Closed feordin closed 3 months ago
Note that there is still another layer of protection before a SMART user could actually initiate an export job. They will need to be a member of the FHIR Export role in RBAC in addition to requesting the "read" SMART clinical scope.
If they still need the RBAC roll what value is the SMART roll? Wouldn't they be able to export without the SMART roll if they had the RBAC roll?
Note that there is still another layer of protection before a SMART user could actually initiate an export job. They will need to be a member of the FHIR Export role in RBAC in addition to requesting the "read" SMART clinical scope.
If they still need the RBAC roll what value is the SMART roll? Wouldn't they be able to export without the SMART roll if they had the RBAC roll?
It is true that once they are members of the Export role they have export permissions, but if that same user is also a member of the SMART role, the actions they take are then limited by the SMART clinical scopes in their token. Right now, we have to grant write permissions in the SMART clinical scope in order for the user to take advantage of their Export privileges.
/azp run
/azp run
Description
This adds an allowed DataAction of Export when a SMART scope of "read" is requested. This change is being made because prior to this it was necessary to grant "write" privileges to a SMART user if they needed export. This was too much privilege for an export request.
Note that there is still another layer of protection before a SMART user could actually initiate an export job. They will need to be a member of the FHIR Export role in RBAC in addition to requesting the "read" SMART clinical scope.
Related issues
Addresses [issue AB#120097].
Testing
Unit tests were updated.
FHIR Team Checklist
Semver Change (docs)
Patch|Skip|Feature|Breaking (reason)