Terminology
This
page
is
part
of
the
Continuous
Integration
Build
of
FHIR
Specification
(v5.0.0:
R5
-
STU
).
This
is
the
current
published
version
in
it's
permanent
home
(it
will
always
(will
be
available
incorrect/inconsistent
at
this
URL).
For
a
full
list
of
available
versions,
see
times).
See
the
Directory
of
published
versions
| Responsible Owner: Security Work Group | Standards Status : Informative |
Raw XML ( canonical form + also see XML Format Specification )
Definition for Code SystemPermissionRuleCombining
<?xml version="1.0" encoding="UTF-8"?>This code system defines the following codes: deny-overrides<CodeSystem xmlns="http://hl7.org/fhir"> <id value="permission-rule-combining"/> <meta> <lastUpdated value="2025-11-21T10:56:49.898+11:00"/> </meta> <text> <status value="generated"/> <div xmlns="http://www.w3.org/1999/xhtml"> <p class="res-header-id"> <b> Generated Narrative: CodeSystem permission-rule-combining</b> </p> <a name="permission-rule-combining"> </a> <a name="hcpermission-rule-combining"> </a> <div style="display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%"> <p style="margin-bottom: 0px">Last updated: 2022-08-05T10:01:24.148+11:00</p> </div> <p> This case-sensitive code system <code> http://hl7.org/fhir/permission-rule-combining</code> defines the following codes: </p> <table class="codes"> <tr> <td style="white-space:nowrap"> <b> Code</b> </td> <td> <b> Display</b> </td> <td> <b> Definition</b> </td> </tr> <tr> <td style="white-space:nowrap">deny-overrides <a name="permission-rule-combining-deny-overrides"> </a> </td> <td> Deny-overrides</td> <td> The deny overrides combining algorithm is intended for those cases where a denydecision should have priority over a permit decision. permit-overridesdecision should have priority over a permit decision.</td> </tr> <tr> <td style="white-space:nowrap">permit-overrides <a name="permission-rule-combining-permit-overrides"> </a> </td> <td> Permit-overrides</td> <td> The permit overrides combining algorithm is intended for those cases where a permitdecision should have priority over a deny decision. ordered-deny-overridesdecision should have priority over a deny decision.</td> </tr> <tr> <td style="white-space:nowrap">ordered-deny-overrides <a name="permission-rule-combining-ordered-deny-overrides"> </a> </td> <td> Ordered-deny-overrides</td> <td> The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluatedSHALL match the order as listed in the permission. ordered-permit-overridesSHALL match the order as listed in the permission.</td> </tr> <tr> <td style="white-space:nowrap">ordered-permit-overrides <a name="permission-rule-combining-ordered-permit-overrides"> </a> </td> <td> Ordered-permit-overrides</td> <td> The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluatedSHALL match the order as listed in the permission. deny-unless-permitSHALL match the order as listed in the permission.</td> </tr> <tr> <td style="white-space:nowrap">deny-unless-permit <a name="permission-rule-combining-deny-unless-permit"> </a> </td> <td> Deny-unless-permit</td> <td> The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite“Permit” or “Deny” result. permit-unless-deny“Permit” or “Deny” result.</td> </tr> <tr> <td style="white-space:nowrap">permit-unless-deny <a name="permission-rule-combining-permit-unless-deny"> </a> </td> <td> Permit-unless-deny</td> <td> The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite“Permit” or “Deny” result. This algorithm has the following behavior.“Permit” or “Deny” result. This algorithm has the following behavior.</td> </tr> </table> </div> </text> <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg"> <valueCode value="sec"/> </extension> <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status"> <valueCode value="normative"/> </extension> <extension url="http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm"> <valueInteger value="1"/> </extension> <url value="http://hl7.org/fhir/permission-rule-combining"/> <identifier> <system value="urn:ietf:rfc:3986"/> <value value="urn:oid:2.16.840.1.113883.4.642.4.2070"/> </identifier> <version value="6.0.0-ballot3"/> <name value="PermissionRuleCombining"/> <title value="Permission Rule Combining"/> <status value="active"/> <experimental value="false"/> <date value="2022-08-05T10:01:24+11:00"/> <publisher value="HL7 (FHIR Project)"/> <contact> <telecom> <system value="url"/> <value value="http://hl7.org/fhir"/> </telecom> <telecom> <system value="email"/> <value value="fhir@lists.hl7.org"/> </telecom> </contact> <description value="Codes identifying the rule combining. See XACML Combining algorithms http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.htmlorg/xacml/3.0/xacml-3.0-core-spec-cos01-en.html"/> <jurisdiction> <coding> <system value="http://unstats.un.org/unsd/methods/m49/m49.htm"/> <code value="001"/> <display value="World"/> </coding> </jurisdiction> <caseSensitive value="true"/> <content value="complete"/> <concept> <code value="deny-overrides"/> <display value="Deny-overrides"/> <definition value="The deny overrides combining algorithm is intended for those cases where a denydecision should have priority over a permit decision.decision should have priority over a permit decision."/> </concept> <concept> <code value="permit-overrides"/> <display value="Permit-overrides"/> <definition value="The permit overrides combining algorithm is intended for those cases where a permitdecision should have priority over a deny decision.decision should have priority over a deny decision."/> </concept> <concept> <code value="ordered-deny-overrides"/> <display value="Ordered-deny-overrides"/> <definition value="The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluatedSHALL match the order as listed in the permission.SHALL match the order as listed in the permission."/> </concept> <concept> <code value="ordered-permit-overrides"/> <display value="Ordered-permit-overrides"/> <definition value="The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluatedSHALL match the order as listed in the permission.SHALL match the order as listed in the permission."/> </concept> <concept> <code value="deny-unless-permit"/> <display value="Deny-unless-permit"/> <definition value="The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite“Permit” or “Deny” result.“Permit” or “Deny” result."/> </concept> <concept> <code value="permit-unless-deny"/> <display value="Permit-unless-deny"/> <definition value="The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite“Permit” or “Deny” result. This algorithm has the following behavior.“Permit” or “Deny” result. This algorithm has the following behavior."/> </concept> </ CodeSystem >
Usage note: every effort has been made to ensure that the examples are correct and useful, but they are not a normative part of the specification.
FHIR
®©
HL7.org
2011+.
FHIR
R5
hl7.fhir.core#5.0.0
R6
hl7.fhir.core#6.0.0-ballot3
generated
on
Sun,
Mar
26,
2023
15:22+1100.
Thu,
Nov
20,
2025
23:59+0000.
Links:
Search
|
Version
History
|
Contents
|
Glossary
|
QA
|
Compare
to
R4
|
Compare
to
R4B
R5
|
Compare
to
Last
Ballot
|
|
Propose
a
change