access policy _compartment support within graphql ...
# support
a
Hi medplum team, we've been using a hybrid approach with both REST and GraphQL queries across our application. As we attempted to roll out new `CarePlan` resources with sub-referenced goals, we discovered that our access policy logic was not supported correctly, as it was using Medplum's standard REST queries. When using our standard criteria-based access control with one of the [advanced-search-parameters](https://www.medplum.com/docs/search/advanced-search-parameters), specifically `_compartment`, the access policy is applied, as expected, on the top level resource within a GraphQL query, but when attempting to include a referenced resource, the Access Policy logic fails. Testing other advanced-search-parameters within a criteria-based access control, it appears that some (i.e. `_lastUpdated` and `_id`) are supported in this scenario, whereas others are not. As we've relied heavily on compartment-based access policies, any differential support for this within your GraphQL implementation is certainly not ideal. Any workaround or proposed solution would be much appreciated! For added context, here's an example snippet from the AccessPolicy:
```json
{
  "resourceType": "Goal",
  "criteria": "Goal?_compartment=Organization/%organization"
},
```
When querying a `CarePlan` using an `_include` for the Goal resources referenced within it (via REST), the `_compartment` based policy is applied correctly. However, when attempting the same query via GraphQL (using `resource ... on Goal ...` etc.), the same Goals are not found. Changing the AccessPolicy for `Goal` (without changing the GraphQL query) to use `_id` instead of `_compartment` within the criteria seems to work, as expected. Our assumption is that `_compartment` is one of the advanced-search-parameters (including `_filter`) that are not supported in this scenario.
r
We hear you on parity across access policies, GraphQL and the REST API. At a high level, there are performance considerations for these types of request patterns. If you wouldn't mind filing an issue with the access policy and GraphQL query in question, we can look into the impact. File issues here: https://github.com/medplum/medplum/issues
a
Will do, thanks @reshma 🙌