Manage communities

Communities are a way of managing and granting access to collections of FHIR resources, either for read or write access.

Community privileges and FHIR security labels are cumulative with the underlying API-level security. That is, a user must first have READ or WRITE permission at the system/API level before community read or write privileges have any effect. For example, granting community write access to a user who only has read access to the FHIR API will not enable them to write to the community’s resources.

Each community has a base FHIR security label associated with it, which is an arbitrary string of characters created when the community is created. FHIR resources can have this base label plus “.read” or “.write” added to them to grant read or write level access to that FHIR resource to members of that community.

Each community also has 3 groups automatically created in the authorisation server. Adding and removing users to/from these groups grants and revokes community privileges.

  • owner – members of the community owner group can add and remove users to/from the community groups
  • author – members of the community author group are granted read and write privileges to resources labelled with the community’s “.read” and “.write” labels respectively
  • consumer – members of the consumer group are granted read only privileges to resources labelled with the community’s “.read” label

For example, given the following community:

  Community name             Label
  National data dictionary   NDD

A FHIR resource can have the labels “NDD.read” and “NDD.write” added to them.

Resources with the NDD.read label will be readable by users in the National data dictionary consumer and author groups.

Resources with the NDD.write label will be modifiable by users in the National data dictionary author group.

Resources can be labelled with more than one label. In this case a user must have a community privilege matching at least one of the security labels to be granted the permission associated with that label. For example, a resource labelled with NDD.read and XXX.read will be readable by a user who is an author or consumer in either the NDD or the XXX community (they don’t need both). This can be used to control authorship of a collection of resources by a group of users by adding their community read and write labels, while extending read access to other communities by adding only the read labels for those communities.
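The following is an added worked example of the access decision described above, written for this page and not the product’s own code. It assumes community group membership is represented as strings of the form "<label>/<role>" (e.g. "NDD/author"); the real authorisation server’s group naming is not given here. It applies the API-level gate first, then checks the resource’s security labels against the user’s community roles, where any one matching label is enough.

```python
# Constructed example of the community/security-label access model.
# Roles follow the page: author = read + write, consumer = read only,
# owner = membership management only (so it confers no resource access here).
ROLES = {"owner", "author", "consumer"}


def community_roles(user_groups):
    """Map community label -> set of roles held by the user.
    Group naming '<label>/<role>' is an assumption for this example."""
    roles = {}
    for group in user_groups:
        label, _, role = group.partition("/")
        if label and role in ROLES:
            roles.setdefault(label, set()).add(role)
    return roles


def allowed(api_perms, user_groups, resource_labels, action):
    """Return True if the user may perform action ('read' or 'write')
    on a resource carrying the given FHIR security labels."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    # 1. Community privileges are cumulative with API-level security:
    #    without the matching API-level permission nothing else matters.
    if action.upper() not in api_perms:
        return False
    roles = community_roles(user_groups)
    # 2. At least one label of the form '<label>.<action>' must match a
    #    community in which the user holds a role that grants the action.
    for sec_label in resource_labels:
        base, _, suffix = sec_label.rpartition(".")
        if suffix != action or base not in roles:
            continue
        held = roles[base]
        if action == "read" and held & {"author", "consumer"}:
            return True
        if action == "write" and "author" in held:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: an NDD author with full API access can write NDD
    # resources; an author with only API READ cannot, despite the group.
    print(allowed({"READ", "WRITE"}, {"NDD/author"}, ["NDD.read", "NDD.write"], "write"))
    print(allowed({"READ"}, {"NDD/author"}, ["NDD.read", "NDD.write"], "write"))
```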

All users with system level author access are able to create communities and are immediately the owner of any community they create, and can appoint other owners, authors, and consumers.