Secure a resource for a community

By default, when you upload a FHIR Resource to Ontoserver it is available for everyone to read (and, if they also have the author role, to update). If you want to limit who can read and update a resource, you can limit access to the resource by assigning rights to a community. For more information about security strategies, refer to Resource community permission strategies.

We now look at how to apply FHIR security labels for a community to a resource. All security labels are of the form ???.read or ???.write, where ??? is the community label (see https://ontoserver.csiro.au/docs/6/security-model.html for additional detail).

A community must exist before you can secure a FHIR Resource to it.

For details on how to set up a Community in Ontocloak, see Community management.

Any Snapper user with the “Author” role will be able to add a security label to a Resource and upload it.

1. Start Snapper and log in with a user that has the “Author” role.

2. Open an existing FHIR resource or create a new one.

3. Click on the “Additional Metadata” tab.

4. Click on the “+ Security” button to add a security label.

5. When you click or tab into the “Security Label” field, a drop-down list will appear with a list of all available community/permission labels. Scroll the page if you can’t see all list items.

6. In this example, we have created a CodeSystem that we want members of the Wonderland Community to be able to find and view, but not update. The FHIR security label associated with this community in the authorisation server is “wonderland”. From the screenshot above, you can see that we can choose from “wonderland.read” and “wonderland.write”. Since we only want the community members to read this resource, we select “wonderland.read”. Do not change the value in “Security System”.

This action may be used to grant read access to a community that the author is not a member of, allowing the author to extend access to another community to review and use the resource.

If you want to grant authoring rights to a resource for a community, you would assign both “read” and “write” labels. Multiple communities can have the same level of access concurrently.

WARNING: You should always assign the “write” security label to at least one community. Otherwise no one will have rights to edit the resource in the future.

WARNING: You should always assign the “read” security label to every community that you assign the “write” security label to. Otherwise the resource can’t be found and viewed in order to edit it. Note that Snapper will automatically add the corresponding “read” label when a “write” label is added, however it can be removed if only “write” is required for an edge case scenario.

7. The CodeSystem’s security labels are only stored locally at this point. The next step is to upload the new (or updated) CodeSystem so the security labels come into effect. Click on the “Upload to FHIR server” tab and then click “Upload CodeSystem”.

8. Now users who have group membership of “The Wonderland Community consumers” community are able to search for, and download a local copy of this resource. Note: If the author of the resource does not have group membership of Wonderland consumers community, they will lose access to this resource on the server when the security labels are applied. The resource will not appear in any searches they do, and if they remove the resource from their local computer, they will not be able to get it back unless they are assigned rights to the community. See Resource community permission strategies for more information.
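The walkthrough above and the two warnings before it describe what Snapper does to a resource's meta.security element: it adds <community>.read and <community>.write codings, and a safe label set needs at least one community with write and a read label for every community that has write. The following Python is an added example, not Snapper or Ontoserver code, that performs the same sanity check on a resource JSON before upload and grants a community access the way the walkthrough does. The sample CodeSystem is constructed for the example, and the "Security System" URI is a placeholder (LABEL_SYSTEM) because the page does not show the real value; Snapper fills it in and the text says not to change it.

```python
# Added example (not Snapper or Ontoserver code): build and sanity-check the
# meta.security labels of a FHIR resource before uploading it.
# LABEL_SYSTEM is an assumed placeholder for the "Security System" value that
# Snapper sets; the real URI is not shown on the page.
import copy
import json

LABEL_SYSTEM = "urn:example:placeholder-security-label-system"  # assumption

# Constructed sample: a CodeSystem already labelled for the "wonderland"
# community with read-only access, as in the walkthrough.
SAMPLE_CODESYSTEM = {
    "resourceType": "CodeSystem",
    "id": "wonderland-example",
    "url": "http://example.org/fhir/CodeSystem/wonderland-example",
    "status": "draft",
    "content": "complete",
    "meta": {
        "security": [
            {"system": LABEL_SYSTEM, "code": "wonderland.read"},
        ]
    },
}


def community_labels(resource):
    """Return {community: {"read", "write", ...}} parsed from meta.security.

    Labels have the form <community>.read or <community>.write; codings
    that do not follow that pattern are ignored."""
    perms = {}
    for coding in resource.get("meta", {}).get("security", []):
        code = coding.get("code", "")
        community, sep, permission = code.rpartition(".")
        if not sep or permission not in ("read", "write"):
            continue
        perms.setdefault(community, set()).add(permission)
    return perms


def check_security_labels(resource):
    """Apply the two warnings from the page.

    Returns a list of problems; an empty list means the label set leaves
    someone able to find and edit the resource after upload."""
    perms = community_labels(resource)
    problems = []
    writers = [c for c, p in perms.items() if "write" in p]
    if not writers:
        problems.append(
            "no community holds a write label; nobody will be able to edit this resource"
        )
    for community in writers:
        if "read" not in perms[community]:
            problems.append(
                f"community '{community}' has write but not read; "
                "it cannot find the resource in order to edit it"
            )
    return problems


def grant_community_access(resource, community, write=False):
    """Return a copy of the resource with <community>.read (and .write when
    requested) added, mirroring Snapper's behaviour of adding the read label
    alongside a write label. Existing labels are kept; duplicates are skipped."""
    updated = copy.deepcopy(resource)
    security = updated.setdefault("meta", {}).setdefault("security", [])
    wanted = [f"{community}.read"] + ([f"{community}.write"] if write else [])
    existing = {c.get("code") for c in security}
    for code in wanted:
        if code not in existing:
            security.append({"system": LABEL_SYSTEM, "code": code})
    return updated


if __name__ == "__main__":
    # The read-only sample trips the first warning: nobody can edit it.
    print(check_security_labels(SAMPLE_CODESYSTEM))
    # Grant a hypothetical "authors" community read+write and re-check.
    authored = grant_community_access(SAMPLE_CODESYSTEM, "authors", write=True)
    print(json.dumps(authored["meta"], indent=2))
    print(check_security_labels(authored))
```

Running the check on a resource whose only label is wonderland.read reproduces the first warning on the page (no community can edit it); after granting a second community both labels the check passes, while a resource carrying only a .write label is flagged for the second warning.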