tewhatuora / api-standards

Health New Zealand | Te Whatu Ora API Development and Security Standards
https://apistandards.digital.health.nz

SMART scopes for custom operations #154

Closed pat-ryan-health closed 3 months ago

pat-ryan-health commented 4 months ago

Summary

Use a "__" prefix before the custom operation name when it is necessary to assign a specific scope to a custom operation

From SMART

“If a SMART on FHIR server supports a custom behavior like allowing users to choose their own profile photos through a custom non-FHIR API, it can designate a custom scope using a full URL (e.g., https://ehr.example.org/scopes/profilePhoto.manage) or by using a "__" prefix (e.g., __profilePhoto.manage)”

Example: if we wanted to assign a specific scope to permit access to the NHIPatient custom operation set-preferred-name, we could define a scope called Patient.__set-preferred-name

Drawbacks

none identified

Which area of the standards does this apply to?

ChrisSquats commented 4 months ago

I've actually raised this in the FHIR community chat. This was the recommendation: [image]

As such, I'll add this to the standard.
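An added example, not part of the issue thread or the standard: one way a resource server could enforce the naming convention proposed above, by mapping a custom-operation request to its `Type.__operation` scope and requiring an exact match in the token. The path pattern, the function names, the acceptance of a `patient/`, `user/` or `system/` context prefix, and the rule that CRUDS or wildcard scopes never imply a custom operation are assumptions made for illustration.

```python
import re

# Assumed request shape: /<ResourceType>[/<id>]/$<operation-name>
_OP_PATH = re.compile(
    r"^/(?P<rtype>[A-Z][A-Za-z]+)"        # FHIR resource type, e.g. Patient
    r"(?:/[A-Za-z0-9\-.]{1,64})?"         # optional logical id
    r"/\$(?P<op>[a-z][a-z0-9-]*)$"        # custom operation, e.g. $set-preferred-name
)
_CONTEXTS = ("patient/", "user/", "system/")  # SMART context prefixes (assumed accepted)


def required_scope(path):
    """Return the scope the convention assigns to a custom-operation path,
    e.g. /Patient/123/$set-preferred-name -> Patient.__set-preferred-name.
    Returns None when the path is not a custom-operation call."""
    m = _OP_PATH.match(path)
    if m is None:
        return None
    return f"{m['rtype']}.__{m['op']}"


def authorising_scopes(path, scope_claim):
    """List the granted scopes that authorise this call.

    Exact match only (assumption): Patient.rs, Patient.cruds or */*.cruds
    do not imply a custom operation. The caller must still enforce the
    compartment implied by a patient/ or user/ context prefix.
    """
    need = required_scope(path)
    if need is None:
        return []
    hits = []
    for scope in scope_claim.split():      # OAuth scope claim is space-delimited
        bare = scope
        for ctx in _CONTEXTS:
            if scope.startswith(ctx):
                bare = scope[len(ctx):]
                break
        if bare == need:
            hits.append(scope)
    return hits


def may_invoke(path, scope_claim):
    """Fail closed: no matching scope, or an unrecognised path, means deny."""
    return bool(authorising_scopes(path, scope_claim))
```
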