Replies: 4 comments 1 reply
-
Thanks @rahul1 for putting this together! Overall, I think the broad strokes make a lot of sense. With regards to the questions about multiple inheritance... My preference would be to keep it as simple as possible unless we see hard limitations. I was thinking about how we could potentially minimize the migration cost, and here's a slightly tweaked proposal:
So for example: Primary Caretaker Policy - read/write access to the patient and select resources {
"resourceType": "AccessPolicy",
"name": "Primary Caretaker Policy",
"resource": [
{
"resourceType": "Patient",
"compartment": "%patient",
},
// ...
]
} Guest Caretaker Policy - read-only access to the patient and select resources {
"resourceType": "AccessPolicy",
"name": "Guest Caretaker Policy",
"resource": [
{
"resourceType": "Patient",
"readonly": true,
"compartment": "%patient",
},
// ...
]
} ProjectMembership could introduce combination of the above: {
"resourceType": "ProjectMembership",
"access": [
{
"policy": { "reference": "AccessPolicy/abc", "display": "Primary Caretaker Policy" },
"paramer": [
{ "name": "patient", "valueReference": { "reference": "Patient/123" },
]
},
{
"policy": { "reference": "AccessPolicy/def", "display": "Guest Caretaker Policy" },
"paramer": [
{ "name": "patient", "valueReference": { "reference": "Patient/456" },
]
}
]
} This would simplify the number of resources and setup process. |
Beta Was this translation helpful? Give feedback.
-
Wanted to follow up on this, @rahul1 - did we get the feedback we needed on this? |
Beta Was this translation helpful? Give feedback.
-
Just to sanity check, I'm going to run through all the examples listed above to see how we would implement them Example 1: PediatricsAccess Policies (caretaker)
Project Membership
Example 2a: Many-to-ManyAccess policy (physician)
Project Membership
Example 2b: Care TeamThis is the trickiest one. The FHIR community explicitly decided that compartments based on indirect messages are not allowed. So I think we'd have to use bots to add/remove access policies when a practitioner enrollsl / unenrolls from a care team. @codyebberson this probably requires some new endpoints to get/set APs on ProjectMemberships. After that we can use the same model as in 2a. Example 2c: Cross organizational ModelAccess policyPatient
Physician
Project MembershipPatient
Physician
Example 3: Asynchronous EncounterSee the example data model here: https://www.medplum.com/docs/communications/async-encounters The main challenge is representing the encounter for the For the primary caregiver, we could use the special Access PolicyPrimary Caregiver
Guest Caregiver
ProjectMembershipPrimary Caregiver
Guest Caregiver
|
Beta Was this translation helpful? Give feedback.
-
Completed in #1520 |
Beta Was this translation helpful? Give feedback.
-
The Problem
We've encountered a few access policy scenarios that don't fit neatly into our
meta.account
framework for defining access compartments. The two settings where this comes up are:In both these cases the access model resembles a bi-partite graph structure, and breaks the key assumption of
meta.account
- that a user will only be part of a single compartment at a time.Example 1: Pediatrics
The first example is pediatrics where one parent has access to multiple childrens' compartments, but others parents only have access to one child's compartment. This can happen, for instance, in families with divorced parents. In this case, parents are logging into Medplum, but the children are not
In this case, there is no clear way to draw organize the resources with a Group resource, and we can't use the Patient id as the
meta.account
value, since Parent 1 needs access to both children.Another nuance is that different parents might have different access levels. One of our customers has a 2-tier system. "Primary users" can read and write data to Patient records. "Secondary" users only have read access. They
might also have access to fewer resource types than the primary user.
The other nuance this customer would like to support is account promotion. In this case, when an parent's account is "promoted" to a primary account, it should maintain read-only access to its previous child, but have read/write access to a new child that they enroll.
Example 2: Virtual Clinic
A similar model occurs in the "virtual clinic" setting, where providers might only have access to a subset of patients "assigned" to them. In this setting, there often aren't different tiers of access, but there are different organizational groupings.
CareTeam
assigned to them. Physicians are added and removed to theCareTeam
as needed, and everyone in the CareTeamExample 2a
Example 2b
Example 2c
Proposal
@codyebberson and I had a discussion offline about revisiting the conversation about access policy inheritance. The high level picture is that you would define an Access Policy "template", that would specify the access rules for a patient's compartment. This template could then be instantiated for each (patient, user) pair.
We could potentially create a new resourceType,
AccessPolicyDefinition
, to represent the template.And the corresponding access policy could perform some kind of variable replacement like this (@codyebberson - please sanity check me on this)
Open Questions
AccessPolicy
be able to instantiate multipleAccessPolicyDefinitions
(as show above), or should we create multipleAccessPolicy
resources, one for each (patient, user) pair. Keeping 1 AP per user seems easier to manage, but 1 AP per pair seems like it would be a more incremental change.ProjectMembership
is created? Or is this a client responsibility? Or both?AccessPolicyDefinitions
be able to inherit from otherAccessPolicyDefinitions
to created deeper hierarchies?Beta Was this translation helpful? Give feedback.
All reactions