Extended FHIR server user role config #366
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* FHIR server roles (CREATE, READ, UPDATE, DELETE, SEARCH, HISTORY, PERMANENT_DELETE, WEBSOCKET) can now be specified for specific FHIR resources. For example `- CREATE: [Organization, OrganizationAffiliation, Endpoint]` other examples see test setup docker-compose files. * Roles SEARCH, HISTORY and WEBSOCKET require users to have the READ role as well, if the User has no READ role for a specific resource, SEARCH, HISTORY and WEBSOCKET operations will filter out the resource type. * Removed identity parameter from ReferenceResolver methods. Implementation no longer uses identity filters when searching for resources in DB, user may not have role to search or read referenced resource but reference should be checked anyways. For example: Update role for QuestionnaireResponse but no search or read for Organization. * Some code cleanup.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
...fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/authorization/AbstractAuthorizationRule.java
Dismissed
Show dismissed
Hide dismissed
...f-fhir-server/src/main/java/dev/dsf/fhir/authorization/AbstractMetaTagAuthorizationRule.java
Fixed
Show fixed
Hide fixed
Member
|
Can we extend this to include profiles for different resources? This would allow access to be granted to specific users only for selected processes. An extension for specific FHIRPath expressions that evaluate certain values within those paths could even more improve the options for user access management. For example identifiers that start with a certain prefix. |
Member
Author
schwzr
requested changes
Oct 13, 2025
dsf-fhir/dsf-fhir-server/src/main/java/dev/dsf/fhir/authentication/FhirServerRoleImpl.java
Outdated
Show resolved
Hide resolved
schwzr
approved these changes
Oct 15, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- CREATE: [Organization, OrganizationAffiliation, Endpoint]other examples see test setup docker-compose files.closes #365