Release 5 Ballot

This page is part of the FHIR Specification (v5.0.0-ballot: R5 Ballot - see ballot notes). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions

Example CodeSystem/permission-rule-combining (JSON)

Security Work GroupMaturity Level: N/AStandards Status: Informative

Raw JSON (canonical form + also see JSON Format Specification)

Definition for Code SystemPermissionRuleCombining

{
  "resourceType" : "CodeSystem",
  "id" : "permission-rule-combining",
  "meta" : {
    "lastUpdated" : "2022-09-10T05:52:37.223+11:00",
    "profile" : ["http://hl7.org/fhir/StructureDefinition/shareablecodesystem"]
  },
  "text" : {
    "status" : "generated",
    "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p>This code system <code>http://hl7.org/fhir/permission-rule-combining</code> defines the following codes:</p><table class=\"codes\"><tr><td style=\"white-space:nowrap\"><b>Code</b></td><td><b>Display</b></td><td><b>Definition</b></td></tr><tr><td style=\"white-space:nowrap\">deny-overrides<a name=\"permission-rule-combining-deny-overrides\"> </a></td><td>Deny-overrides</td><td>The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.</td></tr><tr><td style=\"white-space:nowrap\">permit-overrides<a name=\"permission-rule-combining-permit-overrides\"> </a></td><td>Permit-overrides</td><td>The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.</td></tr><tr><td style=\"white-space:nowrap\">ordered-deny-overrides<a name=\"permission-rule-combining-ordered-deny-overrides\"> </a></td><td>Ordered-deny-overrides</td><td>The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td></tr><tr><td style=\"white-space:nowrap\">ordered-permit-overrides<a name=\"permission-rule-combining-ordered-permit-overrides\"> </a></td><td>Ordered-permit-overrides</td><td>The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td></tr><tr><td style=\"white-space:nowrap\">deny-unless-permit<a name=\"permission-rule-combining-deny-unless-permit\"> </a></td><td>Deny-unless-permit</td><td>The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.</td></tr><tr><td style=\"white-space:nowrap\">permit-unless-deny<a name=\"permission-rule-combining-permit-unless-deny\"> </a></td><td>Permit-unless-deny</td><td>The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.</td></tr></table></div>"
  },
  "extension" : [{
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-wg",
    "valueCode" : "sec"
  },
  {
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status",
    "valueCode" : "trial-use"
  },
  {
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm",
    "valueInteger" : 0
  }],
  "url" : "http://hl7.org/fhir/permission-rule-combining",
  "identifier" : [{
    "system" : "urn:ietf:rfc:3986",
    "value" : "urn:oid:2.16.840.1.113883.4.642.4.2070"
  }],
  "version" : "5.0.0-ballot",
  "name" : "PermissionRuleCombining",
  "title" : "PermissionRuleCombining",
  "status" : "draft",
  "experimental" : false,
  "date" : "2022-08-05T10:01:24+11:00",
  "publisher" : "HL7 (FHIR Project)",
  "contact" : [{
    "telecom" : [{
      "system" : "url",
      "value" : "http://hl7.org/fhir"
    },
    {
      "system" : "email",
      "value" : "fhir@lists.hl7.org"
    }]
  }],
  "description" : "Codes identifying the rule combining. See XACML Combining algorithms  http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html",
  "caseSensitive" : true,
  "content" : "complete",
  "concept" : [{
    "code" : "deny-overrides",
    "display" : "Deny-overrides",
    "definition" : "The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision."
  },
  {
    "code" : "permit-overrides",
    "display" : "Permit-overrides",
    "definition" : "The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision."
  },
  {
    "code" : "ordered-deny-overrides",
    "display" : "Ordered-deny-overrides",
    "definition" : "The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission."
  },
  {
    "code" : "ordered-permit-overrides",
    "display" : "Ordered-permit-overrides",
    "definition" : "The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission."
  },
  {
    "code" : "deny-unless-permit",
    "display" : "Deny-unless-permit",
    "definition" : "The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result."
  },
  {
    "code" : "permit-unless-deny",
    "display" : "Permit-unless-deny",
    "definition" : "The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior."
  }]
}

Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.