How to enable resource-specific authorization? #4658
I have a client that I want to give access to the API that can ONLY write to Task and DocumentReference resources - they should receive a forbidden when trying to access any other resource types. I see that inside of the roles.json we can specify various roles and assign them to our user's SCPs, however the one thing I don't see is resource-type-specific role checks. What SCPs would I need to give my user to enable only write access for Task and DocumentReference for my user? Will I need to change the roles.json? Any documentation on this would be helpful! The only documentation I was able to find on this topic was:
I have bits and clues on how this could work, but I am searching for some more implementation-specific advice as the current documentation seems vague to me.
@Kayla-Garaycochea-WellSky - there are two options to consider
You can modify the capability statement builder to adjust access. This will allow you to remove write access for all the listed resource types. Keep in mind that this change will affect all users accessing the service.
If you need to provide access to specific users, consider using SMART on FHIR. We do not offer write access with the SMART on FHIR user role today. You can find more information in the documentation: https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/smart-on-fhir.
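As an added illustration (not fhir-server code and not part of this thread), the following Python evaluates SMART on FHIR v1 resource scopes such as `user/Task.write` against incoming requests, showing how the per-resource-type restriction asked for above is expressed as scopes rather than in roles.json. The scope list, interaction names and status codes are constructed assumptions for the example.

```python
"""Evaluate SMART on FHIR v1 resource scopes against FHIR requests (added example)."""
from dataclasses import dataclass

# FHIR interactions grouped by the SMART v1 permission they require.
WRITE_INTERACTIONS = {"create", "update", "patch", "delete"}
READ_INTERACTIONS = {"read", "vread", "search", "history"}


@dataclass(frozen=True)
class Scope:
    context: str     # "user", "patient" or "system"
    resource: str    # FHIR resource type, or "*" for all types
    permission: str  # "read", "write" or "*"


def parse_scope(raw: str) -> Scope:
    """Parse a SMART v1 scope string, e.g. 'user/Task.write'."""
    context, rest = raw.split("/", 1)
    resource, permission = rest.rsplit(".", 1)
    if context not in {"user", "patient", "system"} or permission not in {"read", "write", "*"}:
        raise ValueError(f"unsupported scope: {raw}")
    return Scope(context, resource, permission)


def is_allowed(granted: list[str], resource_type: str, interaction: str) -> bool:
    """True if any granted scope covers this interaction on this resource type."""
    if interaction in WRITE_INTERACTIONS:
        needed = "write"
    elif interaction in READ_INTERACTIONS:
        needed = "read"
    else:
        return False  # unknown interaction: deny by default
    for scope in map(parse_scope, granted):
        if scope.resource in ("*", resource_type) and scope.permission in ("*", needed):
            return True
    return False


def http_status(granted: list[str], resource_type: str, interaction: str) -> int:
    """200 when a scope covers the request, otherwise 403 Forbidden."""
    return 200 if is_allowed(granted, resource_type, interaction) else 403


# Constructed scopes for a client limited to writing Task and DocumentReference.
CLIENT_SCOPES = ["user/Task.write", "user/DocumentReference.write"]

if __name__ == "__main__":
    for rt, act in [("Task", "create"), ("DocumentReference", "update"),
                    ("Task", "read"), ("Patient", "create")]:
        print(f"{act:6} {rt:18} -> {http_status(CLIENT_SCOPES, rt, act)}")
```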