Koppeltaal 2.0 Dev Guide
  • Developer Guide
  • POC (Walking Skeleton)
    • Proof Of Concept
      • Koppeltaal Server
      • Domain Management
      • Auth Server
      • Koppeltaal IdP
      • Domain Access Test Suite
      • Koppeltaal Test Tooling
  • Domain access
    • Joining a domain
    • Role-based access control
      • Autorisation model
      • Creating a role
      • Search Narrowing
      • Revoke Permission
  • Technical HOW-TO
    • Koppeltaal Test Tooling
    • Request Koppeltaal server metadata
    • Connecting to Koppeltaal
      • Requirements
        • Create a key pair
        • Signing the JWT
        • JWKS setup
      • Access to Koppeltaal
    • Managing resources
      • Versioning
      • CRUD Operations
        • Retrieve all Resources
        • Retrieve specific Resource
        • Create a Resource
        • Update a Resource
        • Delete a Resource
      • Subscribing to changes
    • Launching
      • HTI Flow
      • SHOF Flow
      • Compose a launch
      • Initiating a launch
      • Receiving a HTI launch
        • Token introspection
      • Receiving a SHOF launch
    • Detailed technical guidance
  • Hackathon Use Cases
    • Requirements
      • Install and configure Yivi
    • Use-Cases
      • Use-Case 1: Create a Task
        • Create an ActivityDefinition
      • Use-Case 2: HTI Launch
      • Use-case 3: SHOF Launch
      • Use-case 4: Subscribing to changes
  • Useful Links
    • Simplifier Profiles
    • FHIR Docs
    • HTI documentation
    • GitHub
    • Koppeltaal 2.0 Specifications & Architecture
    • Koppeltaal 2.0 Implementation Guide
    • Koppeltaal 2.0 OpenAPI Specs
Powered by GitBook
On this page
  • 1. Authenticate
  • 2. Resource ownership
  • 3. Role and permissions
  • Resource
  • Action
  • Scope
  • Topics

Was this helpful?

  1. Domain access
  2. Role-based access control

Autorisation model

Koppeltaal 2.0 has an authorisation model. This means that an application cannot simply see all data in a domain. What can be viewed is determined with the authorisation model.

PreviousRole-based access controlNextCreating a role

Last updated 1 year ago

Was this helpful?

1. Authenticate

When an application has , the application will have been assigned a client_id. This client_id is included in the access_token that is required to communicate with the Koppeltaal server. This way, the Koppeltaal server knows which application is performing a request and therefore the associated permissions.

2. Resource ownership

The Koppeltaal server automatically adds a resource-origin extension to every DomainResource that is created. This extension references to a specific Device resource that has a 1-on-1 relation with the client_id. This way, the origin of a resource can always be found. This is an essential part of the authorisation model.

3. Role and permissions

Every application in a domain is assigned a single role. A role maps to multiple permissions. A permission has the following 3 properties:

Resource

A permission always applies to a single .

Action

A CRUD-level (create, read, update, delete) action.

Scope

The resource-owner scope. The following scopes are supported:

Scope
Description

Own

The permission only applies to resources (selected resource type of the permission) whose resource-origin matches the authenticated application.

All

The permission applies to all resources (selected resource type of the permission) in the domain.

Granted

The permission applies to resources (selected resource type of the permission) whose resource-origin matches the selected application(s).

Topics

joined a domain
FHIR Domain Resource
TOP-KT-005a - Rollen en rechten voor applicatie-instanties