Restrict operations on resource type
This article shows how to create an access policy with restricted set of operations on Patient resource
POST /Patient
id: pt-1
resourceType: Patient
name:
- given:
- John
Create an access policy which allows only
[Fhir]Read
operation on Patient.POST /AccessPolicy
engine: matcho
matcho:
operation:
id:
$enum: [Read, FhirRead]
params:
resource/type: Patient
We won't be able to create new patient because we're not allowed to use
[Fhir]Create
operationRequest
Response
POST /Patient
id: pt-2
resourceType: Patient
name:
- given:
- Jane
resourceType: OperationOutcome
id: forbidden
text:
status: generated
div: Forbidden
issue:
- severity: fatal
code: forbidden
diagnostics: Forbidden
[Fhir]Read
operation works as expected and you are able to read previously created patientRequest
Response
GET /Patient/pt-1
name:
- given: [John]
id: pt-1
resourceType: Patient
When you make a query
GET /{resource-type}/{resource-id}
Aidbox router stores data in the request object:
- Reference to the
Read
operation in theoperation
property. - Resource type
Patient
from the url to theparams.recource/type
property.
Access policy engine evaluates request object. And here it checks that
operation.id
property contains either Read
or FhirRead
string.Last modified 8d ago