Restrict operations on resource type

This article shows how to create an access policy with restricted set of operations on Patient resource

Create a patient
POST /Patient
​
id: pt-1
resourceType: Patient
name:
  - given:
      - John
Create an access policy
Create an access policy which allows only [Fhir]Read operation on Patient.
POST /AccessPolicy
​
engine: matcho
matcho:
  operation:
    id:
      $enum: [Read, FhirRead]
  params:
    resource/type: Patient
Try it
Create
We won't be able to create new patient because we're not allowed to use [Fhir]Create operation
Request
Response
POST /Patient
​
id: pt-2
resourceType: Patient
name:
  - given:
      - Jane
resourceType: OperationOutcome
id: forbidden
text:
  status: generated
  div: Forbidden
issue:
- severity: fatal
  code: forbidden
  diagnostics: Forbidden
Read
[Fhir]Read operation works as expected and you are able to read previously created patient
Request
Response
GET /Patient/pt-1
name:
- given: [John]
id: pt-1
resourceType: Patient
What's going on here
When you make a query
GET /{resource-type}/{resource-id}
Aidbox router stores data in the request object:
Reference to the Read operation in the operation property.
Resource type Patient from the url to the params.recource/type property.
Access policy engine evaluates request object. And here it checks that operation.id property contains either Read or FhirRead string.
You can inspect request object using __debug query parameter.

Allow patients to see their own data

Configure multi-tenancy

Last modified 8d ago