Using fine-grained authorization with a SMART on FHIR enabled HealthLake data store
Scopes alone do not provide you with the
necessary specificity about what data a requester is authorized to access in a data store.
Using fine-grained authorization enables a higher level of specificity when granting access
to a SMART on FHIR enabled HealthLake data store. To use fine-grained authorization, set
FineGrainedAuthorizationEnabled equal to True in the
IdentityProviderConfiguration parameter of your CreateFHIRDatastore
request.
When fine-grained authorization is enabled, your authorization server returns a
fhirUser claim in the id_token issued along with the access token.
The client application can use this claim to retrieve information about the current user, and it
should treat the value of the fhirUser claim as the URI of the FHIR resource
representing that user. The resource can be a Patient, Practitioner,
or RelatedPerson. The authorization server's response also includes a
user/ scope that defines what data the user can access. The scope uses the
syntax defined for FHIR resource-specific scopes:
user/(fhir-resource | '*').('read' | 'write' | '*')
The following examples show how fine-grained authorization further restricts access to FHIR resources based on the relationships recorded in the data store.
- When fhirUser is a Practitioner, fine-grained authorization determines the collection of patients that the user can access. Access is allowed only for those patients whose Patient resource references the fhirUser as a general practitioner:
  Patient.generalPractitioner : [{Reference(Practitioner)}]
- When fhirUser is a Patient or RelatedPerson and the patient referenced in the request is different from the fhirUser, fine-grained authorization determines whether the fhirUser can access the requested patient. Access is allowed when the requested Patient resource records a relationship to the fhirUser:
  Patient.link.other : {Reference(Patient|RelatedPerson)}
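The following Python block is an added example that models the two relationship rules above together with the user/ scope syntax; it is not HealthLake's implementation and does not call the HealthLake API. It assumes the fhirUser claim is an absolute resource URI (for example https://fhir.example.org/Practitioner/gp-7), that references inside Patient resources may be stored in relative form (Practitioner/gp-7), and that a Patient user may read their own record, which the text implies by only describing the case where the requested patient differs from the fhirUser. The sample Patient resources and the base URL are constructed for the example.

```python
"""
Illustrative model of fine-grained authorization for a SMART on FHIR data store.
Added example, not HealthLake's own code: it parses SMART v1 ``user/`` scopes
and applies the Practitioner / Patient / RelatedPerson relationship rules to
FHIR resources held in memory.
"""
from __future__ import annotations

import re
from typing import Iterable

# SMART v1 resource-scope syntax: user/(fhir-resource | '*').('read' | 'write' | '*')
SCOPE_RE = re.compile(r"^user/(\*|[A-Z][A-Za-z]+)\.(read|write|\*)$")


def parse_user_scopes(scopes: Iterable[str]) -> list[tuple[str, str]]:
    """Return (resource, permission) pairs for each well-formed user/ scope; other scopes are ignored."""
    parsed = []
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if m:
            parsed.append((m.group(1), m.group(2)))
    return parsed


def scope_permits(scopes: Iterable[str], resource_type: str, action: str) -> bool:
    """True if any user/ scope grants `action` ('read' or 'write') on `resource_type`."""
    for res, perm in parse_user_scopes(scopes):
        if res in ("*", resource_type) and perm in ("*", action):
            return True
    return False


def _ref_matches(reference: dict, fhir_user: str) -> bool:
    """Compare a FHIR Reference (absolute or relative) against the fhirUser URI."""
    ref = reference.get("reference", "")
    return bool(ref) and (ref == fhir_user or fhir_user.endswith("/" + ref))


def user_resource_type(fhir_user: str) -> str:
    """The resource type is the second-to-last path segment of the fhirUser URI."""
    parts = fhir_user.rstrip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"fhirUser is not a resource URI: {fhir_user!r}")
    return parts[-2]


def patient_accessible(fhir_user: str, patient: dict) -> bool:
    """Apply the relationship rules to one requested Patient resource.

    Practitioner: allowed only when Patient.generalPractitioner references the fhirUser.
    Patient / RelatedPerson: allowed for the user's own Patient record (assumption),
    or when Patient.link.other references the fhirUser.
    """
    kind = user_resource_type(fhir_user)
    if kind == "Practitioner":
        return any(_ref_matches(gp, fhir_user) for gp in patient.get("generalPractitioner", []))
    if kind in ("Patient", "RelatedPerson"):
        own = {"reference": f"Patient/{patient.get('id', '')}"}
        if kind == "Patient" and _ref_matches(own, fhir_user):
            return True
        return any(_ref_matches(link.get("other", {}), fhir_user) for link in patient.get("link", []))
    return False  # any other fhirUser type gets no fine-grained access


def authorize(fhir_user: str, scopes: Iterable[str], action: str, patient: dict) -> bool:
    """Both gates must pass: the user/ scope grants the action on Patient, and the relationship exists."""
    return scope_permits(scopes, "Patient", action) and patient_accessible(fhir_user, patient)


# Constructed sample data (not from the original page).
BASE = "https://fhir.example.org"
PATIENT_123 = {
    "resourceType": "Patient",
    "id": "123",
    "generalPractitioner": [{"reference": "Practitioner/gp-7"}],
    "link": [{"other": {"reference": "RelatedPerson/rp-9"}, "type": "seealso"}],
}
PATIENT_456 = {
    "resourceType": "Patient",
    "id": "456",
    "generalPractitioner": [{"reference": "Practitioner/gp-8"}],
}

if __name__ == "__main__":
    gp = f"{BASE}/Practitioner/gp-7"
    print("gp-7 reads 123:", authorize(gp, ["user/Patient.read"], "read", PATIENT_123))
    print("gp-7 reads 456:", authorize(gp, ["user/Patient.read"], "read", PATIENT_456))
    print("rp-9 reads 123:", authorize(f"{BASE}/RelatedPerson/rp-9", ["user/*.read"], "read", PATIENT_123))
```

Note that the scope check and the relationship check are independent gates: a broad user/*.* scope never widens the set of patients a Practitioner can reach, and a matching generalPractitioner reference never grants an action the scope withholds.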