Configuring Authorization Interceptor?


al...@tyde.com

Feb 7, 2017, 6:15:49 PM2/7/17
to HAPI FHIR
Hi all

I am trying to configure the Authorization Interceptor for use in HAPI and have encountered an interesting problem to solve. Currently it is very easy to add an Authorization interceptor that checks for any resources that belong to a particular Patient by using `inCompartment("Patient", patientId)`. The question is, how do we authorize read/write actions on resources that do not belong to any compartment, such as ExplanationOfBenefit, but still have a patient reference in them?

Cheers

A

James Agnew

Feb 7, 2017, 7:23:51 PM2/7/17
to Alvin Leonard, HAPI FHIR
Hi Alvin,

I guess the bottom line is that the AuthorizationInterceptor doesn't support this today, but it sounds like a very useful thing to support.

When we originally wrote the AuthInterceptor, I kind of envisioned we'd add the types of rules initially that we needed and see what else people thought might be useful. Sounds like you've got one such idea. :)

Feel free to file a bug, and if you're interested in trying to add support for this please feel free to reach out to bounce ideas.

Cheers,
James

--
You received this message because you are subscribed to the Google Groups "HAPI FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hapi-fhir+unsubscribe@googlegroups.com.
To post to this group, send email to hapi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/hapi-fhir/249a6286-0472-49b5-8732-a5666d3aa06a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

al...@tyde.com

Feb 7, 2017, 10:39:56 PM2/7/17
to HAPI FHIR, al...@tyde.com
Hi James

Cool. Will raise a ticket on GitHub. I was thinking whether `.allow().read().resourcesOfType(ExplanationOfBenefit.class).withParameterValue("patient", patientId)` would solve the problem. This way it would be a generic rule that restricts the user of the API against a particular parameter, i.e. `patient`.

Ta
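The rule shape this thread is asking for, as an added Java example that is not HAPI's own code and not part of the original thread: the patient-compartment rules that the first message says already work, the over-broad `withAnyId()` shortcut that a practitioner must not reach for, and a hand-written `IAuthRule` that checks `ExplanationOfBenefit.patient` inside the rule chain, since James confirms no built-in rule covers it. `EobPatientRule`, the `"patientId"` user-data key, the DSTU3 model classes, and the six-argument `IAuthRule.applyRule` signature are assumptions about the HAPI version in use; check them against the release you run.

```java
import java.util.ArrayList;
import java.util.List;

import org.hl7.fhir.dstu3.model.ExplanationOfBenefit;
import org.hl7.fhir.dstu3.model.IdType;
import org.hl7.fhir.instance.model.api.IBaseResource;
import org.hl7.fhir.instance.model.api.IIdType;

import ca.uhn.fhir.rest.api.RestOperationTypeEnum;
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.interceptor.auth.AuthorizationInterceptor;
import ca.uhn.fhir.rest.server.interceptor.auth.IAuthRule;
import ca.uhn.fhir.rest.server.interceptor.auth.IRuleApplier;
import ca.uhn.fhir.rest.server.interceptor.auth.PolicyEnum;
import ca.uhn.fhir.rest.server.interceptor.auth.RuleBuilder;

/**
 * Per-patient authorization: compartment rules for everything that lives in the
 * Patient compartment, plus a custom rule for ExplanationOfBenefit, which is not
 * in the compartment but carries a patient reference.
 */
public class PatientScopedAuthorizationInterceptor extends AuthorizationInterceptor {

    @Override
    public List<IAuthRule> buildRuleList(RequestDetails theRequestDetails) {
        // Assumption: an earlier interceptor validated the bearer token and stored
        // the caller's patient id under this user-data key.
        String patientIdPart = (String) theRequestDetails.getUserData().get("patientId");
        if (patientIdPart == null) {
            // No authenticated patient, no access.
            return new RuleBuilder().denyAll().build();
        }
        IdType patientId = new IdType("Patient", patientIdPart);

        List<IAuthRule> rules = new ArrayList<>(new RuleBuilder()
            .allow().metadata().andThen()
            // What the thread says works today: compartment membership.
            .allow().read().allResources().inCompartment("Patient", patientId).andThen()
            .allow().write().allResources().inCompartment("Patient", patientId).andThen()
            // Do NOT "fix" EOB like this: it grants every patient's EOBs to this caller.
            // .allow().read().resourcesOfType(ExplanationOfBenefit.class).withAnyId().andThen()
            .build());

        // Custom rule for the non-compartment type, evaluated before the final deny.
        rules.add(new EobPatientRule(patientId));
        rules.addAll(new RuleBuilder().denyAll().build());
        return rules;
    }

    /** Allows an EOB only when its patient reference points at the caller's patient. */
    static final class EobPatientRule implements IAuthRule {
        private final IIdType patientId;

        EobPatientRule(IIdType patientId) {
            this.patientId = patientId;
        }

        @Override
        public String getName() {
            return "eob-patient-match";
        }

        // Assumed HAPI 3.x signature; later releases add parameters. Returning null
        // means "abstain", so the rules after this one (here, denyAll) decide.
        @Override
        public AuthorizationInterceptor.Verdict applyRule(RestOperationTypeEnum theOperation,
                RequestDetails theRequestDetails, IBaseResource theInputResource,
                IIdType theInputResourceId, IBaseResource theOutputResource,
                IRuleApplier theRuleApplier) {
            // On writes the candidate is the request body; on reads and searches it
            // is each resource about to be returned.
            IBaseResource candidate = theInputResource != null ? theInputResource : theOutputResource;
            if (!(candidate instanceof ExplanationOfBenefit)) {
                return null;
            }
            ExplanationOfBenefit eob = (ExplanationOfBenefit) candidate;
            if (!eob.hasPatient()) {
                // An EOB with no patient cannot be attributed to anyone: deny explicitly.
                return new AuthorizationInterceptor.Verdict(PolicyEnum.DENY, this);
            }
            IIdType ref = eob.getPatient().getReferenceElement();
            boolean sameType = "Patient".equals(ref.getResourceType());
            boolean sameId = patientId.getIdPart().equals(ref.getIdPart());
            PolicyEnum decision = sameType && sameId ? PolicyEnum.ALLOW : PolicyEnum.DENY;
            return new AuthorizationInterceptor.Verdict(decision, this);
        }
    }
}
```

Two things to verify against a running server before trusting this: that a search such as `GET /ExplanationOfBenefit?patient=Patient/<someone-else>` issued by one patient's token is rejected rather than returning the other patient's EOBs (the rule decides on every resource in the response, so this must fail closed), and that the `denyAll()` rule really is the last entry, since any rule appended after it is never consulted.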
