Access policy issue
# support
t
Hi. I'm trying to define a parameterized access policy to give a practitioner access only to some users. My access policy looks like this:

    "resourceType": "AccessPolicy",
    "name": "Parameterized Patient Access Policy ",
    "resource": [
      {
        "resourceType": "Patient",
        "criteria": "Patient?_id=%user_id"
      }
    ]

I've also modified the project membership:

    "access": [
      {
        "policy": {
          "reference": "AccessPolicy/d777cbc1-5994-42da-a2f4-09f5e763497f"
        },
        "parameter": [
          {
            "name": "user_id",
            "valueReference": {
              "reference": "3e58c06e-c2da-447c-a6b7-f42014b339f3"
            }
          }
        ]
      }
    ]

However, with that practitioner I can list other patients and resources. Is there something wrong with my access policy? Am I missing any other steps?
r
Hi @tinho_14, thank you for your patience. So I see a couple issues in the format here:

- When using valueReference.reference, it needs to contain the resource type to be a valid reference.
    [
      {
        "name": "user_id",
        "valueReference": {
          "reference": "Patient/3e58c06e-c2da-447c-a6b7-f42014b339f3"
        }
      }
    ]
- Rather than using _id, it might be more scalable to use the _compartment search parameter. That way you can access other resources scoped to the patient, like Encounters and Observations. This example is illustrative: https://www.medplum.com/docs/access/access-policies#patient-access
t
thanks @rahul1
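A pre-deployment check for the reference-format issue raised in the reply above, run against the membership entry as asked and as corrected. This is an added example, not part of the thread and not Medplum code; `lint_access`, `access_entry`, and the rule that every `%variable` in a criteria must be bound by a same-named parameter are assumptions made for illustration.

```python
import re

# FHIR relative reference: "ResourceType/id"; a FHIR id is 1-64 chars of [A-Za-z0-9-.]
REF_RE = re.compile(r"^[A-Z][A-Za-z]+/[A-Za-z0-9\-.]{1,64}$")
# %variable placeholders inside an AccessPolicy criteria string
VAR_RE = re.compile(r"%([A-Za-z_]\w*)")

def lint_access(policy, access_entry):
    """Return findings for one ProjectMembership.access entry (hypothetical helper)."""
    findings = []
    params = {p.get("name"): p for p in access_entry.get("parameter", [])}
    # Check 1: every valueReference must carry the resource type.
    for name, param in params.items():
        ref = param.get("valueReference", {}).get("reference")
        if ref is not None and not REF_RE.match(ref):
            findings.append(f"parameter {name!r}: reference {ref!r} has no resource type")
    # Check 2 (assumption): every %variable in a criteria needs a parameter of that name.
    for rule in policy.get("resource", []):
        for var in VAR_RE.findall(rule.get("criteria", "")):
            if var not in params:
                findings.append(f"criteria {rule['criteria']!r}: %{var} has no parameter")
    return findings

POLICY_ID = "AccessPolicy/d777cbc1-5994-42da-a2f4-09f5e763497f"
POLICY = {
    "resourceType": "AccessPolicy",
    "resource": [{"resourceType": "Patient", "criteria": "Patient?_id=%user_id"}],
}

def access_entry(reference):
    """Build the access entry from the thread with the given reference string."""
    return {
        "policy": {"reference": POLICY_ID},
        "parameter": [{"name": "user_id", "valueReference": {"reference": reference}}],
    }

AS_ASKED = access_entry("3e58c06e-c2da-447c-a6b7-f42014b339f3")
AS_FIXED = access_entry("Patient/3e58c06e-c2da-447c-a6b7-f42014b339f3")
NO_PARAMS = {"policy": {"reference": POLICY_ID}}  # constructed case: variable left unbound

if __name__ == "__main__":
    for label, entry in [("asked", AS_ASKED), ("fixed", AS_FIXED), ("none", NO_PARAMS)]:
        print(label, lint_access(POLICY, entry) or "ok")
```

A finding here only means the membership entry is malformed; confirming what the practitioner can actually read still requires testing with that practitioner's login.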