How to restrict operations on resource type
This article demonstrates how to create an access policy with restricted set of operations on Patient resource
Create a patient
Create an access policy
Create an access policy which allows only [Fhir]Read
operation on Patient.
Try it
Create
We won't be able to create new patient because we're not allowed to use [Fhir]Create
operation
Read
[Fhir]Read
operation works as expected and you are able to read previously created patient
What's going on here
When you make a query
Aidbox router stores data in the request object:
Reference to the
Read
operation in theoperation
property.Resource type
Patient
from the url to theparams.recource/type
property.
Access policy engine evaluates request object. And here it checks that operation.id
property contains either Read
or FhirRead
string.
You can inspect request object using __debug
query parameter.
Last updated