Access Control in Forms
Form's access control
Access control for the Forms module is configured through the Aidbox ACL engine.
SDC Roles Access
The SDC module suggests several roles, which can be used independently or combined.
For development, and to keep configuration simple, it is better to use a single role with full access:
sdc admin - full access
For production, it is better to have separate roles with more precise access patterns.
For example, users can be split into 3 groups:
form designer - creates and manages forms
form filler - end user who fills in the form
response manager - reviews responses + populates new forms
SDC Admin
Policies:
Forms Grid
CRUD on all SDC resources (Questionnaire/QuestionnaireResponse/QuestionnaireTheme/SDCConfig/SDCPrintTemplate)
CRUD on production resources (Patient/Encounter/Observation resources)
all SDC operations
terminology related endpoints
as-sdc-admin-forms-grid-rpc
Forms Grid with forms and responses
as-sdc-admin-manage-sdc-resources
Create/Update/Delete resources used in SDC Module
as-sdc-admin-manage-production-resources
Create/Update/Delete SDC related resources (Patient/Encounter/Observation/Practitioner)
as-sdc-admin-use-sdc-operations
Use all SDC operations
as-sdc-admin-use-terminology-operations
Use terminology operations (search concepts, ValueSets)
as-sdc-admin-forms-grid-rpc policy
Access to:
Questionnaires grid
Responses grid
PUT /AccessPolicy/as-sdc-admin-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-admin-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
  aidbox.sdc.grid/get-definition:
    user:
      roles:
        $contains:
          value: sdc-admin
  aidbox.sdc.patient/forms-grid:
    user:
      roles:
        $contains:
          value: sdc-admin
  aidbox.sdc.patient/documents-workflows-grid:
    user:
      roles:
        $contains:
          value: sdc-admin
as-sdc-admin-manage-sdc-resources policy
CRUD access to the following resources:
Questionnaire
QuestionnaireResponse
QuestionnaireTheme
SDCPrintTemplate
SDCConfig
PUT /AccessPolicy/as-sdc-admin-manage-sdc-resources
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-manage-sdc-resources
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#/Questionnaire/.*$'
      - '#/Questionnaire$'
      - '#/QuestionnaireResponse/.*$'
      - '#/QuestionnaireResponse$'
      - '#/QuestionnaireTheme/.*$'
      - '#/QuestionnaireTheme$'
      - '#/SDCPrintTemplate/.*$'
      - '#/SDCPrintTemplate$'
      - '#/SDCConfig/.*$'
      - '#/SDCConfig$'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
      - patch
as-sdc-admin-manage-production-fhir-resources policy
CRUD access to the following FHIR resources:
Patient
Encounter
Observation
Organization
Practitioner
These are typical resources that are often used in an SDC flow, but you are free to add your own.
PUT /AccessPolicy/as-sdc-admin-manage-production-fhir-resources
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-manage-production-fhir-resources
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#/Patient/.*$'
      - '#/Patient$'
      - '#/Encounter/.*$'
      - '#/Encounter$'
      - '#/Observation/.*$'
      - '#/Observation$'
      - '#/Organization/.*$'
      - '#/Organization$'
      - '#/Practitioner/.*$'
      - '#/Practitioner$'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
      - patch
as-sdc-admin-use-sdc-operations policy
PUT /AccessPolicy/as-sdc-admin-use-sdc-operations
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-use-sdc-operations
resourceType: AccessPolicy
engine: matcho
matcho:
  # only users with the sdc-admin role
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#\$save'
      - '#\$generate-link'
      - '#\$duplicate'
      - '#\$sdc-config'
      - '#\$process-response'
      - '#\$validate'
      - '#\$extract'
      - '#\$populate'
      - '#\$render'
      - '#\$submit'
      - '#\$usage'
      - '#\$assemble-all'
      - '#\$expand'
      - '#\$validate-response'
      - '#\$populatelink'
      - '#\$sdc-file'
      - '#\$generate-token'
      - '#\$assemble'
      - '#\$sdc-resource-types'
      - '#\$ai-generate-questionnaire'
      - '#\$openai-chat-completions'
      - '#\$sdc-resource-schema'
  request-method:
    $one-of:
      - post
      - get
      - put
      - delete
      - patch
as-sdc-admin-use-terminology-operations policy
Searching for ValueSets and concepts
PUT /AccessPolicy/as-sdc-admin-use-terminology-operations
content-type: text/yaml
accept: text/yaml

id: as-sdc-admin-use-terminology-operations
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-admin
  uri:
    $one-of:
      - '#/ValueSet$'
      - '#/ValueSet/\$expand$'
  request-method:
    $one-of:
      - get
      - post
Form Designer
This role gives access to:
Forms Grid
Form Builder
Patient and Encounter resources for populate purposes
Policies:
as-sdc-form-designer-forms-grid-rpc
use forms grid
as-sdc-form-designer-read-config
read SDCConfig
as-sdc-form-designer-manage-themes
manage themes
as-sdc-form-designer-manage-questionnaire
Create/Read/Update/Delete Questionnaire
as-sdc-form-designer-populate-questionnaire
populate Questionnaire (+ search patient & encounter)
as-sdc-form-designer-extract-questionnaire
extract QuestionnaireResponse
as-sdc-form-designer-validate-questionnaire-and-response
validate Questionnaire + QuestionnaireResponse
as-sdc-form-designer-search-valueset
search for valuesets
as-sdc-form-designer-search-concepts
search for concepts
as-sdc-form-designer-use-ai-tools
use AI tools
as-sdc-form-designer-get-fhir-metadata
Get FHIR metadata to support Template resource editor
as-sdc-form-designer-forms-grid-rpc policy
grid with Questionnaires
PUT /AccessPolicy/as-sdc-form-designer-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-form-designer-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
  aidbox.sdc.grid/get-definition:
    user:
      roles:
        $contains:
          value: sdc-form-designer
  aidbox.sdc.patient/forms-grid:
    user:
      roles:
        $contains:
          value: sdc-form-designer
as-sdc-form-designer-read-config policy
Access to configuration
PUT /AccessPolicy/as-sdc-form-designer-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '/$sdc-config'
  request-method: post
as-sdc-form-designer-manage-questionnaire policy
All operations for managing and retrieving Questionnaires
PUT /AccessPolicy/as-sdc-form-designer-manage-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-manage-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/Questionnaire$'
      - '#/Questionnaire/.*$'
      - '#/Questionnaire/\$save'
      - '#/Questionnaire/.*/\$usage'
      - '#/Questionnaire/.*/\$duplicate'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
as-sdc-form-designer-search-response policy
Searching for QuestionnaireResponses
Used for checking Questionnaire usage
PUT /AccessPolicy/as-sdc-form-designer-search-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/QuestionnaireResponse$'
  request-method: get
as-sdc-form-designer-validate-questionnaire-and-response policy
Validate Questionnaire and QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-designer-validate-questionnaire-and-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-validate-questionnaire-and-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/Questionnaire/\$validate'
      - '#/QuestionnaireResponse/\$validate'
  request-method: post
as-sdc-form-designer-manage-themes policy
Retrieve and manage Questionnaire themes
PUT /AccessPolicy/as-sdc-form-designer-manage-themes
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-manage-themes
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/QuestionnaireTheme$'
      - '#/QuestionnaireTheme/.*'
  request-method:
    $one-of:
      - get
      - post
      - put
      - delete
as-sdc-form-designer-search-patient-and-encounter-for-populate policy
Search for Patient and Encounter
Used for populate debug console
PUT /AccessPolicy/as-sdc-form-designer-search-patient-and-encounter-for-populate
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-patient-and-encounter-for-populate
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#/Encounter$'
      - '#/Patient$'
  request-method: get
as-sdc-form-designer-populate-questionnaire policy
Test populate in debug console
PUT /AccessPolicy/as-sdc-form-designer-populate-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-populate-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/Questionnaire/\$populate$'
  request-method: post
as-sdc-form-designer-extract-questionnaire policy
Test extraction in Debug console
PUT /AccessPolicy/as-sdc-form-designer-extract-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-extract-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/QuestionnaireResponse/\$extract$'
  request-method: post
as-sdc-form-designer-search-valueset policy
Search for valuesets
PUT /AccessPolicy/as-sdc-form-designer-search-valueset
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-valueset
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/ValueSet$'
  request-method: get
as-sdc-form-designer-search-concepts policy
Search for concepts
Used for importing concepts
PUT /AccessPolicy/as-sdc-form-designer-search-concepts
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-search-concepts
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri: '#/ValueSet/\$expand$'
  request-method:
    $one-of:
      - get
      - post
as-sdc-form-designer-use-ai-tools policy
Generate Questionnaire from PDF
PUT /AccessPolicy/as-sdc-form-designer-use-ai-tools
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-use-ai-tools
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '/$ai-generate-questionnaire'
      - '/$openai-chat-completions'
  request-method: post
as-sdc-form-designer-get-fhir-metadata
Get FHIR metadata about Resources and their schemas
PUT /AccessPolicy/as-sdc-form-designer-get-fhir-metadata
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-designer-get-fhir-metadata
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-designer
  uri:
    $one-of:
      - '#\$sdc-resource-types'
      - '#\$sdc-resource-schema'
  request-method: get
Form Filler
The form filler role can load a Questionnaire and QuestionnaireResponse, fill it in, and submit it.
as-sdc-form-filler-read-config
Read SDCConfig
as-sdc-form-filler-read-questionnaire
Read Questionnaire and use it for rendering
as-sdc-form-filler-read-response
Read saved response and render it
as-sdc-form-filler-save-response
Save changed response
as-sdc-form-filler-submit-response
Submit response
as-sdc-form-filler-search-concepts
Search terminology concepts
as-sdc-form-filler-read-config policy
Read configuration
PUT /AccessPolicy/as-sdc-form-filler-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '/$sdc-config'
  request-method: post
as-sdc-form-filler-read-response policy
Read QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-filler-read-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/.*'
  request-method: get
as-sdc-form-filler-read-questionnaire policy
Read Questionnaire
PUT /AccessPolicy/as-sdc-form-filler-read-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-read-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  # matches /Questionnaire/<id>
  uri: '#/Questionnaire/.*$'
  request-method: get
as-sdc-form-filler-save-response policy
Save QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-filler-save-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-save-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/\$save'
  request-method: post
as-sdc-form-filler-submit-response policy
Submit QuestionnaireResponse
PUT /AccessPolicy/as-sdc-form-filler-submit-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-submit-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/QuestionnaireResponse/\$submit'
  request-method: post
as-sdc-form-filler-search-concepts policy
Search for concepts
Used in choice items with attached valueset
PUT /AccessPolicy/as-sdc-form-filler-search-concepts
content-type: text/yaml
accept: text/yaml

id: as-sdc-form-filler-search-concepts
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-form-filler
  uri: '#/ValueSet/\$expand'
  request-method:
    $one-of:
      - post
      - get
Response Manager
The response manager role has access to:
Forms grid
Responses grid
Read responses
Questionnaire population
shared link generation
as-sdc-response-manager-forms-grid-rpc
Forms grid with forms and responses
as-sdc-response-manager-search-config
Search SDCConfigs before populate
as-sdc-response-manager-read-config
Read SDCConfig
as-sdc-response-manager-search-and-read-theme
Search and Read QuestionnaireTheme
as-sdc-response-manager-read-questionnaire
Read Questionnaire for opening forms
as-sdc-response-manager-read-response
Read QuestionnaireResponse for looking into responses
as-sdc-response-manager-search-patient-and-encounter
Search for Encounters and Patients
as-sdc-response-manager-populate-questionnaire
Create new empty/prefilled responses
as-sdc-response-manager-generate-link
Create access link for response
as-sdc-response-manager-forms-grid-rpc policy
Forms grid with
Questionnaires
QuestionnaireResponses
PUT /AccessPolicy/as-sdc-response-manager-forms-grid-rpc
content-type: text/yaml
accept: text/yaml

resourceType: AccessPolicy
id: as-sdc-response-manager-forms-grid-rpc
type: rpc
engine: matcho-rpc
rpc:
  aidbox.sdc.grid/get-definition:
    user:
      roles:
        $contains:
          value: sdc-response-manager
  aidbox.sdc.patient/forms-grid:
    user:
      roles:
        $contains:
          value: sdc-response-manager
  aidbox.sdc.patient/documents-workflows-grid:
    user:
      roles:
        $contains:
          value: sdc-response-manager
as-sdc-response-manager-search-config policy
Search for SDCConfigs
Used for choosing config in 'share' (populatelink) UI
PUT /AccessPolicy/as-sdc-response-manager-search-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/SDCConfig$'
  request-method: get
as-sdc-response-manager-read-config policy
Read configuration
PUT /AccessPolicy/as-sdc-response-manager-read-config
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-read-config
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '/$sdc-config'
  request-method: post
as-sdc-response-manager-search-and-read-theme policy
Search and read theme
Used for choosing theme in 'share' (populatelink) UI
PUT /AccessPolicy/as-sdc-response-manager-search-and-read-theme
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-theme
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/QuestionnaireTheme$'
      - '#/QuestionnaireTheme/.*'
  request-method: get
as-sdc-response-manager-search-and-read-questionnaire policy
Search and read Questionnaires
PUT /AccessPolicy/as-sdc-response-manager-search-and-read-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/Questionnaire$'
      - '#/Questionnaire/.*$'
  request-method: get
as-sdc-response-manager-search-and-read-response policy
Search and read responses
PUT /AccessPolicy/as-sdc-response-manager-search-and-read-response
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-and-read-response
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/QuestionnaireResponse$'
      - '#/QuestionnaireResponse/.*$'
  request-method: get
as-sdc-response-manager-search-patient-and-encounter policy
Search and read
Patient
Encounter
Used for choosing patient and encounter in 'share' (populatelink) UI
PUT /AccessPolicy/as-sdc-response-manager-search-patient-and-encounter
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-search-patient-and-encounter
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri:
    $one-of:
      - '#/Encounter$'
      - '#/Patient$'
  request-method: get
as-sdc-response-manager-populate-questionnaire policy
Populate questionnaire (from 'share' UI)
PUT /AccessPolicy/as-sdc-response-manager-populate-questionnaire
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-populate-questionnaire
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/Questionnaire/.*/\$populatelink$'
  request-method: post
as-sdc-response-manager-generate-link policy
Generate access links for responses
PUT /AccessPolicy/as-sdc-response-manager-generate-link
content-type: text/yaml
accept: text/yaml

id: as-sdc-response-manager-generate-link
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      $contains:
        value: sdc-response-manager
  uri: '#/QuestionnaireResponse/.*/\$generate-link$'
  request-method: post
Test access policies
Examples of users with roles:
sdc admin
form designer
form filler
response manager
response manager + form filler
it's possible to mix roles together
SDC Admin
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: sdc-admin-user
password: password
roles:
  - value: sdc-admin
Form Designer
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-designer-user
password: password
roles:
  - value: sdc-form-designer
Form Filler
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-filler-user
password: password
roles:
  - value: sdc-form-filler
Response Manager
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: response-manager-user
password: password
roles:
  - value: sdc-response-manager
Mix roles (Form Filler + Response Manager)
POST /User
content-type: text/yaml
accept: text/yaml

resourceType: User
id: form-user
password: password
roles:
  - value: sdc-response-manager
  - value: sdc-form-filler
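
Before loading policies into a server, it helps to check offline which of them admit a given request. The following is an added example, not Aidbox code and not part of the original page: a simplified Python model of matcho matching that assumes '#' strings are unanchored regular expressions and that keys absent from a pattern are not checked. The constructed-no-user-matcher policy and the /fhir/... URIs are constructed for illustration; the other two policies are copied from this page.

```python
import re

def matcho(pattern, subject):
    """Simplified model of matcho: maps match key by key, '#...' strings are regexes."""
    if isinstance(pattern, dict):
        if "$one-of" in pattern:      # subject must match at least one alternative
            return any(matcho(p, subject) for p in pattern["$one-of"])
        if "$contains" in pattern:    # some element of the collection must match
            return isinstance(subject, list) and any(
                matcho(pattern["$contains"], item) for item in subject)
        # Only keys named in the pattern are checked; anything else is unconstrained.
        return isinstance(subject, dict) and all(
            matcho(p, subject.get(k)) for k, p in pattern.items())
    if isinstance(pattern, str) and pattern.startswith("#"):
        # Assumption: unanchored search, so '^' and '$' must be written explicitly.
        return isinstance(subject, str) and re.search(pattern[1:], subject) is not None
    return pattern == subject

def role(name):
    """The user.roles matcher used by the policies on this page."""
    return {"user": {"roles": {"$contains": {"value": name}}}}

POLICIES = [
    {"id": "as-sdc-form-filler-save-response", "matcho": {
        **role("sdc-form-filler"),
        "uri": r"#/QuestionnaireResponse/\$save",
        "request-method": "post"}},
    {"id": "as-sdc-form-designer-manage-questionnaire", "matcho": {
        **role("sdc-form-designer"),
        "uri": {"$one-of": [r"#/Questionnaire$", r"#/Questionnaire/.*$",
                            r"#/Questionnaire/\$save",
                            r"#/Questionnaire/.*/\$usage",
                            r"#/Questionnaire/.*/\$duplicate"]},
        "request-method": {"$one-of": ["get", "post", "put", "delete"]}}},
    # Constructed: no user matcher and an unanchored operation pattern.
    {"id": "constructed-no-user-matcher", "matcho": {
        "uri": {"$one-of": [r"#\$save"]},
        "request-method": {"$one-of": ["post", "get"]}}},
]

def request(method, uri, *roles):
    """Build a constructed request; with no roles the request carries no user."""
    req = {"request-method": method, "uri": uri}
    if roles:
        req["user"] = {"roles": [{"value": r} for r in roles]}
    return req

def allowed(req, policies=POLICIES):
    """Ids of the policies that admit the request; an empty list means denied."""
    return [p["id"] for p in policies if matcho(p["matcho"], req)]

if __name__ == "__main__":
    for req in [request("post", "/fhir/QuestionnaireResponse/$save", "sdc-form-filler"),
                request("delete", "/fhir/Questionnaire/q1", "sdc-form-filler"),
                request("delete", "/fhir/Questionnaire/q1", "sdc-form-designer"),
                request("post", "/fhir/QuestionnaireResponse/$save")]:  # no user
        print(req["request-method"], req["uri"], "->", allowed(req) or "denied")
```

The last request carries no user at all and is still admitted by the constructed policy, which is why each role policy on this page pairs its uri pattern with a user.roles matcher.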