Access Control in Forms

Form's access control

Form's module access control can be set via aidbox ACL engine

SDC Roles Access

SDC module suggests several roles which can be used independently or in a mix.

For DEVELOPMENT and configuration simplicity - it's better to use role with full access.

  • sdc admin - full access

For PRODUCTION it's better to have separate roles, with more precise access patterns.

For example we can split users into 3 groups.

  • form designer - creates and manages forms

  • form filler - end user which filling the form

  • response manager - reviews responses + populates new forms

SDC Admin

Policies:

  • Forms Grid

  • CRUD on all SDC resources (Questionnaire/QuestionnaireResponse/QuestionnaireTheme/SDCConfig/SDCPrintTemplate)

  • CRUD on production resources (Patient/Encounter/Observation resources)

  • all SDC operations

  • terminology related endpoints

policy
policy description

as-sdc-admin-forms-grid-rpc

Forms Grid with forms and responses

as-sdc-admin-manage-sdc-resources

Create/Update/Delete resources used in SDC Module

as-sdc-admin-manage-production-resources

Create/Update/Delete SDC related resources (Patient/Encounter/Observation/Practitioner)

as-sdc-admin-use-sdc-operations

Use all SDC operations

as-sdc-admin-use-terminology-operations

Use terminology operations (Search concepts, Valuesets) )

as-sdc-admin-forms-grid-rpc policy

Access to:

  • Questionnaires grid

  • Responses grid

PUT /AccessPolicy/as-sdc-admin-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-admin-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
 aidbox.sdc.grid/get-definition:
   user:
     roles:
       $contains:
         value: sdc-admin 

 aidbox.sdc.patient/forms-grid:
   user:
     roles:
       $contains:
         value: sdc-admin

 aidbox.sdc.patient/documents-workflows-grid:
   user:
     roles:
       $contains:
         value: sdc-admin

as-sdc-admin-manage-sdc-resources policy

CRUD access to next resources:

  • Questionnaire

  • QuestionnaireResponse

  • QuestionnaireTheme

  • SDCPrintTemplate

  • SDCConfig

PUT /AccessPolicy/as-sdc-admin-manage-sdc-resources
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-manage-sdc-resources
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
   $one-of:
      - '#/Questionnaire/.*$'
      - '#/Questionnaire$'
      - '#/QuestionnaireResponse/.*$'
      - '#/QuestionnaireResponse$'
      - '#/QuestionnaireTheme/.*$'
      - '#/QuestionnaireTheme$'
      - '#/SDCPrintTemplate/.*$'
      - '#/SDCPrintTemplate$'
      - '#/SDCConfig/.*$'
      - '#/SDCConfig$'
  request-method: 
     $one-of:
       - get
       - post
       - put
       - delete
       - patch

as-sdc-admin-manage-production-fhir-resources policy

CRUD access to next FHIR resources:

  • Patient

  • Encouner

  • Observation

  • Organization

  • Practitioner

This is typical resources that often used in SDC Flow. But you are free to add your own.

PUT /AccessPolicy/as-sdc-admin-manage-production-fhir-resources
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-manage-production-fhir-resources
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
   $one-of:
      - '#/Patient/.*$'
      - '#/Patient$'
      - '#/Encounter/.*$'
      - '#/Encounter$'
      - '#/Observation/.*$'
      - '#/Observation$'
      - '#/Organization/.*$'
      - '#/Organization$'
      - '#/Practitioner/.*$'
      - '#/Practitioner$'
  request-method: 
     $one-of:
       - get
       - post
       - put
       - delete
       - patch

as-sdc-admin-use-sdc-operations policy

PUT /AccessPolicy/as-sdc-admin-use-sdc-operations
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-use-sdc-operations
resourceType: AccessPolicy
engine: matcho
matcho:
  uri:
    $one-of:
    - '#\$save'
    - '#\$generate-link'
    - '#\$duplicate'
    - '#\$sdc-config'
    - '#\$process-response'
    - '#\$validate'
    - '#\$extract'
    - '#\$populate'
    - '#\$render'
    - '#\$submit'
    - '#\$usage'
    - '#\$assemble-all'
    - '#\$expand'
    - '#\$validate-response'
    - '#\$populatelink'
    - '#\$sdc-file'
    - '#\$generate-token'
    - '#\$assemble'
    - '#\$sdc-resource-types'
    - '#\$ai-generate-questionnaire'
    - '#\$openai-chat-completions'
    - '#\$sdc-resource-types'
    - '#\$sdc-resource-schema'
  request-method:
     $one-of:
       - post
       - get
       - put
       - delete
       - patch

as-sdc-admin-use-terminology-operations policy

Searching for ValueSets and concepts

PUT /AccessPolicy/as-sdc-admin-use-terminology-operations
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-use-terminology-operations
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri: 
    $one-of:
      - '#/ValueSet$'
      - '#/ValueSet/\$expand$'
  request-method:
    $one-of:
      - get
      - post

Form Designer

This role give access for

  • Forms Grid

  • Form Builder

  • Patient's and Encouner resources for populate purposes

Policies:

policy
policy description

as-sdc-form-designer-forms-grid-rpc

use forms grid

as-sdc-form-designer-read-config

read SDCConfig

as-sdc-form-designer-manage-themes

manage themes

as-sdc-form-designer-manage-questionnaire

Create/Read/Update/Delete Questionnaire

as-sdc-form-designer-populate-questionnaire

validate Questionnaire + QuestionnaireResponse

as-sdc-form-designer-extract-questionnaire

populate Questionnaire (+ search patient & encounter)

as-sdc-form-designer-validate-questionnaire-and-response

extract QuestionnaireResponse

as-sdc-form-designer-search-valueset

search for valuesets

as-sdc-form-designer-search-concepts

search for concepts

as-sdc-form-designer-use-ai-tools

use AI tools

as-sdc-form-designer-get-fhir-metadata

Get FHIR metadata to support Template resource editor

as-sdc-form-designer-forms-grid-rpc policy

grid with Questionnaires

PUT /AccessPolicy/as-sdc-form-designer-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-form-designer-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
 aidbox.sdc.grid/get-definition:
   user:
     roles:
       $contains:
         value: sdc-form-designer 

 aidbox.sdc.patient/forms-grid:
   user:
     roles:
       $contains:
         value: sdc-form-designer

as-sdc-form-designer-read-config policy

Access to configuration

PUT /AccessPolicy/as-sdc-form-designer-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '/$sdc-config'
  request-method: post

as-sdc-form-designer-manage-questionnaire policy

All operations for manaings and retrieving Questionnaire

PUT /AccessPolicy/as-sdc-form-designer-manage-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-manage-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: 
    $one-of:
    - '#/Questionnaire$'
    - '#/Questionnaire/.*$'
    - '#/Questionnaire/\$save'
    - '#/Questionnaire/.*/\$usage'
    - '#/Questionnaire/.*/\$duplicate'
  request-method: 
    $one-of:
      - get
      - post
      - put
      - delete

as-sdc-form-designer-search-response policy

Searching for QuestionnaireResponses

Used for checking Questionnaire usage

PUT /AccessPolicy/as-sdc-form-designer-search-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/QuestionnaireResponse$'
  request-method: get

as-sdc-form-designer-validate-questionnaire-and-response policy

Validate Questionnaire and QuestionnaireResponse

PUT /AccessPolicy/as-sdc-form-designer-validate-questionnaire-and-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-validate-questionnaire-and-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: 
    $one-of:
      - '#/Questionnaire/\$validate'
      - '#/QuestionnaireResponse/\$validate'
  request-method: post

as-sdc-form-designer-manage-themes policy

Retrive and manage Questionnaire themes

PUT /AccessPolicy/as-sdc-form-designer-manage-themes
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-manage-themes
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: 
    $one-of: 
      - '#/QuestionnaireTheme$'
      - '#/QuestionnaireTheme/.*'
  request-method: 
    $one-of: 
      - get
      - post
      - put
      - delete

as-sdc-form-designer-search-patient-and-encounter-for-populate policy

Search for Patient and Encounter

Used for populate debug console

PUT /AccessPolicy/as-sdc-form-designer-search-patient-and-encounter-for-populate
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-patient-and-encounter-for-populate
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: 
    $one-of: 
      - '#/Encounter$'
      - '#/Patient$'
  request-method: get

as-sdc-form-designer-populate-questionnaire policy

Test populate in debug console

PUT /AccessPolicy/as-sdc-form-designer-populate-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-populate-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/Questionnaire/\$populate$'
  request-method: post

as-sdc-form-designer-extract-questionnaire policy

Test extraction in Debug console

PUT /AccessPolicy/as-sdc-form-designer-extract-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-extract-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/QuestionnaireResponse/\$extract$'
  request-method: post

as-sdc-form-designer-search-valueset policy

Search for valuesets

PUT /AccessPolicy/as-sdc-form-designer-search-valueset
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-valueset
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/ValueSet$'
  request-method: get

as-sdc-form-designer-search-concepts policy

Search for concepts

Used for importing concepts

PUT /AccessPolicy/as-sdc-form-designer-search-concepts
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-concepts
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/ValueSet/\$expand$'
  request-method: 
    $one-of:
      - get
      - post

as-sdc-form-designer-use-ai-tools policy

Generate Questionnaire from PDF

PUT /AccessPolicy/as-sdc-form-designer-use-ai-tools
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-use-ai-tools
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: 
    $one-of:
    - '/$ai-generate-questionnaire'
    - '/$openai-chat-completions'
  request-method: post

as-sdc-form-designer-get-fhir-metadata

Get FHIR metadata about Resources and their schemas

PUT /AccessPolicy/as-sdc-form-designer-get-fhir-metadata
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-get-fhir-metadata
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: 
    $one-of:
    - '#\$sdc-resource-types'
    - '#\$sdc-resource-schema'
  request-method: get

Form Filler

Form filler role can load Questionnaire and QuestionnaireResponse, fill and submit it

policy
policy description

as-sdc-form-filler-read-config

Read SDCConfig

as-sdc-form-filler-read-questionnaire

Read Questionnaire and use it for rendering

as-sdc-form-filler-read-response

Read saved resposne and render it

as-sdc-form-filler-save-response

Save changed response

as-sdc-form-filler-submit-response

Submit response

as-sdc-form-filler-search-concepts

Search terminology concepts

as-sdc-form-filler-read-config policy

Read configuration

PUT /AccessPolicy/as-sdc-form-filler-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '/$sdc-config'
  request-method: post

as-sdc-form-filler-read-response policy

Read QuestionnaireResponse

PUT /AccessPolicy/as-sdc-form-filler-read-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/.*'
  request-method: get

as-sdc-form-filler-read-questionnaire policy

Read Questionnaire

PUT /AccessPolicy/as-sdc-form-filler-read-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/Questionnaire/$'
  request-method: get

as-sdc-form-filler-save-response policy

Save QuestionnaireResponse

PUT /AccessPolicy/as-sdc-form-filler-save-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-save-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/\$save'
  request-method:  post

as-sdc-form-filler-submit-response policy

Submit QuestionnaireResponse

PUT /AccessPolicy/as-sdc-form-filler-submit-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-submit-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/\$submit'
  request-method:  post

as-sdc-form-filler-search-concepts policy

Search for concepts

Used in choice items with attached valueset

PUT /AccessPolicy/as-sdc-form-filler-search-concepts
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-search-concepts
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/ValueSet/\$expand'
  request-method: 
    $one-of:
       - post
       - get

Response Manager

Response manager role has access to

  • Forms grid

  • Responses grid

  • Read responses

  • Questionnaire population

  • shared link generation

policy
policy description

as-sdc-response-manager-forms-grid-rpc

Forms grid with forms and responses

as-sdc-response-manager-search-config

Search SDCConfigs before populate

as-sdc-response-manager-read-config

Read SDCConfig

as-sdc-response-manager-search-and-read-theme

Search and Read QuestionnaireTheme

as-sdc-response-manager-read-questionnaire

Read Quetionnaire for opening forms

as-sdc-response-manager-read-response

Read QuestionnaireResponse for looking into responses

as-sdc-response-manager-search-patient-and-encounter

Search for Encounters and Patients

as-sdc-response-manager-populate-questionnaire

Create new empty/prefilled responses

as-sdc-response-manager-generate-link

Create access link for response

as-sdc-response-manager-forms-grid-rpc policy

Forms grid with

  • Questionnaires

  • QuestionnaireResponses

PUT /AccessPolicy/as-sdc-response-manager-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-response-manager-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
 aidbox.sdc.grid/get-definition:
   user:
     roles:
       $contains:
         value: sdc-response-manager 
         
 aidbox.sdc.patient/forms-grid:
   user:
     roles:
       $contains:
         value: sdc-response-manager

 aidbox.sdc.patient/documents-workflows-grid:
   user:
     roles:
       $contains:
         value: sdc-response-manager

as-sdc-response-manager-search-config policy

Searh for SDCConfigs

Used for choosing config in 'share' (populatelink) UI

PUT /AccessPolicy/as-sdc-response-manager-search-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/SDCConfig$'
  request-method: get

as-sdc-response-manager-read-config policy

Read configuration

PUT /AccessPolicy/as-sdc-response-manager-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '/$sdc-config'
  request-method: post

as-sdc-response-manager-search-and-read-theme policy

Search and read theme

Used for choosing theme in 'share' (populatelink) UI

PUT /AccessPolicy/as-sdc-response-manager-search-and-read-theme
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-theme
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: 
    $one-of: 
      - '#/QuestionnaireTheme$'
      - '#/QuestionnaireTheme/.*'
  request-method: get

as-sdc-response-manager-search-and-read-questionnaire policy

Search and read Questionnaires

PUT /AccessPolicy/as-sdc-response-manager-search-and-read-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: 
    $one-of:
    - '#/Questionnaire$' 
    - '#/Questionnaire/.*$'
  request-method: get

as-sdc-response-manager-search-and-read-response policy

Search and read responses

PUT /AccessPolicy/as-sdc-response-manager-search-and-read-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: 
    $one-of:
    - '#/QuestionnaireResponse' 
    - '#/QuestionnaireResponse/.*$'
  request-method: get

as-sdc-response-manager-search-patient-and-encounter policy

Search and read

  • Patient

  • Encounter

Used for choosing patient and encounter in 'share' (populatelink) UI

PUT /AccessPolicy/as-sdc-response-manager-search-patient-and-encounter
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-patient-and-encounter
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: 
    $one-of:
    - '#/Encounter$' 
    - '#/Patient$'
  request-method: get

as-sdc-response-manager-populate-questionnaire policy

Populate questionnaire (from 'share' UI)

PUT /AccessPolicy/as-sdc-response-manager-populate-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-populate-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/Questionnaire/.*/\$populatelink$'
  request-method: post

as-sdc-response-manager-generate-link policy

Generate access links for responses

PUT /AccessPolicy/as-sdc-response-manager-generate-link
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-generate-link
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/QuestionnaireResponse/.*/\$generate-link$'
  request-method: post

Test access policies

Examples of users with roles:

  • sdc admin

  • form designer

  • form filler

  • response manager

  • response manager + form filler

it's possible to mix roles together

SDC Admin

POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: sdc-admin-user
password: password
roles: 
  - value: sdc-admin

Form Designer

POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-designer-user
password: password
roles: 
  - value: sdc-form-designer

Form Filler

POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-filler-user
password: password
roles: 
  - value: sdc-form-filler

Response Manager

POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: response-manager-user
password: password
roles: 
  - value: sdc-response-manager

Mix roles (Form Filler + Response Manager)

POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-user
password: password
roles: 
  - value: sdc-response-manager
  - value: sdc-form-filler

Last updated

Was this helpful?