Permission Rule Combining

active

ContentcompleteURL

http://hl7.org/fhir/permission-rule-combining

Version

5.0.0

Date2022-08-05T10:01:24+11:00PublisherHL7 (FHIR Project)Description

Codes identifying the rule combining. See XACML Combining algorithms http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html

Concepts

Select a concept to view details

This code system http://hl7.org/fhir/permission-rule-combining defines the following codes:

Code	Display	Definition
deny-overrides	Deny-overrides	The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.
permit-overrides	Permit-overrides	The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.
ordered-deny-overrides	Ordered-deny-overrides	The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.
ordered-permit-overrides	Ordered-permit-overrides	The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception. The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.
deny-unless-permit	Deny-unless-permit	The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.
permit-unless-deny	Permit-unless-deny	The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.

{
  "description" : "Codes identifying the rule combining. See XACML Combining algorithms  http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-cos01-en.html",
  "date" : "2022-08-05T10:01:24+11:00",
  "meta" : {
    "lastUpdated" : "2023-03-26T15:21:02.749+11:00",
    "profile" : [ "http://hl7.org/fhir/StructureDefinition/shareablecodesystem" ]
  },
  "publisher" : "HL7 (FHIR Project)",
  "jurisdiction" : [ {
    "coding" : [ {
      "system" : "http://unstats.un.org/unsd/methods/m49/m49.htm",
      "code" : "001",
      "display" : "World"
    } ]
  } ],
  "content" : "complete",
  "property" : null,
  "name" : "PermissionRuleCombining",
  "experimental" : false,
  "resourceType" : "CodeSystem",
  "title" : "Permission Rule Combining",
  "extension" : [ {
    "valueCode" : "sec",
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-wg"
  }, {
    "valueCode" : "trial-use",
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-standards-status"
  }, {
    "url" : "http://hl7.org/fhir/StructureDefinition/structuredefinition-fmm",
    "valueInteger" : 0
  }, {
    "extension" : [ {
      "valueString" : "concept",
      "url" : "path"
    }, {
      "url" : "count",
      "valueInteger" : 6
    } ],
    "url" : "http://health-samurai.io/extensions/excised-data"
  }, {
    "url" : "http://health-samurai.io/extensions/source",
    "valueCode" : "db"
  } ],
  "status" : "active",
  "id" : "permission-rule-combining",
  "url" : "http://hl7.org/fhir/permission-rule-combining",
  "identifier" : [ {
    "system" : "urn:ietf:rfc:3986",
    "value" : "urn:oid:2.16.840.1.113883.4.642.4.2070"
  } ],
  "caseSensitive" : true,
  "version" : "5.0.0",
  "contact" : [ {
    "telecom" : [ {
      "system" : "url",
      "value" : "http://hl7.org/fhir"
    }, {
      "system" : "email",
      "value" : "fhir@lists.hl7.org"
    } ]
  } ],
  "text" : {
    "div" : "<div xmlns=\"http://www.w3.org/1999/xhtml\">\n            <p>This code system \n              <code>http://hl7.org/fhir/permission-rule-combining</code> defines the following codes:\n            </p>\n            <table class=\"codes\">\n              <tr>\n                <td style=\"white-space:nowrap\">\n                  <b>Code</b>\n                </td>\n                <td>\n                  <b>Display</b>\n                </td>\n                <td>\n                  <b>Definition</b>\n                </td>\n              </tr>\n              <tr>\n                <td style=\"white-space:nowrap\">deny-overrides\n                  <a name=\"permission-rule-combining-deny-overrides\"> </a>\n                </td>\n                <td>Deny-overrides</td>\n                <td>The deny overrides combining algorithm is intended for those cases where a deny decision should have priority over a permit decision.</td>\n              </tr>\n              <tr>\n                <td style=\"white-space:nowrap\">permit-overrides\n                  <a name=\"permission-rule-combining-permit-overrides\"> </a>\n                </td>\n                <td>Permit-overrides</td>\n                <td>The permit overrides combining algorithm is intended for those cases where a permit decision should have priority over a deny decision.</td>\n              </tr>\n              <tr>\n                <td style=\"white-space:nowrap\">ordered-deny-overrides\n                  <a name=\"permission-rule-combining-ordered-deny-overrides\"> </a>\n                </td>\n                <td>Ordered-deny-overrides</td>\n                <td>The behavior of this algorithm is identical to that of the “Deny-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td>\n              </tr>\n              <tr>\n                <td style=\"white-space:nowrap\">ordered-permit-overrides\n                  <a name=\"permission-rule-combining-ordered-permit-overrides\"> </a>\n                </td>\n                <td>Ordered-permit-overrides</td>\n                <td>The behavior of this algorithm is identical to that of the “Permit-overrides” rule-combining algorithm with one exception.  The order in which the collection of rules is evaluated SHALL match the order as listed in the permission.</td>\n              </tr>\n              <tr>\n                <td style=\"white-space:nowrap\">deny-unless-permit\n                  <a name=\"permission-rule-combining-deny-unless-permit\"> </a>\n                </td>\n                <td>Deny-unless-permit</td>\n                <td>The “Deny-unless-permit” combining algorithm is intended for those cases where a permit decision should have priority over a deny decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result.</td>\n              </tr>\n              <tr>\n                <td style=\"white-space:nowrap\">permit-unless-deny\n                  <a name=\"permission-rule-combining-permit-unless-deny\"> </a>\n                </td>\n                <td>Permit-unless-deny</td>\n                <td>The “Permit-unless-deny” combining algorithm is intended for those cases where a deny decision should have priority over a permit decision, and an “Indeterminate” or “NotApplicable” must never be the result. It is particularly useful at the top level in a policy structure to ensure that a PDP will always return a definite “Permit” or “Deny” result. This algorithm has the following behavior.</td>\n              </tr>\n            </table>\n          </div>",
    "status" : "generated"
  }
}