Resource community permission strategies

By default, when you upload a FHIR Resource to Ontoserver, it is available for everyone to read (and to update, if they also have the author role). If you want to limit who can read and update a resource, you can assign rights to a community; only members of that community will then be able to access the resource. This is done by adding FHIR Security Labels to a resource, which Snapper has user interface features to support.

There are two rights that you can assign to a community: read and write. Read permission to a resource allows members of a community with author or consumer access to search for, view, and validate that resource. Write permission to a resource allows members of a community with consumer access to read the resource, and members with author access to update the resource. Within a community, members are designated as a community consumer or a community author, so what a user can do with a FHIR Resource is determined by a combination of the rights you assign to the community and the user’s role within that community.

If a Resource has multiple Security Labels attached, a user need only be a member of any one of the communities for the associated permission to apply. For example, given a resource with the security labels admin.read, admin.write, pathology.read and imaging.read, a user in any of the admin, pathology, or imaging communities with consumer or author permissions would be able to read the resource, but only users in the admin community with author permissions would be able to update it.

Assigning rights to communities you aren’t a member of

You do not need to be a member of a community to assign it rights to a resource. For instance, you may want to allow members of a particular community to “read” your resource for review, even though you aren’t a member of that community.

NOTE: Be aware that if you assign rights to a community that you aren’t a member of, on a resource that has no other FHIR security labels set, you will yourself lose read and write access to the resource. Before assigning rights to a community you are not a member of, ensure you have set up rights (read and/or write) for the resource in one of your own communities.
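The multi-label rule and the lock-out described in the NOTE above, modelled in Python as an added example (this is not Ontoserver or Snapper code). It assumes labels are written as `community.right` strings as in the text; the function names, the `memberships` mapping and the `author_role` flag are hypothetical.

```python
# Model of the rules on this page (added example, not Ontoserver code).
# memberships maps a community name to the user's role in it:
# "consumer" or "author". author_role is the user's general author role,
# which only matters for resources that carry no security labels.

def access(labels, memberships, author_role=False):
    """Return the set of actions ("read", "update") the user may perform."""
    if not labels:
        # Unlabelled: everyone can read; authors can also update.
        return {"read", "update"} if author_role else {"read"}
    granted = set()
    for label in labels:
        community, _, right = label.rpartition(".")
        role = memberships.get(community)
        if right not in ("read", "write") or role not in ("consumer", "author"):
            continue  # not a community label, or user is not a member
        granted.add("read")  # read and write labels both let members read
        if right == "write" and role == "author":
            granted.add("update")  # update needs write label + author role
    return granted

def lost_access(old_labels, new_labels, memberships, author_role=False):
    """Actions the user holds under old_labels but not under new_labels."""
    before = access(old_labels, memberships, author_role)
    return before - access(new_labels, memberships, author_role)

# The label set used in the example on this page.
PAGE_LABELS = ["admin.read", "admin.write", "pathology.read", "imaging.read"]

if __name__ == "__main__":
    # Constructed users for illustration.
    for who in ({"pathology": "consumer"}, {"imaging": "author"},
                {"admin": "author"}, {"radiology": "author"}):
        print(who, "->", sorted(access(PAGE_LABELS, who)))

    me = {"admin": "author"}  # constructed: author in admin only
    # Labelling an unlabelled resource for a community I am not in:
    print(sorted(lost_access([], ["pathology.read"], me, author_role=True)))
    # Setting rights for my own community at the same time keeps my access:
    print(sorted(lost_access([], ["admin.write", "pathology.read"], me,
                             author_role=True)))
```

Running `lost_access` against the label set you are about to save shows whether you would lock yourself out before the change is made.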

Fixing permission problems

The base installation includes a Community Content Administrator user who has the power to fix community permission issues if you run into permission problems. This is a super user who has access to all resources, regardless of community permissions, and who can remove or add security tags to restore access if a resource becomes inaccessible to normal users by mistake. By default this right is granted to members of the Service Desk group.