R6 Ballot (2nd Draft)

Publish-box (todo)

Permission.shex

Security Work GroupMaturity Level: N/AStandards Status: InformativeCompartments: No defined compartments

Raw ShEx

ShEx statement for permission

PREFIX fhir: <http://hl7.org/fhir/> 
PREFIX fhirvs: <http://hl7.org/fhir/ValueSet/>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> 
PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> 

IMPORT <code.shex>
IMPORT <Group.shex>
IMPORT <Period.shex>
IMPORT <Coding.shex>
IMPORT <Device.shex>
IMPORT <Patient.shex>
IMPORT <CareTeam.shex>
IMPORT <dateTime.shex>
IMPORT <Resource.shex>
IMPORT <Reference.shex>
IMPORT <Identifier.shex>
IMPORT <Expression.shex>
IMPORT <Organization.shex>
IMPORT <Practitioner.shex>
IMPORT <RelatedPerson.shex>
IMPORT <DomainResource.shex>
IMPORT <BackboneElement.shex>
IMPORT <CodeableConcept.shex>
IMPORT <PractitionerRole.shex>
IMPORT <HealthcareService.shex>


start=@<Permission> AND {fhir:nodeRole [fhir:treeRoot]}

# Access Rules
<Permission> EXTENDS @<DomainResource> CLOSED {   

    a [fhir:Permission]?;
    fhir:nodeRole [fhir:treeRoot]?;

    fhir:identifier @<OneOrMore_Identifier>?;  # Business Identifier for permission
    fhir:status @<code> AND
    	{fhir:v @fhirvs:permission-status};  # active | entered-in-error | draft 
                                            # | rejected 
    fhir:asserter @<Reference> AND {fhir:link 
    			@<CareTeam> OR 
    			@<HealthcareService> OR 
    			@<Organization> OR 
    			@<Patient> OR 
    			@<Practitioner> OR 
    			@<PractitionerRole> OR 
    			@<RelatedPerson> ? }?;  # The person or entity that asserts 
                                            # the permission 
    fhir:date @<OneOrMore_dateTime>?;       # The date that permission was 
                                            # asserted 
    fhir:validity @<Period>?;               # The period in which the permission 
                                            # is active 
    fhir:justification @<Permission.justification>?;  # The asserted justification for 
                                            # using the data 
    fhir:combining @<code> AND
    	{fhir:v @fhirvs:permission-rule-combining};  # deny-overrides | permit-overrides 
                                            # | ordered-deny-overrides | 
                                            # ordered-permit-overrides | 
                                            # deny-unless-permit | 
                                            # permit-unless-deny 
    fhir:rule @<OneOrMore_Permission.rule>?;  # Constraints to the Permission
}  

# Constraints to the Permission
<Permission.rule> EXTENDS @<BackboneElement> CLOSED {   
    fhir:type @<code> AND
    	{fhir:v @fhirvs:consent-provision-type}?;  # deny | permit
    fhir:data @<OneOrMore_Permission.rule.data>?;  # The selection criteria to identify 
                                            # data that is within scope of this 
                                            # provision 
    fhir:activity @<OneOrMore_Permission.rule.activity>?;  # A description or definition of 
                                            # which activities are allowed to be 
                                            # done on the data 
    fhir:limit @<OneOrMore_CodeableConcept>?;  # What limits apply to the use of 
                                            # the data 
}  

# A description or definition of which activities are allowed to be done on the data
<Permission.rule.activity> EXTENDS @<BackboneElement> CLOSED {   
    fhir:actor @<OneOrMore_Reference_CareTeam_OR_Device_OR_Group_OR_Organization_OR_Patient_OR_Practitioner_OR_PractitionerRole_OR_RelatedPerson>?;  # Authorized actor(s)
    fhir:action @<OneOrMore_CodeableConcept>?;  # Actions controlled by this rule
    fhir:purpose @<OneOrMore_CodeableConcept>?;  # The purpose for which the 
                                            # permission is given 
}  

# The asserted justification for using the data
<Permission.justification> EXTENDS @<BackboneElement> CLOSED {   
    fhir:basis @<OneOrMore_CodeableConcept>?;  # The regulatory grounds upon which 
                                            # this Permission builds 
    fhir:evidence @<OneOrMore_Reference_Resource>?;  # Justifing rational
}  

# The selection criteria to identify data that is within scope of this provision
<Permission.rule.data> EXTENDS @<BackboneElement> CLOSED {   
    fhir:resource @<OneOrMore_Permission.rule.data.resource>?;  # Explicit FHIR Resource references
    fhir:security @<OneOrMore_Coding>?;     # Security tag code on .meta.security
    fhir:period @<Period>?;                 # Timeframe encompasing data 
                                            # create/update 
    fhir:expression @<Expression>?;         # Expression identifying the data
}  

# Explicit FHIR Resource references
<Permission.rule.data.resource> EXTENDS @<BackboneElement> CLOSED {   
    fhir:meaning @<code> AND
    	{fhir:v @fhirvs:consent-data-meaning};  # instance | related | dependents | 
                                            # authoredby 
    fhir:reference @<Reference> AND {fhir:link 
    			@<Resource> ? };  # The actual data reference
}  

#---------------------- Cardinality Types (OneOrMore) -------------------

<OneOrMore_Identifier> CLOSED {
    rdf:first @<Identifier>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Identifier> 
}

<OneOrMore_dateTime> CLOSED {
    rdf:first @<dateTime>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_dateTime> 
}

<OneOrMore_Permission.rule> CLOSED {
    rdf:first @<Permission.rule>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule> 
}

<OneOrMore_Permission.rule.data> CLOSED {
    rdf:first @<Permission.rule.data>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.data> 
}

<OneOrMore_Permission.rule.activity> CLOSED {
    rdf:first @<Permission.rule.activity>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.activity> 
}

<OneOrMore_CodeableConcept> CLOSED {
    rdf:first @<CodeableConcept>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_CodeableConcept> 
}

<OneOrMore_Reference_CareTeam_OR_Device_OR_Group_OR_Organization_OR_Patient_OR_Practitioner_OR_PractitionerRole_OR_RelatedPerson> CLOSED {
    rdf:first @<Reference> AND {fhir:link 
			@<CareTeam> OR 
			@<Device> OR 
			@<Group> OR 
			@<Organization> OR 
			@<Patient> OR 
			@<Practitioner> OR 
			@<PractitionerRole> OR 
			@<RelatedPerson> } ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Reference_CareTeam_OR_Device_OR_Group_OR_Organization_OR_Patient_OR_Practitioner_OR_PractitionerRole_OR_RelatedPerson> 
}

<OneOrMore_Reference_Resource> CLOSED {
    rdf:first @<Reference> AND {fhir:link 
			@<Resource> } ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Reference_Resource> 
}

<OneOrMore_Permission.rule.data.resource> CLOSED {
    rdf:first @<Permission.rule.data.resource>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.data.resource> 
}

<OneOrMore_Coding> CLOSED {
    rdf:first @<Coding>  ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Coding> 
}

#---------------------- Value Sets ------------------------

# How a resource reference is interpreted when testing consent restrictions.
fhirvs:consent-data-meaning ["instance" "related" "dependents" "authoredby"]

# How a rule statement is applied, such as adding additional consent or removing consent.
fhirvs:consent-provision-type ["deny" "permit"]

# Codes identifying rule combining algorithm.
fhirvs:permission-rule-combining ["deny-overrides" "permit-overrides" "ordered-deny-overrides" "ordered-permit-overrides" "deny-unless-permit" "permit-unless-deny"]

# Codes identifying the lifecycle stage of a product.
fhirvs:permission-status ["active" "entered-in-error" "draft" "rejected"]


Usage note: every effort has been made to ensure that the ShEx files are correct and useful, but they are not a normative part of the specification.