Is it possible to do authorization / access control in a FHIR store? Let me show one example:
The insurance company receives clinical information from 3 different partners, but the company needs to create a different role for each one.
Each partner would be responsible for authenticating the insurance company. This might be through mutual TLS certificate verification, OAuth or some other means. Once the insurance company has authenticated, the clinical system would determine what 'authorization' the company had. Every data source has full control over determining what a given requester has authorization to receive. Ideally, the server will expose a distinct CapabilityStatement to the requester after they've authenticated that reflects what they are allowed to do. Any requests that are not permitted will result in an appropriate error or will result in the data returned being appropriately filtered. The determination of what sort of filtering happens is managed by internal business rules and is not defined by FHIR, though in some cases, FHIR resources such as Contract or Consent may include terms that will influence the filtering.
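The answer above describes a pattern rather than a FHIR-defined mechanism: the data source authenticates the requester, maps that identity to a role by its own business rules, advertises a role-specific CapabilityStatement, and either rejects requests or filters what comes back. The following Python block is an added illustration of that pattern, not code from the original post or from any FHIR server product. The store contents, the principal names (written as client-certificate subjects), the role table and the consent allow-list are all constructed for the example; the request handler works at the level of FHIR interactions (`read`, `search-type`) and returns plain dicts in the shape of FHIR JSON.

```python
"""Role-based authorization layer in front of a FHIR store (constructed illustration).

Authentication (mTLS, OAuth, ...) is assumed to have already produced a principal
string. Everything below is the data source's own policy: principal -> role,
role -> CapabilityStatement, and per-request enforcement with result filtering.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    types: frozenset         # resource types this role may access at all
    interactions: frozenset  # FHIR interactions permitted on those types
    consent_required: bool   # if True, hide resources whose patient has not consented


# Constructed sample resources standing in for the store's contents.
STORE = [
    {"resourceType": "Patient", "id": "p1"},
    {"resourceType": "Patient", "id": "p2"},
    {"resourceType": "Observation", "id": "o1", "subject": {"reference": "Patient/p1"}},
    {"resourceType": "Observation", "id": "o2", "subject": {"reference": "Patient/p2"}},
    {"resourceType": "Claim", "id": "c1", "patient": {"reference": "Patient/p1"}},
]

# Constructed stand-in for what a Consent resource would yield: patients who
# have agreed to disclosure to insurers.
CONSENTED_PATIENTS = {"Patient/p1"}

# Authenticated principal -> role. Principals are hypothetical certificate
# subjects; the mapping is this server's internal business rule, not FHIR.
PRINCIPAL_ROLES = {
    "CN=acme-insurance": Role("insurer", frozenset({"Patient", "Observation"}),
                              frozenset({"read", "search-type"}), True),
    "CN=clinic-north": Role("clinic", frozenset({"Patient", "Observation", "Claim"}),
                            frozenset({"read", "search-type", "create"}), False),
    "CN=billing-partner": Role("billing", frozenset({"Claim"}), frozenset({"read"}), False),
}


def capability_statement(principal):
    """Build a CapabilityStatement that lists only what this requester may do."""
    role = PRINCIPAL_ROLES[principal]
    return {
        "resourceType": "CapabilityStatement",
        "status": "active",
        "kind": "instance",
        "fhirVersion": "4.0.1",
        "format": ["json"],
        "rest": [{
            "mode": "server",
            "resource": [
                {"type": t, "interaction": [{"code": i} for i in sorted(role.interactions)]}
                for t in sorted(role.types)
            ],
        }],
    }


def _patient_ref(res):
    """Return the Patient reference a resource belongs to (Patient refers to itself)."""
    if res["resourceType"] == "Patient":
        return "Patient/" + res["id"]
    ref = res.get("subject") or res.get("patient") or {}
    return ref.get("reference")


def operation_outcome(code, text):
    return {"resourceType": "OperationOutcome",
            "issue": [{"severity": "error", "code": code, "diagnostics": text}]}


def handle(principal, interaction, resource_type, resource_id=None):
    """Authorize and serve a read or search-type interaction; returns (http_status, body)."""
    role = PRINCIPAL_ROLES.get(principal)
    if role is None:
        return 401, operation_outcome("login", "unknown principal")
    if resource_type not in role.types or interaction not in role.interactions:
        return 403, operation_outcome(
            "forbidden", f"{interaction} on {resource_type} not permitted for role {role.name}")
    visible = [r for r in STORE if r["resourceType"] == resource_type]
    if role.consent_required:
        # Business-rule filtering: the requester never sees non-consented records.
        visible = [r for r in visible if _patient_ref(r) in CONSENTED_PATIENTS]
    if interaction == "read":
        for r in visible:
            if r["id"] == resource_id:
                return 200, r
        # Same 404 for "does not exist" and "filtered out", so the filter is not an oracle.
        return 404, operation_outcome("not-found", f"{resource_type}/{resource_id}")
    return 200, {"resourceType": "Bundle", "type": "searchset", "total": len(visible),
                 "entry": [{"resource": r} for r in visible]}
```

Two design points worth noting: a requester that is not entitled to a resource type gets the same 403 whether or not matching data exists, and a read of a filtered-out record returns the same 404 as a read of a nonexistent one, so the filtering rules themselves do not leak information. The per-principal CapabilityStatement is what lets a client discover, after authenticating, the subset of the server it is actually allowed to use.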