add permission import attribute, example, constraint, and narrative..

HL7 · Dec 20, 2024 · 58df95d · 58df95d
1 parent 20f5307
commit 58df95d
Show file tree

Hide file tree

Showing 5 changed files with 147 additions and 0 deletions.
diff --git a/source/permission/list-Permission-examples.xml b/source/permission/list-Permission-examples.xml
@@ -40,4 +40,29 @@
       <display value="VhDir permision example"/>
     </item>
   </entry>
+  <entry>
+    <extension url="http://hl7.org/fhir/build/StructureDefinition/description">
+      <valueString value="Example of a Base Permisison Imported in another Permission"/>
+    </extension>
+    <extension url="http://hl7.org/fhir/build/StructureDefinition/title">
+      <valueString value="permission-example-base"/>
+    </extension>
+    <item>
+      <reference value="Permission/example-base"/>
+      <display value="A base permision example."/>
+    </item>
+  </entry>
+  <entry>
+    <extension url="http://hl7.org/fhir/build/StructureDefinition/description">
+      <valueString value="Example of a Composite Permisison that Imports Another Permission"/>
+    </extension>
+    <extension url="http://hl7.org/fhir/build/StructureDefinition/title">
+      <valueString value="permission-example-composite"/>
+    </extension>
+    <item>
+      <reference value="Permission/example-composite"/>
+      <display value="A composite permision example that imports another permission as one of the rules."/>
+    </item>
+  </entry>
+
 </List>
diff --git a/source/permission/permission-example-base.xml b/source/permission/permission-example-base.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Permission xmlns="http://hl7.org/fhir" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://hl7.org/fhir ../../schema/[name].xsd">
+  <id value="example-base" />
+  <status value="active" />
+
+  <asserter>
+    <reference value="Organization/f203" />
+  </asserter>
+  <date value="2018-12-24" />
+  <combining value="deny-overrides"/>
+  <rule>
+    <type value="deny" />
+    <data>
+      <security>
+          <system value="http://terminology.hl7.org/CodeSystem/v3-ActCode"/>
+          <code value="SUD"/>
+      </security>
+    </data>
+    <activity>
+      <action>
+        <coding>
+          <system value="http://terminology.hl7.org/CodeSystem/consentaction" />
+          <code value="access" />
+        </coding>
+      </action>
+    </activity>
+  </rule>
+</Permission>
diff --git a/source/permission/permission-example-composite.xml b/source/permission/permission-example-composite.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Permission xmlns="http://hl7.org/fhir" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://hl7.org/fhir ../../schema/[name].xsd">
+  <id value="example-composite" />
+  <status value="active" />
+  <asserter>
+    <reference value="Organization/f203" />
+  </asserter>
+  <date value="2018-12-24" />
+  <combining value="permit-overrides"/>
+  <rule>
+    <import>
+      <reference value="Permission/example-base" />
+    </import>
+  </rule>
+  <rule>
+    <type value="permit" />
+    <data>
+      <security>
+          <system value="http://terminology.hl7.org/CodeSystem/v3-ActCode"/>
+          <code value="SUD"/>
+      </security>
+    </data>
+    <activity>
+      <actor>
+        <reference value="Organization/f203" />
+      </actor>
+      <action>
+        <coding>
+          <system value="http://terminology.hl7.org/CodeSystem/consentaction" />
+          <code value="access" />
+        </coding>
+      </action>
+      <purpose>
+        <coding>
+          <system value="http://terminology.hl7.org/CodeSystem/v3-ActReason" />
+          <code value="TREAT" />
+        </coding>
+      </purpose>
+    </activity>
+  </rule>
+</Permission>
diff --git a/source/permission/permission-notes.xml b/source/permission/permission-notes.xml
@@ -2,6 +2,33 @@
 
 <!-- insert xhtml content here -->
 <a name="Logic"> </a>
+<h3>Composite Permissions</h3>
+<p>
+In some cases, there are common components across different <code>Permission</code> rules and repeating those common rules could lead 
+to redundancy which in turn could lead to the risk on inconsistency, if the common components are not formulated precisely in the same manner. 
+Therefore, it is desirable to have a mechanism to define a common set of rules and refer to them in a single <code>Permission</code> resources.
+The <code>import</code> attribute enables pointing to such common rules by referencing the <code>Permission</code> resource.
+</p>
+<p>
+If the <code>import</code> attribute is used in rule, the <code>rule</code> element shall not contain any other elements. 
+The result of evluating a rule with an <code>import</code> is defined to be the result of evaluating the referenced <code>Permission</code> resource.
+The decision from that evaluation will then be combined with the decision from the other rues based on the combining algorithm 
+specified in the <code>combining</code> element.
+</p>
+<p>
+If the referenced <code>Permission</code> is not active or expired, this should be interpreted as returning a <code>not-applicable</code> decision 
+because the referenced permission is silent about whether access should be permitted or denied in the given context.
+</p>
+<p>
+A circular reference in processing linked Permissions should be treated as an error, leading to a <code>not-applicable</code> 
+decision bubbling up from the <code>Permission</code> resource in which the circular reference was encountered.
+</p>
+
+<p>
+Implementers shoud rely on pragmatic limits on the length of the chain of linked <code>Permission</code> and put in place
+reasonable guardrails against (maliciously or erroneously) large chains that could lead to draining of resources at the time of processing.
+</p>
+
 <h3>Rules Processing Logic</h3>
 <!-- These rules are repeated on the comment element within the StructureDefinition -->
 <p>

diff --git a/source/permission/structuredefinition-Permission.xml b/source/permission/structuredefinition-Permission.xml
@@ -70,6 +70,13 @@
       <definition value="Permission resource holds access rules for a given data and context."/>
       <min value="0"/>
       <max value="*"/>
+      <constraint>
+        <key value="per-1"/>
+        <severity value="error"/>
+        <human value="rules with import should not have any other attributes"/>
+        <expression value="rule.all($this.import.exists() xor ($this.type.exists() or $this.data.exists() or $this.activity.exists() or $this.limit.exists()))"/>
+        <source value="http://hl7.org/fhir/StructureDefinition/Permission"/>
+      </constraint>
       <mapping>
         <identity value="w5"/>
         <map value="infrastructure.information"/>
@@ -256,18 +263,34 @@
       <comment value="Each `.rule` is evaulated within the combining rule identified in the `.combining` element."/>
       <min value="0"/>
       <max value="*"/>
+      <condition value="per-1" />
       <type>
         <code value="BackboneElement"/>
       </type>
       <orderMeaning value="The order of the rules processing is defined in rule combining selected in .combining element."/>
       <isSummary value="true"/>
     </element>
+    <element id="Permission.rule.import">
+      <path value="Permission.rule.import"/>
+      <short value="Reference to a Permission"/>
+      <definition value="This rule is expressed in another Permission resource."/>
+      <min value="0"/>
+      <max value="1"/>
+      <condition value="per-1" />
+      <type>
+        <code value="Reference"/>
+        <targetProfile value="http://hl7.org/fhir/StructureDefinition/Permission"/>
+      </type>
+      <isModifier value="false"/>
+      <isSummary value="true"/>
+    </element>
     <element id="Permission.rule.type">
       <path value="Permission.rule.type"/>
       <short value="deny | permit"/>
       <definition value="deny | permit."/>
       <min value="0"/>
       <max value="1"/>
+      <condition value="per-1" />
       <type>
         <code value="code"/>
       </type>
@@ -299,6 +322,7 @@
       Within the `.data` element, all elements and all repetitions of elements, are in an AND relationship. Thus to select data that has both `STD` and `HIV` one puts both into one `.rule`. To have different rules for `STD` from `HIV`, one would need to have two `.rule` elements. To have a rule that applies to both, those that have just `STD` and just `HIV`, this repitition may also be done at the data level as described above."/>
       <min value="0"/>
       <max value="*"/>
+      <condition value="per-1" />
       <type>
         <code value="BackboneElement"/>
       </type>
@@ -411,6 +435,7 @@
       Within the `.activity` element, all elements and all repetitions of elements, are in an AND relationship. Thus to control an actity that is covering purpose of both `TREAT` and `HOPERAT`, one rule with an `.activity` `.purpose` holding both `TREAT` and `HOPERAT` can define that rule. However this will not cover activities covering only `TREAT`, for that repeat at the `.activity` with just a `.purpose` of `TREAT`."/>
       <min value="0"/>
       <max value="*"/>
+      <condition value="per-1" />
       <type>
         <code value="BackboneElement"/>
       </type>
@@ -493,6 +518,7 @@
       <comment value="Within a `.rule` all repititions of the `.limit` all apply to the rule. That is to say if there are multiple limits, and the rule permits the activity, then all the identified limits are applied to that authorized activity."/>
       <min value="0"/>
       <max value="*"/>
+      <condition value="per-1" />
       <type>
         <code value="CodeableConcept"/>
       </type>