episode granted to the employee (one of user's employee) in MongoDB
| |
encounter
| by id | DB.encounter.episode | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
observation
| by id | DB.observation.episode | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
condition
| by id | DB.condition.episode | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
by search params in episode context | ||||||
service request | by id | DB.service_requset.encounter.episode | ||||
by search params | search param {episode_id} from URL | |||||
by id in episode context | episode_id from URL (path) | |||||
diagnostic report | by id | DB.diagnostic_report.encounter.episode | ||||
by search params | search param {episode_id} from URL | |||||
procedure | by id | DB.procedures.encounter.episode | ||||
by search params | search param {episode_id} from URL | |||||
@rule_6 @read @diagnostic_report @encounter @procedure Scenario: Doctor can read entity originated by episode created in the doctors MSP Given Entity has been originated by mine MSP episode When I require read access Then I can read | Based on origin episode
| encounter | by id | origin_episode
| origin_episode.managing_organization==token.client_id
| DB.encounter.origin_episode |
by search params | Search param {origin_episode_id} from URL | |||||
diagnostic repost | by id | DB.diagnostic_report.origin_episode | ||||
by search params | Search param {origin_episode_id} from URL | |||||
procedures | by search params | DB.diagnostic_report.origin_episode | ||||
@rule_7 @read @observation Scenario: Doctor can read all the data of diagnostic report originated by episode created in the doctors MSP Given Diagnostic report context has been originated by mine MSP episode When I require read access Then I can read | Based on origin episode | observation | by id | diagnostic_report | origin_episode.managing_organization==token.client_id | DB.observation.diagnostic_report.origin_episode |
by search params | Search param {diagnostic_report_id} from URL | |||||
@rule_8 @read @observation @condition @allergy_intolerance @immunization @risk_assessment @device @medication_statement @service_request @diagnostic_report @procedure @medication_administration Scenario: Doctor can read all the data of encounter originated by episode created in the doctors MSP Given Encounter context has been originated by mine MSP episode When I require read access Then I can read | Based on origin episode | observation | by id | encounter
| origin_episode.managing_organization==token.client_id
| DB.observation.context.origin_episode |
by search params | Search param {encounter_id} from URL | |||||
condition | by id | DB.condition.context.origin_episode | ||||
by search params | Search param {encounter_id} from URL | |||||
service request | by id | DB.service_request.encounter.origin_episode | ||||
by search params | Search param {encounter_id} from URL | |||||
diagnostic_report | by id | DB.diagnostic_report.encounter.origin_episode | ||||
by search params | Search param {encounter_id} from URL | |||||
procedure | by id | DB.procedure.origin_episode | ||||
by search params | Search param {encounter_id} from URL | |||||
@rule_9 @read @encounter @observation @condition @service_request @diagnostic_report Scenario: Doctor with active approval can read data, originated by the episode Given Active approval on episode When I require read access Then I can read | not implemented yet | |||||
@rule_10 @read @observation Scenario: Doctor can read all the data of diagnostic report created in the doctors MSP Given Diagnostic report context has been originated by mine MSP When I require read access Then I can read | Based on diagnostic report | observation | by id | diagnostic_report | diagnostic_report.managing_organization==token.client_id | DB.observation.diagnostic_report.managing_organization |
by search params | Search param {diagnostic_report_id} from URL | |||||
@rule_11 @read @observation Scenario: Doctor with active approval can read all the data of specified in approval diagnostic report Given Active approval on diagnostic report When I require read access Then I can read | Based on diagnostic report | observation | by id | diagnostic_report | There is an active approval on the diagnostic report granted to the employee (one of user's employee) in MongoDB | DB.observation.diagnostic_report |
by search params | Search param {diagnostic_report_id} from URL | |||||
@rule_12 @read @care_plan @activity @medication_request @medication_request_request Scenario: Doctor with active approval can read the data associated with the care plan. Given Active approval on care_plan When I require read access Then I can read | Based on care plan | care_plan | by id | care_plan
| There is an active approval (access_level=read) on the care_plan granted to the employee (one of user's employee) in MongoDB
| DB.care_plan.id=approvals.granted_resources[].value |
activity | by id | care_plan_id from URL (path) DB.activities.care_plan[].id=approvals.granted_resources[].value | ||||
by search params | ||||||
medication_request_requests | by search params | care_plan_id from URL (path) DB.medication_request_requests.based_on.care_plan[].id=approvals.granted_resources[].value | ||||
medication_requests | by search params | care_plan_id from URL (path) DB.medication_requests.based_on.care_plan[].id=approvals.granted_resources[].value | ||||
@rule_13 @write @care_plan @activity @medication_request @medication_request_request Scenario: Doctor with active approval can write the data associated with the care plan. Given Active approval on care_plan When I require write access Then I can write | Based on care plan | care_plan | by id | care_plan | There is an active approval (access_level=write) on the care_plan granted to the employee (one of user's employee) in MongoDB | DB.care_plan.id=approvals.granted_resources[].value |
complete | ||||||
cancel | ||||||
activity | by id | care_plan_id from URL (path) DB.activities.care_plan[].id=approvals.granted_resources[].value | ||||
by search params | ||||||
create | ||||||
complete | ||||||
cancel | ||||||
medication_request_requests | by search params | care_plan_id from URL (path) DB.medication_request_requests.based_on.care_plan[].id=approvals.granted_resources[].value | ||||
medication_requests | by search params | care_plan_id from URL (path) DB.medication_requests.based_on.care_plan[].id=approvals.granted_resources[].value | ||||
@rule_14 @read @service_request @encounter @diagnostic_report @procedure Scenario: User with active approval on the care plan can read the data based on this care plan. Given Entity based on care_plan And Active approval on care_plan When I require read access Then I can read | Based on care plan | service_request | by id | care_plan | There is an active approval (access_level=read/write) on the care_plan granted to the employee (one of user's employee) in MongoDB
| DB.service_request.based_on.care_plan[].id=approvals.granted_resources[].value |
by search params | DB.service_request.based_on.care_plan[].id=approvals.granted_resources[].value | |||||
encounter | by id | DB.encounters.incoming_referral.[].service_requests.based_on.care_plan[].id=approvals.granted_resources[].value | ||||
diagnostic_report | by id | DB.diagnostic_reports.based_on.[].service_requests.based_on.care_plan[].id=approvals.granted_resources[].value | ||||
procedure | by id | DB.procedures.based_on.[].service_requests.based_on.care_plan[].id=approvals.granted_resources[].value |
ЕСОЗ - публічна документація