This is Snapshot #3 for FHIR R5, released to support Connectathon 32. For a full list of available versions, see the Directory of published versions.
Security Work Group | Maturity Level: N/A | Standards Status: Informative |
Raw XML (canonical form + also see XML Format Specification)
Definition for Code SystemPermissionRuleCombining
<?xml version="1.0" encoding="UTF-8"?> <CodeSystem xmlns="http://hl7.org/fhir"> <id value="permission-rule-combining"/> <meta> <lastUpdated value="2022-12-14T07:12:54.019+11:00"/> <profile value="http://hl7.org/fhir/StructureDefinition/shareablecodesystem"/> </meta> <text> <status value="generated"/> <div xmlns="http://www.w3.org/1999/xhtml"> <p> This code system <code> http://hl7.org/fhir/permission-rule-combining</code> defines the following codes: </p> <table class="codes"> <tr> <td style="white-space:nowrap"> <b> Code</b> </td> <td> <b> Display</b> </td> <td> <b> Definition</b> </td> </tr> <tr> <td style="white-space:nowrap">deny-overrides <a name="permission-rule-combining-deny-overrides"> </a> </td> <td> Deny-overrides</td> <td> The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.</td> </tr> <tr> <td style="white-space:nowrap">permit-overrides <a name="permission-rule-combining-permit-overrides"> </a> </td> <td> Permit-overrides</td> <td> The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.</td> </tr> <tr> <td style="white-space:nowrap">ordered-deny-overrides <a name="permission-rule-combining-ordered-deny-overrides"> </a> </td> <td> Ordered-deny-overrides</td> <td> The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td> </tr> <tr> <td style="white-space:nowrap">ordered-permit-overrides <a name="permission-rule-combining-ordered-permit-overrides"> </a> </td> <td> Ordered-permit-overrides</td> <td> The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td> </tr> <tr> <td style="white-space:nowrap">deny-unless-permit <a name="permission-rule-combining-deny-unless-permit"> </a> </td> <td> Deny-unless-permit</td> <td> The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.</td> </tr> <tr> <td style="white-space:nowrap">permit-unless-deny <a name="permission-rule-combining-permit-unless-deny"> </a> </td> <td> Permit-unless-deny</td> <td> The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.</td> </tr> </table> </div> </text> <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg"> <valueCode value="sec"/> </extension> <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status"> <valueCode value="trial-use"/> </extension> <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm"> <valueInteger value="0"/> </extension> <url value="http://hl7.org/fhir/permission-rule-combining"/> <identifier> <system value="urn:ietf:rfc:3986"/> <value value="urn:oid:2.16.840.1.113883.4.642.4.2070"/> </identifier> <version value="5.0.0-snapshot3"/> <name value="PermissionRuleCombining"/> <title value="PermissionRuleCombining"/> <status value="active"/> <experimental value="false"/> <date value="2022-08-05T10:01:24+11:00"/> <publisher value="HL7 (FHIR Project)"/> <contact> <telecom> <system value="url"/> <value value="http://hl7.org/fhir"/> </telecom> <telecom> <system value="email"/> <value value="fhir@lists.hl7.org"/> </telecom> </contact> <description value="Codes identifying the rule combining. See XACML Combining algorithms http://docs.oasis-open. org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html"/> <jurisdiction> <coding> <system value="http://unstats.un.org/unsd/methods/m49/m49.htm"/> <code value="001"/> <display value="World"/> </coding> </jurisdiction> <caseSensitive value="true"/> <content value="complete"/> <concept> <code value="deny-overrides"/> <display value="Deny-overrides"/> <definition value="The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision."/> </concept> <concept> <code value="permit-overrides"/> <display value="Permit-overrides"/> <definition value="The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision."/> </concept> <concept> <code value="ordered-deny-overrides"/> <display value="Ordered-deny-overrides"/> <definition value="The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission."/> </concept> <concept> <code value="ordered-permit-overrides"/> <display value="Ordered-permit-overrides"/> <definition value="The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission."/> </concept> <concept> <code value="deny-unless-permit"/> <display value="Deny-unless-permit"/> <definition value="The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result."/> </concept> <concept> <code value="permit-unless-deny"/> <display value="Permit-unless-deny"/> <definition value="The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior."/> </concept> </CodeSystem>
Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.
FHIR ®© HL7.org 2011+. FHIR R5 Ballot hl7.fhir.core#5.0.0-snapshot3 generated on Wed, Dec 14, 2022 07:13+1100.
Links: Search |
Version History |
Contents |
Glossary |
QA |
Compare to R4B |
Compare to R5 Draft |
|
Propose a change