Authorisation model

Koppeltaal 2.0 has an authorisation model. This means that an application cannot simply see all data in a domain. What an application can view is determined by the authorisation model.

1. Authenticate

When an application joins a domain, it is assigned a client_id. This client_id is included in the access_token that is required to communicate with the Koppeltaal server. This way, the Koppeltaal server knows which application is performing a request and, therefore, which permissions apply.

2. Resource ownership

The Koppeltaal server automatically adds a resource-origin extension to every DomainResource that is created. This extension references a specific Device resource that has a one-to-one relation with the client_id. This way, the origin of a resource can always be found. This is an essential part of the authorisation model.

3. Role and permissions

Every application in a domain is assigned a single role. A role maps to multiple permissions. A permission has the following 3 properties:

Resource

A permission always applies to a single FHIR Domain Resource.

Action

A CRUD-level (create, read, update, delete) action.

Scope

The resource-owner scope. The following scopes are supported:

| Scope | Description |
| --- | --- |
| Own | The permission only applies to resources (selected resource type of the permission) whose resource-origin matches the authenticated application. |
| All | The permission applies to all resources (selected resource type of the permission) in the domain. |
| Granted | The permission applies to resources (selected resource type of the permission) whose resource-origin matches the selected application(s). |
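The three steps above combined into one default-deny decision, as an added example that is not Koppeltaal's own code. The client ids, Device references, role names and the `is_allowed` function are constructed for illustration, and evaluating a create as the caller's own resource is an assumption based on the server stamping the caller's Device as resource-origin.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    resource_type: str                # exactly one FHIR resource type, e.g. "Task"
    action: str                       # "create", "read", "update" or "delete"
    scope: str                        # "Own", "All" or "Granted"
    granted: frozenset = frozenset()  # Device references, used by "Granted" only

# Constructed sample domain: client_id -> (Device reference, single role).
CLIENTS = {
    "portal-client": ("Device/portal", "portal-role"),
    "module-client": ("Device/module", "module-role"),
}
# Constructed roles: each role maps to multiple permissions.
ROLES = {
    "portal-role": [
        Permission("Task", "create", "Own"),
        Permission("Task", "read", "All"),
        Permission("Task", "update", "Own"),
    ],
    "module-role": [
        Permission("Task", "read", "Granted", frozenset({"Device/portal"})),
        Permission("Task", "update", "Granted", frozenset({"Device/portal"})),
    ],
}

def is_allowed(client_id, action, resource_type, resource_origin=None):
    """Default-deny check. resource_origin is the Device reference stored
    in the resource-origin extension of the resource being accessed."""
    if client_id not in CLIENTS:
        return False                  # unknown client_id: no role, no permissions
    device, role = CLIENTS[client_id]
    if action == "create":
        # Assumption: a new resource has no origin yet; the server stamps the
        # caller's Device on it, so it is evaluated as the caller's own.
        resource_origin = device
    for p in ROLES.get(role, []):
        if (p.resource_type, p.action) != (resource_type, action):
            continue                  # permission is for another type or action
        if p.scope == "All":
            return True
        if p.scope == "Own" and resource_origin == device:
            return True
        if p.scope == "Granted" and resource_origin in p.granted:
            return True
    return False
```

Note that in this sketch a Granted permission does not include the caller's own resources unless the caller's Device is listed in it, and any request without a matching permission is denied.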

Topics

TOP-KT-005a - Roles and permissions for application instances (Rollen en rechten voor applicatie-instanties)
