Access control for the Forms module can be set via Aidbox
SDC Roles Access
The SDC module suggests several roles, which can be used independently or combined.
For DEVELOPMENT, and to keep configuration simple, it's better to use a role with full access.
For PRODUCTION, it's better to have separate roles with more precise access patterns.
For example, we can split users into 3 groups:
- form designer - creates and manages forms
- form filler - end user who fills in the form
- response manager - reviews responses + populates new forms
SDC Admin
Policies:
- CRUD on all SDC resources (Questionnaire/QuestionnaireResponse/QuestionnaireTheme/SDCConfig/SDCPrintTemplate)
- CRUD on production resources (Patient/Encounter/Observation resources)
- terminology related endpoints
as-sdc-admin-forms-grid-rpc policy
Access to:
PUT /AccessPolicy/as-sdc-admin-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-admin-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
  aidbox.sdc.grid/get-definition:
    user:
      roles:
        $contains:
          value: sdc-admin
  aidbox.sdc.patient/forms-grid:
    user:
      roles:
        $contains:
          value: sdc-admin
  aidbox.sdc.patient/documents-workflows-grid:
    user:
      roles:
        $contains:
          value: sdc-admin
as-sdc-admin-manage-sdc-resources policy
CRUD access to the following resources:
PUT /AccessPolicy/as-sdc-admin-manage-sdc-resources
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-manage-sdc-resources
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#/Questionnaire/.*$'
      - '#/Questionnaire$'
      - '#/QuestionnaireResponse/.*$'
      - '#/QuestionnaireResponse$'
      - '#/QuestionnaireTheme/.*$'
      - '#/QuestionnaireTheme$'
      - '#/SDCPrintTemplate/.*$'
      - '#/SDCPrintTemplate$'
      - '#/SDCConfig/.*$'
      - '#/SDCConfig$'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
      - patch
as-sdc-admin-manage-production-fhir-resources policy
CRUD access to the following FHIR resources:
These are typical resources that are often used in the SDC flow, but you are free to add your own.
PUT /AccessPolicy/as-sdc-admin-manage-production-fhir-resources
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-manage-production-fhir-resources
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#/Patient/.*$'
      - '#/Patient$'
      - '#/Encounter/.*$'
      - '#/Encounter$'
      - '#/Observation/.*$'
      - '#/Observation$'
      - '#/Organization/.*$'
      - '#/Organization$'
      - '#/Practitioner/.*$'
      - '#/Practitioner$'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
      - patch
as-sdc-admin-use-sdc-operations policy
PUT /AccessPolicy/as-sdc-admin-use-sdc-operations
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-use-sdc-operations
resourceType: AccessPolicy
engine: matcho
matcho:
  # limit these operations to the sdc-admin role, as in the other sdc-admin policies
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#\$save'
      - '#\$generate-link'
      - '#\$duplicate'
      - '#\$sdc-config'
      - '#\$process-response'
      - '#\$validate'
      - '#\$extract'
      - '#\$populate'
      - '#\$render'
      - '#\$submit'
      - '#\$usage'
      - '#\$assemble-all'
      - '#\$expand'
      - '#\$validate-response'
      - '#\$populatelink'
      - '#\$sdc-file'
      - '#\$generate-token'
      - '#\$assemble'
      - '#\$sdc-resource-types'
      - '#\$ai-generate-questionnaire'
      - '#\$openai-chat-completions'
  request-method:
    $one-of:
      - post
      - get
      - put
      - delete
      - patch
as-sdc-admin-use-terminology-operations policy
Searching for ValueSets and concepts
PUT /AccessPolicy/as-sdc-admin-use-terminology-operations
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-use-terminology-operations
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#/ValueSet$'
      - '#/ValueSet/\$expand$'
  request-method:
    $one-of:
      - get
      - post
Form Designer
This role gives access to
Patient and Encounter resources for populate purposes
Policies:
as-sdc-form-designer-forms-grid-rpc policy
grid with Questionnaires
PUT /AccessPolicy/as-sdc-form-designer-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-form-designer-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
  aidbox.sdc.grid/get-definition:
    user:
      roles:
        $contains:
          value: sdc-form-designer
  aidbox.sdc.patient/forms-grid:
    user:
      roles:
        $contains:
          value: sdc-form-designer
as-sdc-form-designer-read-config policy
Access to configuration
PUT /AccessPolicy/as-sdc-form-designer-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '/$sdc-config'
  request-method: post
as-sdc-form-designer-manage-questionnaire policy
All operations for managing and retrieving Questionnaires
PUT /AccessPolicy/as-sdc-form-designer-manage-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-manage-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/Questionnaire$'
      - '#/Questionnaire/.*$'
      - '#/Questionnaire/\$save'
      - '#/Questionnaire/.*/\$usage'
      - '#/Questionnaire/.*/\$duplicate'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
as-sdc-form-designer-search-response policy
Searching for QuestionnaireResponses
Used for checking Questionnaire usage
PUT /AccessPolicy/as-sdc-form-designer-search-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/QuestionnaireResponse$'
  request-method: get
as-sdc-form-designer-validate-questionnaire-and-response policy
Validate Questionnaire and QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-designer-validate-questionnaire-and-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-validate-questionnaire-and-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/Questionnaire/\$validate'
      - '#/QuestionnaireResponse/\$validate'
  request-method: post
as-sdc-form-designer-manage-themes policy
Retrieve and manage Questionnaire themes
PUT /AccessPolicy/as-sdc-form-designer-manage-themes
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-manage-themes
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/QuestionnaireTheme$'
      - '#/QuestionnaireTheme/.*'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
as-sdc-form-designer-search-patient-and-encounter-for-populate policy
Search for Patient and Encounter
Used for populate debug console
PUT /AccessPolicy/as-sdc-form-designer-search-patient-and-encounter-for-populate
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-patient-and-encounter-for-populate
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/Encounter$'
      - '#/Patient$'
  request-method: get
as-sdc-form-designer-populate-questionnaire policy
Test populate in debug console
PUT /AccessPolicy/as-sdc-form-designer-populate-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-populate-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/Questionnaire/\$populate$'
  request-method: post
as-sdc-form-designer-extract-questionnaire policy
Test extraction in Debug console
PUT /AccessPolicy/as-sdc-form-designer-extract-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-extract-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/QuestionnaireResponse/\$extract$'
  request-method: post
as-sdc-form-designer-search-valueset policy
Search for valuesets
PUT /AccessPolicy/as-sdc-form-designer-search-valueset
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-valueset
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/ValueSet$'
  request-method: get
as-sdc-form-designer-search-concepts policy
Search for concepts
Used for importing concepts
PUT /AccessPolicy/as-sdc-form-designer-search-concepts
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-concepts
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/ValueSet/\$expand$'
  request-method:
    $one-of:
      - get
      - post
as-sdc-form-designer-use-ai-tools policy
Generate Questionnaire from PDF
PUT /AccessPolicy/as-sdc-form-designer-use-ai-tools
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-use-ai-tools
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '/$ai-generate-questionnaire'
      - '/$openai-chat-completions'
  request-method: post
Form Filler
The Form Filler role can load a Questionnaire and QuestionnaireResponse, fill it in and submit it
as-sdc-form-filler-read-config policy
Read configuration
PUT /AccessPolicy/as-sdc-form-filler-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '/$sdc-config'
  request-method: post
as-sdc-form-filler-read-response policy
Read QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-filler-read-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/.*'
  request-method: get
as-sdc-form-filler-read-questionnaire policy
Read Questionnaire
PUT /AccessPolicy/as-sdc-form-filler-read-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/Questionnaire/$'
  request-method: get
as-sdc-form-filler-save-response policy
Save QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-filler-save-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-save-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/\$save'
  request-method: post
as-sdc-form-filler-submit-response policy
Submit QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-filler-submit-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-submit-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/\$submit'
  request-method: post
as-sdc-form-filler-search-concepts policy
Search for concepts
Used in choice items with attached valueset
PUT /AccessPolicy/as-sdc-form-filler-search-concepts
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-search-concepts
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/ValueSet/\$expand'
  request-method:
    $one-of:
      - post
      - get
Response Manager
Response manager role has access to
as-sdc-response-manager-forms-grid-rpc policy
Forms grid with
PUT /AccessPolicy/as-sdc-response-manager-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-response-manager-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
  aidbox.sdc.grid/get-definition:
    user:
      roles:
        $contains:
          value: sdc-response-manager
  aidbox.sdc.patient/forms-grid:
    user:
      roles:
        $contains:
          value: sdc-response-manager
  aidbox.sdc.patient/documents-workflows-grid:
    user:
      roles:
        $contains:
          value: sdc-response-manager
as-sdc-response-manager-search-config policy
Search for SDCConfigs
Used for choosing config in 'share' (populatelink) UI
PUT /AccessPolicy/as-sdc-response-manager-search-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/SDCConfig$'
  request-method: get
as-sdc-response-manager-read-config policy
Read configuration
PUT /AccessPolicy/as-sdc-response-manager-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '/$sdc-config'
  request-method: post
as-sdc-response-manager-search-and-read-theme policy
Search and read theme
Used for choosing theme in 'share' (populatelink) UI
as-sdc-response-manager-search-and-read-questionnaire policy
Search and read Questionnaires
PUT /AccessPolicy/as-sdc-response-manager-search-and-read-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/Questionnaire$'
      - '#/Questionnaire/.*$'
  request-method: get
as-sdc-response-manager-search-and-read-response policy
Search and read responses
PUT /AccessPolicy/as-sdc-response-manager-search-and-read-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/QuestionnaireResponse'
      - '#/QuestionnaireResponse/.*$'
  request-method: get
as-sdc-response-manager-search-patient-and-encounter policy
Search and read
Used for choosing patient and encounter in 'share' (populatelink) UI
PUT /AccessPolicy/as-sdc-response-manager-search-patient-and-encounter
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-patient-and-encounter
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/Encounter$'
      - '#/Patient$'
  request-method: get
as-sdc-response-manager-populate-questionnaire policy
Populate questionnaire (from 'share' UI)
PUT /AccessPolicy/as-sdc-response-manager-populate-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-populate-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/Questionnaire/.*/\$populatelink$'
  request-method: post
as-sdc-response-manager-generate-link policy
Generate access links for responses
PUT /AccessPolicy/as-sdc-response-manager-generate-link
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-generate-link
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/QuestionnaireResponse/.*/\$generate-link$'
  request-method: post
Test access policies
Examples of users with roles:
response manager + form filler
it's possible to mix roles together
SDC Admin
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: sdc-admin-user
password: password
roles:
  - value: sdc-admin
Form Designer
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-designer-user
password: password
roles:
  - value: sdc-form-designer
Form Filler
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-filler-user
password: password
roles:
  - value: sdc-form-filler
Response Manager
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: response-manager-user
password: password
roles:
  - value: sdc-response-manager
Mix roles (Form Filler + Response Manager)
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-user
password: password
roles:
  - value: sdc-response-manager
  - value: sdc-form-filler
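
An expected allow/deny matrix to compare against what the test users above actually get. This is an added example, not code from the Aidbox documentation: the matcher is a simplified model of matcho (assumed: `#` strings are unanchored regexes, other strings match exactly), the names `match`, `role`, `POLICIES` and `allowed_by` are hypothetical, and the `/fhir/...` request paths are constructed.

```python
import re

# Simplified model of matcho (assumption, not Aidbox code): '#' strings are
# unanchored regexes, other strings must be equal, $one-of needs any
# alternative to match, $contains needs any list element to match.
def match(pattern, value):
    if isinstance(pattern, dict):
        if "$one-of" in pattern:
            return any(match(p, value) for p in pattern["$one-of"])
        if "$contains" in pattern:
            return any(match(pattern["$contains"], v) for v in value or [])
        return isinstance(value, dict) and all(
            match(p, value.get(k)) for k, p in pattern.items())
    if isinstance(pattern, str) and pattern.startswith("#"):
        return isinstance(value, str) and re.search(pattern[1:], value) is not None
    return pattern == value

def role(name):
    """The user.roles condition every role policy on the page carries."""
    return {"roles": {"$contains": {"value": name}}}

# Three policies copied from the page, written as Python dicts.
POLICIES = {
    "as-sdc-form-filler-submit-response": {
        "user": role("sdc-form-filler"),
        "uri": r"#/QuestionnaireResponse/\$submit",
        "request-method": "post"},
    "as-sdc-form-filler-read-response": {
        "user": role("sdc-form-filler"),
        "uri": "#/QuestionnaireResponse/.*",
        "request-method": "get"},
    "as-sdc-response-manager-generate-link": {
        "user": role("sdc-response-manager"),
        "uri": r"#/QuestionnaireResponse/.*/\$generate-link$",
        "request-method": "post"},
}

def allowed_by(roles, method, uri):
    """Return the ids of the policies that would allow this request."""
    request = {"user": {"roles": [{"value": r} for r in roles]},
               "uri": uri, "request-method": method}
    return [pid for pid, p in POLICIES.items() if match(p, request)]
```

An empty list means no modelled policy allows the request, which is the expected result for a form filler asking for `$generate-link`; the mixed-role user `form-user` gets it through the response-manager policy.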