R6 Ballot (1st Draft)

This page is part of the FHIR Specification v6.0.0-ballot1: Release 6 Ballot (1st Draft) (see Ballot Notes). The current version is 5.0.0. For a full list of available versions, see the Directory of published versions

Example CodeSystem/permission-rule-combining (XML)

Security Work GroupMaturity Level: N/AStandards Status: Informative

Raw XML (canonical form + also see XML Format Specification)

Definition for Code SystemPermissionRuleCombining

<?xml version="1.0" encoding="UTF-8"?>

<CodeSystem xmlns="http://hl7.org/fhir">
  <id value="permission-rule-combining"/> 
  <meta> 
    <lastUpdated value="2023-12-18T15:12:07.602+11:00"/> 
    <profile value="http://hl7.org/fhir/StructureDefinition/shareablecodesystem"/> 
  </meta> 
  <text> 
    <status value="generated"/> 
    <div xmlns="http://www.w3.org/1999/xhtml">
      <p> This case-sensitive code system 
        <code> http://hl7.org/fhir/permission-rule-combining</code>  defines the following codes:
      </p> 
      <table class="codes">
        <tr> 
          <td style="white-space:nowrap">
            <b> Code</b> 
          </td> 
          <td> 
            <b> Display</b> 
          </td> 
          <td> 
            <b> Definition</b> 
          </td> 
        </tr> 
        <tr> 
          <td style="white-space:nowrap">deny-overrides
            <a name="permission-rule-combining-deny-overrides"> </a> 
          </td> 
          <td> Deny-overrides</td> 
          <td> The deny overrides combining algorithm is intended for those cases where a deny
             decision should have priority over a permit decision.</td> 
        </tr> 
        <tr> 
          <td style="white-space:nowrap">permit-overrides
            <a name="permission-rule-combining-permit-overrides"> </a> 
          </td> 
          <td> Permit-overrides</td> 
          <td> The permit overrides combining algorithm is intended for those cases where a permit
             decision should have priority over a deny decision.</td> 
        </tr> 
        <tr> 
          <td style="white-space:nowrap">ordered-deny-overrides
            <a name="permission-rule-combining-ordered-deny-overrides"> </a> 
          </td> 
          <td> Ordered-deny-overrides</td> 
          <td> The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining
             algorithm with one exception.  The order in which the collection of rules is evaluated
             SHALL match the order as listed in the permission.</td> 
        </tr> 
        <tr> 
          <td style="white-space:nowrap">ordered-permit-overrides
            <a name="permission-rule-combining-ordered-permit-overrides"> </a> 
          </td> 
          <td> Ordered-permit-overrides</td> 
          <td> The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining
             algorithm with one exception.  The order in which the collection of rules is evaluated
             SHALL match the order as listed in the permission.</td> 
        </tr> 
        <tr> 
          <td style="white-space:nowrap">deny-unless-permit
            <a name="permission-rule-combining-deny-unless-permit"> </a> 
          </td> 
          <td> Deny-unless-permit</td> 
          <td> The “Deny-unless-permit” combining algorithm is intended for those cases where
             a permit decision should have priority over a deny decision, and an “Indeterminate”
             or “NotApplicable” must never be the result. It is particularly useful at the top
             level in a policy structure to ensure that a PDP will always return a definite
             “Permit” or “Deny” result.</td> 
        </tr> 
        <tr> 
          <td style="white-space:nowrap">permit-unless-deny
            <a name="permission-rule-combining-permit-unless-deny"> </a> 
          </td> 
          <td> Permit-unless-deny</td> 
          <td> The “Permit-unless-deny” combining algorithm is intended for those cases where
             a deny decision should have priority over a permit decision, and an “Indeterminate”
             or “NotApplicable” must never be the result. It is particularly useful at the top
             level in a policy structure to ensure that a PDP will always return a definite
             “Permit” or “Deny” result. This algorithm has the following behavior.</td> 
        </tr> 
      </table> 
    </div> 
  </text> 
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg">
    <valueCode value="sec"/> 
  </extension> 
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status">
    <valueCode value="trial-use"/> 
  </extension> 
  <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm">
    <valueInteger value="0"/> 
  </extension> 
  <url value="http://hl7.org/fhir/permission-rule-combining"/> 
  <identifier> 
    <system value="urn:ietf:rfc:3986"/> 
    <value value="urn:oid:2.16.840.1.113883.4.642.4.2070"/> 
  </identifier> 
  <version value="6.0.0-ballot1"/> 
  <name value="PermissionRuleCombining"/> 
  <title value="Permission Rule Combining"/> 
  <status value="active"/> 
  <experimental value="false"/> 
  <date value="2022-08-05T10:01:24+11:00"/> 
  <publisher value="HL7 (FHIR Project)"/> 
  <contact> 
    <telecom> 
      <system value="url"/> 
      <value value="http://hl7.org/fhir"/> 
    </telecom> 
    <telecom> 
      <system value="email"/> 
      <value value="fhir@lists.hl7.org"/> 
    </telecom> 
  </contact> 
  <description value="Codes identifying the rule combining. See XACML Combining algorithms  http://docs.oasis-open.
  org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html"/> 
  <jurisdiction> 
    <coding> 
      <system value="http://unstats.un.org/unsd/methods/m49/m49.htm"/> 
      <code value="001"/> 
      <display value="World"/> 
    </coding> 
  </jurisdiction> 
  <caseSensitive value="true"/> 
  <content value="complete"/> 
  <concept> 
    <code value="deny-overrides"/> 
    <display value="Deny-overrides"/> 
    <definition value="The deny overrides combining algorithm is intended for those cases where a deny
     decision should have priority over a permit decision."/> 
  </concept> 
  <concept> 
    <code value="permit-overrides"/> 
    <display value="Permit-overrides"/> 
    <definition value="The permit overrides combining algorithm is intended for those cases where a permit
     decision should have priority over a deny decision."/> 
  </concept> 
  <concept> 
    <code value="ordered-deny-overrides"/> 
    <display value="Ordered-deny-overrides"/> 
    <definition value="The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining
     algorithm with one exception.  The order in which the collection of rules is evaluated
     SHALL match the order as listed in the permission."/> 
  </concept> 
  <concept> 
    <code value="ordered-permit-overrides"/> 
    <display value="Ordered-permit-overrides"/> 
    <definition value="The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining
     algorithm with one exception.  The order in which the collection of rules is evaluated
     SHALL match the order as listed in the permission."/> 
  </concept> 
  <concept> 
    <code value="deny-unless-permit"/> 
    <display value="Deny-unless-permit"/> 
    <definition value="The “Deny-unless-permit” combining algorithm is intended for those cases where
     a permit decision should have priority over a deny decision, and an “Indeterminate”
     or “NotApplicable” must never be the result. It is particularly useful at the top
     level in a policy structure to ensure that a PDP will always return a definite
     “Permit” or “Deny” result."/> 
  </concept> 
  <concept> 
    <code value="permit-unless-deny"/> 
    <display value="Permit-unless-deny"/> 
    <definition value="The “Permit-unless-deny” combining algorithm is intended for those cases where
     a deny decision should have priority over a permit decision, and an “Indeterminate”
     or “NotApplicable” must never be the result. It is particularly useful at the top
     level in a policy structure to ensure that a PDP will always return a definite
     “Permit” or “Deny” result. This algorithm has the following behavior."/> 
  </concept> 
</CodeSystem> 

Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.