HL7 FHIR Implementation Guide: Data Access Policies
1.0.0-current - International

HL7 FHIR Implementation Guide: Data Access Policies, published by HL7 International / Security. This guide is not an authorized publication; it is the continuous build for version 1.0.0-current built by the FHIR (HL7® FHIR® Standard) CI Build. This version is based on the current content of https://github.com/HL7/data-access-policies/ and changes regularly. See the Directory of published versions.

Permission Rule Combining

Page standards status: Trial-use Maturity Level: 0


<CodeSystem xmlns="http://hl7.org/fhir">
  <id value="permission-rule-combining"/>
  <meta>
    <lastUpdated value="2022-08-05T10:01:24.148+11:00"/>
    <profile
             value="http://hl7.org/fhir/StructureDefinition/shareablecodesystem"/>
  </meta>
  <language value="en"/>
  <text>
    <status value="generated"/>
    <div xmlns="http://www.w3.org/1999/xhtml"><p class="res-header-id"><b>Generated Narrative: CodeSystem permission-rule-combining</b></p><a name="permission-rule-combining"> </a><a name="hcpermission-rule-combining"> </a><div style="display: inline-block; background-color: #d9e0e7; padding: 6px; margin: 4px; border: 1px solid #8da1b4; border-radius: 5px; line-height: 60%"><p style="margin-bottom: 0px">Last updated: 2022-08-05 10:01:24+1100</p><p style="margin-bottom: 0px">Profile: <a href="http://hl7.org/fhir/R5/shareablecodesystem.html">Shareable CodeSystem</a></p></div><p>This case-sensitive code system <code>http://hl7.org/fhir/permission-rule-combining</code> defines the following codes:</p><table class="codes"><tr><td style="white-space:nowrap"><b>Code</b></td><td><b>Display</b></td><td><b>Definition</b></td></tr><tr><td style="white-space:nowrap">deny-overrides<a name="permission-rule-combining-deny-overrides"> </a></td><td>Deny-overrides</td><td>The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.</td></tr><tr><td style="white-space:nowrap">permit-overrides<a name="permission-rule-combining-permit-overrides"> </a></td><td>Permit-overrides</td><td>The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.</td></tr><tr><td style="white-space:nowrap">ordered-deny-overrides<a name="permission-rule-combining-ordered-deny-overrides"> </a></td><td>Ordered-deny-overrides</td><td>The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception.  
The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td></tr><tr><td style="white-space:nowrap">ordered-permit-overrides<a name="permission-rule-combining-ordered-permit-overrides"> </a></td><td>Ordered-permit-overrides</td><td>The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td></tr><tr><td style="white-space:nowrap">deny-unless-permit<a name="permission-rule-combining-deny-unless-permit"> </a></td><td>Deny-unless-permit</td><td>The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.</td></tr><tr><td style="white-space:nowrap">permit-unless-deny<a name="permission-rule-combining-permit-unless-deny"> </a></td><td>Permit-unless-deny</td><td>The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.</td></tr></table></div>
  </text>
  <extension
             url="http://hl7.org/fhir/StructureDefinition/structuredefinition-wg">
    <valueCode value="sec"/>
  </extension>
  <extension
             url="http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status">
    <valueCode value="trial-use"/>
  </extension>
  <extension
             url="http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm">
    <valueInteger value="0"/>
  </extension>
  <url value="http://hl7.org/fhir/permission-rule-combining"/>
  <identifier>
    <system value="urn:ietf:rfc:3986"/>
    <value value="urn:oid:2.16.840.1.113883.4.642.4.2070"/>
  </identifier>
  <version value="1.0.0-current"/>
  <name value="PermissionRuleCombining"/>
  <title value="Permission Rule Combining"/>
  <status value="active"/>
  <experimental value="false"/>
  <date value="2022-08-05T10:01:24+11:00"/>
  <publisher value="HL7 International / Security"/>
  <contact>
    <name value="HL7 International / Security"/>
    <telecom>
      <system value="url"/>
      <value value="http://www.hl7.org/Special/committees/secure"/>
    </telecom>
    <telecom>
      <system value="email"/>
      <value value="security-cc@lists.hl7.org"/>
    </telecom>
  </contact>
  <contact>
    <name value="John Moehrke"/>
    <telecom>
      <system value="email"/>
      <value value="johnmoehrke@gmail.com"/>
      <use value="work"/>
    </telecom>
  </contact>
  <contact>
    <name value="HL7 Security Work Group"/>
    <telecom>
      <system value="url"/>
      <value value="http://www.hl7.org/Special/committees/secure/index.cfm"/>
    </telecom>
  </contact>
  <description
               value="Codes identifying the rule combining. See XACML Combining algorithms  http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html"/>
  <jurisdiction>
    <coding>
      <system value="http://unstats.un.org/unsd/methods/m49/m49.htm"/>
      <code value="001"/>
    </coding>
  </jurisdiction>
  <caseSensitive value="true"/>
  <content value="complete"/>
  <concept>
    <code value="deny-overrides"/>
    <display value="Deny-overrides"/>
    <definition
                value="The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision."/>
  </concept>
  <concept>
    <code value="permit-overrides"/>
    <display value="Permit-overrides"/>
    <definition
                value="The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision."/>
  </concept>
  <concept>
    <code value="ordered-deny-overrides"/>
    <display value="Ordered-deny-overrides"/>
    <definition
                value="The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission."/>
  </concept>
  <concept>
    <code value="ordered-permit-overrides"/>
    <display value="Ordered-permit-overrides"/>
    <definition
                value="The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission."/>
  </concept>
  <concept>
    <code value="deny-unless-permit"/>
    <display value="Deny-unless-permit"/>
    <definition
                value="The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result."/>
  </concept>
  <concept>
    <code value="permit-unless-deny"/>
    <display value="Permit-unless-deny"/>
    <definition
                value="The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior."/>
  </concept>
</CodeSystem>