Can we add parameterized access policy for an arbitrary reference that's not in Search Parameters? medplum #support

Can we add parameterized access policy for an arbi...

s_w_abc

02/16/2024, 6:26 PM

For example, I'd like to restrict certain Location to be accessed by one specific Practitioner, can I add a reference to the Practitioner in the extension field and set with a parameterized access policy? Thank you 🙏

s_w_abc

02/16/2024, 10:58 PM

ah there's no direct

extension

field in

Location

. what's the recommended way to add access policy so that only a certain

Practitioner

(not

PractitionerRole

) can access a certain

Location

? Do we need to implement that on our own API server by checking the reference chain?

s_w_abc

02/16/2024, 11:14 PM

can you do through adding a

tag

? and setting the criteria on

tag

in the parameterized access policy?

rahul1

02/18/2024, 12:17 AM

@s_w_abc you're right that we don't allow searches / access policy criteria over extensions. As noted here, we follow a subset of the FHIR search spec (https://www.medplum.com/docs/access/access-policies#criteria-based-access-control)

rahul1

02/18/2024, 12:17 AM

Tags could be an option, though we generally get nervous when starting to use tags as it is another "unstructured" data field that can quickly get unweildy

rahul1

02/18/2024, 12:19 AM

Do you mind describing the clinical use case you have in mind? There might be a cleaner way to approach the overall problem

s_w_abc

02/20/2024, 6:57 PM

Thanks for replying, @rahul1 ! happy to walk through our use case. We have multiple practitioners that restricted from accessing other practitioners' resources. e.g. one practitioner maintains a certain group of patients, and this practitioner is not allowed to see other patients' data. How do we add access policy to Location, Observation resources etc. that doesn't have direct reference to the practitioner?

s_w_abc

02/22/2024, 8:35 PM

Hi @rahul1 . following up on this thread to see if there's a way to achieve that?

rahul1

02/23/2024, 11:21 PM

Hi @s_w_abc , in general the right way to go would be to use parameterized access policies and use the patient compartment, as described in this example: https://www.medplum.com/docs/access/access-policies#patient-access

rahul1

02/23/2024, 11:22 PM

The specifics really depend on the topology of which Practitioners have access to which Patients. If it's a true any-to-any relationship, then I think using the

Caregiver Access

model would make sense: https://www.medplum.com/docs/access/access-policies#caregiver-access

rahul1

02/23/2024, 11:23 PM

If there's an organizational structure, the healthcare partnerhsips might make more sense: https://www.medplum.com/docs/access/access-policies#healthcare-partnerships

Previous Next