Permission Rule Combining - HL7 FHIR Implementation Guide: Data Access Policies v1.0.0-current

HL7 FHIR Implementation Guide: Data Access Policies
1.0.0-current - International flag

HL7 FHIR Implementation Guide: Data Access Policies, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 1.0.0-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/data-access-policies/ and changes regularly. See the Directory of published versions

CodeSystem: Permission Rule Combining

Official URL: http://hl7.org/fhir/permission-rule-combining		Version: 1.0.0-current
Standards status: Trial-use Active as of 2022-08-05	Maturity Level: 0	Computable Name: PermissionRuleCombining
Other Identifiers: OID:2.16.840.1.113883.4.642.4.2070

Codes identifying the rule combining. See XACML Combining algorithms http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html

This Code system is referenced in the definition of the following value sets:

PermissionRuleCombiningVS

Last updated: 2022-08-05 10:01:24+1100

Profile: Shareable CodeSystem

This case-sensitive code system http://hl7.org/fhir/permission-rule-combining defines the following codes:

Code	Display	Definition
deny-overrides	Deny-overrides	The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.
permit-overrides	Permit-overrides	The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.
ordered-deny-overrides	Ordered-deny-overrides	The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.
ordered-permit-overrides	Ordered-permit-overrides	The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.
deny-unless-permit	Deny-unless-permit	The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.
permit-unless-deny	Permit-unless-deny	The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.

Description of the above table(s).

< prev

top

next >

IG © 2023+ HL7 International / Security. Package hl7.fhir.uv.dap#1.0.0-current based on FHIR 6.0.0-ballot3. Generated 2025-11-07
Links: Table of Contents | QA Report | Version History | | Propose a change