This page is part of the FHIR Specification (v5.0.0-ballot: R5 Ballot - see ballot notes). The current version which supercedes this version is 5.0.0. For a full list of available versions, see the Directory of published versions
Security Work Group | Maturity Level: N/A | Standards Status: Informative |
Raw JSON (canonical form + also see JSON Format Specification)
Definition for Code SystemPermissionRuleCombining
{ "resourceType" : "CodeSystem", "id" : "permission-rule-combining", "meta" : { "lastUpdated" : "2022-09-10T05:52:37.223+11:00", "profile" : ["http://hl7.org/fhir/StructureDefinition/shareablecodesystem"] }, "text" : { "status" : "generated", "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\"><p>This code system <code>http://hl7.org/fhir/permission-rule-combining</code> defines the following codes:</p><table class=\"codes\"><tr><td style=\"white-space:nowrap\"><b>Code</b></td><td><b>Display</b></td><td><b>Definition</b></td></tr><tr><td style=\"white-space:nowrap\">deny-overrides<a name=\"permission-rule-combining-deny-overrides\"> </a></td><td>Deny-overrides</td><td>The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.</td></tr><tr><td style=\"white-space:nowrap\">permit-overrides<a name=\"permission-rule-combining-permit-overrides\"> </a></td><td>Permit-overrides</td><td>The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.</td></tr><tr><td style=\"white-space:nowrap\">ordered-deny-overrides<a name=\"permission-rule-combining-ordered-deny-overrides\"> </a></td><td>Ordered-deny-overrides</td><td>The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td></tr><tr><td style=\"white-space:nowrap\">ordered-permit-overrides<a name=\"permission-rule-combining-ordered-permit-overrides\"> </a></td><td>Ordered-permit-overrides</td><td>The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td></tr><tr><td style=\"white-space:nowrap\">deny-unless-permit<a name=\"permission-rule-combining-deny-unless-permit\"> </a></td><td>Deny-unless-permit</td><td>The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.</td></tr><tr><td style=\"white-space:nowrap\">permit-unless-deny<a name=\"permission-rule-combining-permit-unless-deny\"> </a></td><td>Permit-unless-deny</td><td>The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.</td></tr></table></div>" }, "extension" : [{ "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-wg", "valueCode" : "sec" }, { "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status", "valueCode" : "trial-use" }, { "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm", "valueInteger" : 0 }], "url" : "http://hl7.org/fhir/permission-rule-combining", "identifier" : [{ "system" : "urn:ietf:rfc:3986", "value" : "urn:oid:2.16.840.1.113883.4.642.4.2070" }], "version" : "5.0.0-ballot", "name" : "PermissionRuleCombining", "title" : "PermissionRuleCombining", "status" : "draft", "experimental" : false, "date" : "2022-08-05T10:01:24+11:00", "publisher" : "HL7 (FHIR Project)", "contact" : [{ "telecom" : [{ "system" : "url", "value" : "http://hl7.org/fhir" }, { "system" : "email", "value" : "fhir@lists.hl7.org" }] }], "description" : "Codes identifying the rule combining. See XACML Combining algorithms http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html", "caseSensitive" : true, "content" : "complete", "concept" : [{ "code" : "deny-overrides", "display" : "Deny-overrides", "definition" : "The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision." }, { "code" : "permit-overrides", "display" : "Permit-overrides", "definition" : "The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision." }, { "code" : "ordered-deny-overrides", "display" : "Ordered-deny-overrides", "definition" : "The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission." }, { "code" : "ordered-permit-overrides", "display" : "Ordered-permit-overrides", "definition" : "The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission." }, { "code" : "deny-unless-permit", "display" : "Deny-unless-permit", "definition" : "The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result." }, { "code" : "permit-unless-deny", "display" : "Permit-unless-deny", "definition" : "The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior." }] }
Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.
FHIR ®© HL7.org 2011+. FHIR R5 Ballot hl7.fhir.core#5.0.0-ballot generated on Sat, Sep 10, 2022 04:55+1000.
Links: Search |
Version History |
Contents |
Glossary |
QA |
Compare to R4B |
Compare to R5 Draft |
|
Propose a change