Actions
Actions in ZapEHR are linked to specific resource types. Each action in a rule must be applicable to all resources in the rule. For example the action App:CreateUser can only be applied to the resource App:Application.
Concepts
Minimum Scope
"Minimum scope" refers to the narrowest scope at which an action can be applied to the resource it acts on. By enforcing minimum scope during access policy validation, ZapEHR helps to ensure that the access policies crafted by users form a logical pairing of actions and resources.
Wildcard ("*") Minimum Scope
Some actions may only be applied to the wildcard scope of the resource(s) they act on and are said to have a minimum scope of "*". To extend the previous example, the resource type for the action App:CreateUser must be App:Application:*; a user with a specific ID must already exist and therefore can't be "created" again. Actions that it would not make sense to take on a particular instance of a resource type — "List All", "Search", etc. — tend to come with this restriction as well.
Dependencies
Some actions can have no effect unless another action is granted in the same access policy over the same scope. Such actions are said to "depend" on a different action. For example, FHIR:History requires that the FHIR:Read action be granted over the same resource and scope. A user with a policy granting FHIR:History access over, say, the FHIR:Patient:* resource, but lacking FHIR:Read over FHIR:Patient:* will not be able to access the history data pertaining to any Patient resource; the omission of the prerequisite FHIR:Read permission effectively negates the granting of the dependent FHIR:History permission.
Action Library
| Service | Action | Resource Type | Description | Minimum Scope | Dependency |
|---|---|---|---|---|---|
| App | CreateApplication | Application | Grants permission to create a new application on the principal project | ||
| App | GetApplication | Application | Grants permission to view details of an application | ||
| App | UpdateApplication | Application | Grants permission to update the properties of an application | ||
| App | DeleteApplication | Application | Grants permission to delete an application from the principal project | ||
| App | ListAllApplications | Application | Grants permission to list all applications on the principal project | * | |
| App | CreateUser | User | Grants permission to create an invitation to join the principal project as a project user | * | |
| App | GetUser | User | Grants permission to view details of a project user within the principal project | ||
| App | ListAllUsers | User | Grants permission to list all project users within the principal project | * | |
| App | DeleteUser | User | Grants permission to delete a user from the project | ||
| App | UpdateUser | User | Grants permission to update a user in the project. | ||
| FHIR | Create | {FhirResource} | Grants permission to create new instances of FHIR resources | * | |
| FHIR | Read | {FhirResource} | Grants permission to view the properties of a FHIR resource | ||
| FHIR | Update | {FhirResource} | Grants permission to update the properties of a FHIR resource | ||
| FHIR | Delete | {FhirResource} | Grants permission to delete a FHIR resource | ||
| FHIR | History | {FhirResource} | Grants permission to read the history table for a FHIR resource | FHIR:Read | |
| FHIR | Search | {FhirResource} | Grants permission to search on a given fhir type | * | |
| FHIR | Export | Group | Grants permission to export resources which a members of a Group | * | |
| IAM | CreateM2MClient | M2MClient | Grants permission to create a new M2M user within the principal project | * | |
| IAM | GetM2MClient | M2MClient | Grants permission to view details of an M2M user | ||
| IAM | UpdateM2MClient | M2MClient | Grants permission to update an M2M user | ||
| IAM | DeleteM2MClient | M2MClient | Grants permission to delete an M2M user from the principal project | ||
| IAM | ListAllM2MClients | M2MClient | Grants permission to retrieve a list of M2M users within the principal project | * | |
| IAM | RotateM2MClientSecret | M2MClient | Grants permission to rotate the auth secret associated with an M2M user | ||
| IAM | InviteDeveloper | Developer | Grants permission to create an invitation to join the principal project as a developer user | ||
| IAM | UpdateDeveloper | Developer | Grants permission to update a developer in the project. | ||
| IAM | GetDeveloper | Developer | Grants permission to view details of a dev user within the principal project | ||
| IAM | ListAllDevelopers | Developer | Grants permission to list all users within the principal project | * | |
| IAM | RemoveDeveloper | Developer | Grants permission to remove a developer from the project. | ||
| IAM | ListAllRoles | Role | Grants permission to view the full list of role ids and names on a project | * | |
| IAM | GetRole | Role | Grants permission to read the full details of a role | ||
| IAM | CreateRole | Role | Grants permission to create a new role | * | |
| IAM | UpdateRole | Role | Grants permission to update a role | ||
| IAM | DeleteRole | Role | Grants permission to delete a role | ||
| Messaging | SendTransactionalSMS | TransactionalSMS | Grants permission to send Transactional SMS message | * | |
| Messaging | GetConversationToken | Conversation | Grants permission to get a Conversation Token used to interact with a Conversation using the chat channel | * | |
| Messaging | CreateConversation | Conversation | Grants permission to create a Conversation | * | |
| Messaging | ConversationAddParticipant | Conversation | Grants permission to add participants to a Conversation | ||
| Messaging | ConversationRemoveParticipant | Conversation | Grants permission to remove participants from a Conversation | ||
| Messaging | ConversationSendMessage | Conversation | Grants permission to send a message to a Conversation with the API. | * | |
| Project | GetProjectInfo | Settings | Grants permission to view details about the principal project | * | |
| Project | UpdateProjectInfo | Settings | Grants permission to update details of the principal project | * | |
| RCM | ValidateProfessionalClaim | Claim | Grants permission to validate a professional insurance claim | ||
| RCM | SubmitProfessionalClaim | Claim | Grants permission to submit a professional insurance claim | ||
| RCM | GetClaimResponse | Claim | Grants permission to request a response for a claim | ||
| RCM | CheckInsuranceEligibility | InsuranceEligibility | Grants permission to invoke the Check Eligibility endpoint | ||
| Telemed | GetRoomToken | Room | Grants permission to get a Room Token used to join a Telemed Video Call Room | * | |
| Telemed | CreateRoom | Room | Grants permission to create a Telemed Video Call Room | * | |
| Z3 | CreateBucket | Path | Grants permission to create Z3 bucket within the principal project | service-root | |
| Z3 | DeleteBucket | Path | Grants permission to delete Z3 bucket from the principal project | ||
| Z3 | ListBuckets | Path | Grants permission to list all Z3 buckets within the principal project | service-root | |
| Z3 | GetObject | Path | Grants permission to read Z3 object | ||
| Z3 | DeleteObject | Path | Grants permission to delete Z3 object | ||
| Z3 | PutObject | Path | Grants permission to create Z3 object | ||
| Z3 | ListObjects | Path | Grants permission to list Z3 objects within Z3 buckets | subfolder | |
| Zambda | CreateFunction | Function | Grants permission to create a new zambda function within the principal project | * | |
| Zambda | GetFunction | Function | Grants permission to view details about a zambda function | ||
| Zambda | UpdateFunction | Function | "Grants permission to update the code, configuration, or invocation method of a zambda function" | ||
| Zambda | DeleteFunction | Function | Grants permission to delete a zambda function from the principal project | ||
| Zambda | ListAllFunctions | Function | Grants permission to retrieve a list of zambda functions within the principal project with the version-specific configuration of each function | * | |
| Zambda | InvokeFunction | Function | Grants permission to invoke a zambda function | ||
| Zambda | ReadLogs | Function | Grants permission to view all log groups and logs for a zambda function | ||
| Zambda | CreateSecret | Secret | Grants permission to create a secret | * | |
| Zambda | ListAllSecrets | Secret | Grants permission to list all secrets | * | |
| Zambda | UpdateSecret | Secret | Grants permission to update a secret | ||
| Zambda | DeleteSecret | Secret | Grants permission to delete a secret | ||
| Zambda | GetSecret | Secret | Grants permission to read a secret |