This is the Continuous Integration Build of FHIR (will be incorrect/inconsistent at times). See the Directory of published versions.
| Responsible Owner: Security Work Group | Standards Status: Informative | Compartments: No defined compartments |
ShEx statement for permission
```
PREFIX fhir: <http://hl7.org/fhir/>
PREFIX fhirvs: <http://hl7.org/fhir/ValueSet/>
PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>
PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>

# ShEx Version 2.2
IMPORT <Code.shex>
IMPORT <Group.shex>
IMPORT <Period.shex>
IMPORT <Coding.shex>
IMPORT <String.shex>
IMPORT <Device.shex>
IMPORT <Patient.shex>
IMPORT <CareTeam.shex>
IMPORT <DateTime.shex>
IMPORT <Resource.shex>
IMPORT <Reference.shex>
IMPORT <Identifier.shex>
IMPORT <Expression.shex>
IMPORT <Organization.shex>
IMPORT <Practitioner.shex>
IMPORT <RelatedPerson.shex>
IMPORT <DomainResource.shex>
IMPORT <BackboneElement.shex>
IMPORT <CodeableConcept.shex>
IMPORT <PractitionerRole.shex>
IMPORT <DeviceDefinition.shex>
IMPORT <HealthcareService.shex>

start=@<Permission> AND {fhir:nodeRole [fhir:treeRoot]}

# Access Rules
<Permission> EXTENDS @<DomainResource> CLOSED {
    a [fhir:Permission]?;
    fhir:nodeRole [fhir:treeRoot]?;
    fhir:identifier @<OneOrMore_Identifier>?;      # Business Identifier for permission
    fhir:status @<Code> AND
        {fhir:v @fhirvs:permission-status};        # active | entered-in-error | draft | rejected
    fhir:asserter @<Reference> AND {fhir:l
        @<CareTeam> OR
        @<HealthcareService> OR
        @<Organization> OR
        @<Patient> OR
        @<Practitioner> OR
        @<PractitionerRole> OR
        @<RelatedPerson> ? }?;                     # The person or entity that asserts the permission
    fhir:date @<OneOrMore_DateTime>?;              # The date that permission was asserted
    fhir:validity @<Period>?;                      # The period in which the permission is active
    fhir:justification @<Permission.justification>?;  # The asserted justification for using the data
    fhir:combining @<Code> AND
        {fhir:v @fhirvs:permission-rule-combining};  # deny-overrides | permit-overrides |
                                                   # ordered-deny-overrides | ordered-permit-overrides |
                                                   # deny-unless-permit | permit-unless-deny
    fhir:rule @<OneOrMore_Permission.rule>?;       # Constraints to the Permission
}

# What limits apply to the use of the data
<Permission.rule.limit> EXTENDS @<BackboneElement> CLOSED {
    fhir:control @<OneOrMore_CodeableConcept>?;    # What coded limits apply to the use of the data
    fhir:tag @<OneOrMore_Coding>?;                 # The sensitivity codes that must be removed from the data
    fhir:element @<OneOrMore_String>?;             # What data elements that must be removed from the data
}

# The selection criteria to identify data that is within scope of this provision
<Permission.rule.data> EXTENDS @<BackboneElement> CLOSED {
    fhir:resource @<OneOrMore_Permission.rule.data.resource>?;  # Explicit FHIR Resource references
    fhir:resourceType @<OneOrMore_Coding>?;        # e.g. Resource Type, Profile, etc
    fhir:security @<OneOrMore_Coding>?;            # Security tag code on .meta.security
    fhir:period @<Period>?;                        # Timeframe encompassing data create/update
    fhir:expression @<Expression>?;                # Expression identifying the data
}

# The asserted justification for using the data
<Permission.justification> EXTENDS @<BackboneElement> CLOSED {
    fhir:basis @<OneOrMore_CodeableConcept>?;      # The regulatory grounds upon which this Permission builds
    fhir:evidence @<OneOrMore_Reference_Resource>?;  # Justifying rationale
}

# Explicit FHIR Resource references
<Permission.rule.data.resource> EXTENDS @<BackboneElement> CLOSED {
    fhir:meaning @<Code> AND
        {fhir:v @fhirvs:consent-data-meaning};     # instance | related | dependents | authoredby
    fhir:reference @<Reference> AND {fhir:l
        @<Resource> ? };                           # The actual data reference
}

# Who|what is controlled by this rule
<Permission.rule.activity.actor> EXTENDS @<BackboneElement> CLOSED {
    fhir:role @<CodeableConcept>?;                 # How the actor is involved
    fhir:reference @<Reference> AND {fhir:l
        @<CareTeam> OR
        @<Device> OR
        @<DeviceDefinition> OR
        @<Group> OR
        @<HealthcareService> OR
        @<Organization> OR
        @<Patient> OR
        @<Practitioner> OR
        @<PractitionerRole> OR
        @<RelatedPerson> ? }?;                     # Authorized actor(s)
}

# A description or definition of which activities are allowed to be done on the data
<Permission.rule.activity> EXTENDS @<BackboneElement> CLOSED {
    fhir:actor @<OneOrMore_Permission.rule.activity.actor>?;  # Who|what is controlled by this rule
    fhir:action @<OneOrMore_CodeableConcept>?;     # Actions controlled by this rule
    fhir:purpose @<OneOrMore_CodeableConcept>?;    # The purpose for which the permission is given
}

# Constraints to the Permission
<Permission.rule> EXTENDS @<BackboneElement> CLOSED {
    fhir:import @<Reference> AND {fhir:l
        @<Permission> ? }?;                        # Reference to a Permission
    fhir:type @<Code> AND
        {fhir:v @fhirvs:consent-provision-type}?;  # deny | permit
    fhir:data @<OneOrMore_Permission.rule.data>?;  # The selection criteria to identify data that is
                                                   # within scope of this provision
    fhir:activity @<OneOrMore_Permission.rule.activity>?;  # A description or definition of which
                                                   # activities are allowed to be done on the data
    fhir:limit @<OneOrMore_Permission.rule.limit>?;  # What limits apply to the use of the data
}

#---------------------- Cardinality Types (OneOrMore) -------------------

<OneOrMore_Identifier> CLOSED {
    rdf:first @<Identifier> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Identifier>
}
<OneOrMore_DateTime> CLOSED {
    rdf:first @<DateTime> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_DateTime>
}
<OneOrMore_Permission.rule> CLOSED {
    rdf:first @<Permission.rule> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule>
}
<OneOrMore_CodeableConcept> CLOSED {
    rdf:first @<CodeableConcept> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_CodeableConcept>
}
<OneOrMore_Coding> CLOSED {
    rdf:first @<Coding> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Coding>
}
<OneOrMore_String> CLOSED {
    rdf:first @<String> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_String>
}
<OneOrMore_Permission.rule.data.resource> CLOSED {
    rdf:first @<Permission.rule.data.resource> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.data.resource>
}
<OneOrMore_Reference_Resource> CLOSED {
    rdf:first @<Reference> AND {fhir:l @<Resource> } ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Reference_Resource>
}
<OneOrMore_Permission.rule.activity.actor> CLOSED {
    rdf:first @<Permission.rule.activity.actor> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.activity.actor>
}
<OneOrMore_Permission.rule.data> CLOSED {
    rdf:first @<Permission.rule.data> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.data>
}
<OneOrMore_Permission.rule.activity> CLOSED {
    rdf:first @<Permission.rule.activity> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.activity>
}
<OneOrMore_Permission.rule.limit> CLOSED {
    rdf:first @<Permission.rule.limit> ;
    rdf:rest [rdf:nil] OR @<OneOrMore_Permission.rule.limit>
}

#---------------------- Value Sets ------------------------

# How a resource reference is interpreted when testing consent restrictions.
fhirvs:consent-data-meaning ["instance" "related" "dependents" "authoredby"]

# How a rule statement is applied, such as adding additional consent or removing consent.
fhirvs:consent-provision-type ["deny" "permit"]

# Codes identifying rule combining algorithm.
fhirvs:permission-rule-combining ["deny-overrides" "permit-overrides" "ordered-deny-overrides" "ordered-permit-overrides" "deny-unless-permit" "permit-unless-deny"]

# Codes identifying the lifecycle stage of a product.
fhirvs:permission-status ["active" "entered-in-error" "draft" "rejected"]
```
Usage note: every effort has been made to ensure that the ShEx files are correct and useful, but they are not a normative part of the specification.
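A schema like this is most useful as an input gate: a policy engine that silently ignores an unknown element or code can end up evaluating a Permission differently from what its author wrote. The following is an added example, not part of the FHIR specification or HL7 tooling, that applies the CLOSED element lists, required elements and value sets from the shapes above along the Permission, rule, data and data.resource path. The FHIR JSON input form, the inherited element names and the sample resource are assumptions.

```python
# Added example, not HL7 code: enforce the CLOSED element lists, required
# elements and value sets of the Permission shapes on FHIR JSON (assumed input).
STATUS = {"active", "entered-in-error", "draft", "rejected"}
COMBINING = {"deny-overrides", "permit-overrides", "ordered-deny-overrides",
             "ordered-permit-overrides", "deny-unless-permit", "permit-unless-deny"}
MEANING = {"instance", "related", "dependents", "authoredby"}
# Inherited element names are an assumption taken from the FHIR base types.
BACKBONE = {"id", "extension", "modifierExtension"}
DOMAIN = BACKBONE | {"resourceType", "meta", "implicitRules", "language", "text", "contained"}

# shape -> (own elements, inherited elements, {coded element: value set}, required)
SHAPES = {
    "Permission": ({"identifier", "status", "asserter", "date", "validity",
                    "justification", "combining", "rule"}, DOMAIN,
                   {"status": STATUS, "combining": COMBINING}, {"status", "combining"}),
    "rule": ({"import", "type", "data", "activity", "limit"}, BACKBONE,
             {"type": {"deny", "permit"}}, set()),
    "data": ({"resource", "resourceType", "security", "period", "expression"},
             BACKBONE, {}, set()),
    "resource": ({"meaning", "reference"}, BACKBONE,
                 {"meaning": MEANING}, {"meaning", "reference"}),
}
CHILDREN = {"Permission": ["rule"], "rule": ["data"], "data": ["resource"]}

def validate(node, shape="Permission", path="Permission"):
    """Return the list of schema violations in node and its nested rule/data/resource."""
    if not isinstance(node, dict):
        return [f"{path}: expected a JSON object"]
    own, inherited, coded, required = SHAPES[shape]
    errors = [f"{path}: unexpected element '{k}'"
              for k in sorted(node) if k not in (own | inherited)]
    errors += [f"{path}: missing required '{k}'" for k in sorted(required - set(node))]
    for name, allowed in coded.items():
        if name in node and not (isinstance(node[name], str) and node[name] in allowed):
            errors.append(f"{path}.{name}: {node[name]!r} not in value set")
    for child in CHILDREN.get(shape, []):
        items = node.get(child, [])
        if not isinstance(items, list):
            errors.append(f"{path}.{child}: expected a list")
            continue
        for i, item in enumerate(items):
            errors += validate(item, child, f"{path}.{child}[{i}]")
    return errors

# Constructed sample: wrong codes plus a stray "effect" a lenient parser would ignore.
BAD = {"resourceType": "Permission", "status": "enabled",
       "rule": [{"type": "allow", "effect": "permit",
                 "data": [{"resource": [{"meaning": "instance"}]}]}]}
```

Rejecting the resource on any returned violation, rather than evaluating what remains, keeps a mistyped `type` or `combining` from changing the access decision.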
FHIR ®© HL7.org 2011+. FHIR R6 hl7.fhir.core#6.0.0-ballot3 generated on Mon, Nov 10, 2025 15:23+0000.