HIEBus™ FHIR API
Interface Guide

Roles Permissions

The endpoint configuration Roles Permissions tab lets you configure permissions for each endpoint. Permissions are associated with user roles. A user receives the permissions for all of their roles plus, if specified, the Default permissions that apply to any role.

Permitted Operations

For each role, you can specify one or more resources for which to configure permissions. For each resource, you can specify possible system interactions: read, create, update, and delete.

A special ‘Default’ resource permission (corresponding to an empty resource type) applies to all resources that are not explicitly listed.

Required Parameters

You can also restrict searches by requiring certain search parameters. This helps to prevent overly broad searches.

For example: For a patient search, you may require part of a family name or patient identifier to prevent someone from generically searching for all patients named “John”.

For each required parameter, you have several additional options to configure:

Permitted Operations

You can control which search operations are permitted using that parameter.

For example: For patient family name, you may restrict the ‘contains’ search to prevent someone from doing a very vague search.

Minimum Search Length

For string-based parameters such as names, you can specify a minimum search length for that parameter.

For example: For a patient search, you may restrict the family name search to require a minimum of 5 characters, to prevent someone from simply finding all patients with names starting with “S”.

Complete Tokens

Finally, token search parameters (like identifiers and codes) can be restricted to accept only complete tokens. This means they can only be searched by complete identifiers, that is, identifiers with both a system (i.e., an identifier type) and a code (i.e., an identifier value). This forbids searches like ../Patient?identifier=1234, which look for identifiers of any type and can be very time consuming on some deployments.

Prohibit Chaining

When chaining is enabled, it’s possible to do a search on multiple resources at the same time. For example, searching for Observation?patient.family=Smith would search for all Observations belonging to someone with a family name of ‘Smith’.

You can disallow chaining for a given search parameter. In the example above, you could select “No chaining” for the ‘Patient’ parameter on the Observation resource.

Setting Up Permissions

To configure role permissions for an endpoint, select the ‘Roles Permissions’ tab on the FHIR configuration screen. Each endpoint can have different permissions.

Adding Roles

To add permissions for a new role:

  1. Click ‘Add Role’.
  2. Enter the role name.
Permissions - Add Role

You can configure multiple roles for a given endpoint, giving different permissions to each.

Adding Resources

To add a new resource to a role:

  1. Hover over the role name and click the “+”.
  2. Enter the resource type name, or leave blank for the settings to apply to the ‘Default’ resource.
  3. Select which operations (read, write, etc.) the role should be permitted for this resource.
Permissions - Add Resource
Permissions - Add Operations

You can add multiple resources to a role, allowing different permissions for each one.

Adding Search Restrictions

To add a new search restriction to a resource:

  1. Hover over the resource name and click the “+”.
  2. Enter a search parameter name.
  3. For string parameters, optionally enter a minimum search length.
  4. Select search restrictions.
Permissions - Add Search
Permissions - Search Restrictions

Combining Search Restrictions

If you add multiple search parameters using the “+” next to the resource name, the user may specify ANY of the listed search parameters.

Permissions - Allow Any Specified Parameter

If you add multiple search parameters within the search restriction box, the user must specify ALL of the listed search parameters.

Permissions - Require All Parameters

Sample Operation Configurations

The following screens show a variety of sample configurations.

All users can only read Patient resources:

Permissions - All Users Can Read Patients

All users can read all resources and do anything on Patient resources:

Permissions - All Users Can Read Everything
Permissions - All Users Can Read/Modify Patients

All users can read all resources, users with the Admin role can do anything (create, read, update, delete) on all resources:

Permissions - All Users Can Read Everything
Permissions - Admin Users Can Read/Modify Everything

Sample Search Configurations

Observation searches must specify the patient:

Search Parameters - Patient Required for Observation

Observation searches must specify the patient, and chaining is not allowed:

Search Parameters - Patient No Chaining

Patient searches must specify the family name (with at least 5 characters), an identifier (such as MRN or SSN), or the CareEvolution internal identifier (_id):

Search Parameters - Patient Family Identifier

Patient searches must specify the family name, but the ‘contains’ operator is not permitted:

Search Parameters - Patient Family No Contains

Patient searches must contain both family and birthdate (if only one is present, the search will be rejected):

Search Parameters - Patient Family And Birthdate

Patient search parameters will only accept complete identifiers:

Search Parameters - Patient Family Complete Identifiers
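
The search restrictions described under Required Parameters and Combining Search Restrictions can be modelled as a small request checker. This is an added example, not CareEvolution's code: the policy schema, the function names and the sample policy are hypothetical, and it assumes a search is accepted as soon as any one group of required parameters passes all of its own restrictions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed policy (hypothetical schema) modelled on the page's sample configurations.
# Outer list: ANY one group may satisfy the search. Inner dict: ALL of its parameters
# must be present and must pass their own restrictions.
POLICY = {
    "Patient": [
        {"family": {"min_length": 5, "deny_modifiers": {"contains"}}, "birthdate": {}},
        {"identifier": {"complete_token": True}},
        {"_id": {}},
    ],
    "Observation": [{"patient": {"no_chaining": True}}],
}

def _group_problem(group, supplied):
    """Return None if the request satisfies every rule in the group, else the reason."""
    for name, rule in group.items():
        uses = supplied.get(name)
        if not uses:
            return f"missing required parameter '{name}'"
        for modifier, chained, value in uses:
            if chained and rule.get("no_chaining"):
                return f"chaining not allowed on '{name}'"
            if modifier in rule.get("deny_modifiers", ()):
                return f"':{modifier}' not permitted on '{name}'"
            for part in value.split(","):  # FHIR uses ',' to OR several values
                if len(part) < rule.get("min_length", 0):
                    return f"'{name}' needs at least {rule['min_length']} characters"
                system, sep, code = part.partition("|")
                if rule.get("complete_token") and not (sep and system and code):
                    return f"'{name}' must be a complete system|code token"
    return None

def check_search(url, policy=POLICY):
    """Return (allowed, reason) for a FHIR search URL such as 'Patient?family=Smith'."""
    parts = urlsplit(url)
    resource = parts.path.rstrip("/").rsplit("/", 1)[-1]
    groups = policy.get(resource)
    if groups is None:
        return True, "no search restrictions configured"
    supplied = {}
    for raw_name, value in parse_qsl(parts.query, keep_blank_values=True):
        base, _, chain = raw_name.partition(".")  # 'patient.family' is a chained search
        name, _, modifier = base.partition(":")   # 'family:contains' carries a modifier
        supplied.setdefault(name, []).append((modifier, bool(chain), value))
    reasons = [_group_problem(g, supplied) for g in groups]
    if None in reasons:
        return True, "ok"
    return False, "; ".join(reasons)
```
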