
Identity Filters

Identity filters add an extra condition to an authorization rule based on properties of the client's identity resource. They let you create rules that apply only to a subset of users within a role.

How They Work

An identity filter is an optional FHIRPath expression attached to a rule. Before Fire Arrow evaluates the rule's validator, it evaluates the identity filter against the client's resolved FHIR resource. If the expression returns false (or an empty result), the rule is skipped entirely and Fire Arrow moves on to the next matching rule.

Configuration

Add the identity-filter property to any authorization rule:

fire-arrow:
  authorization:
    rules:
      - client-role: Practitioner
        resource: Patient
        operation: read
        validator: Allowed
        identity-filter: "name.family = 'Admin'"

This rule grants Allowed access to Patient reads, but only for practitioners whose family name is "Admin". All other practitioners skip this rule.

Practical Examples

Restrict by Email Domain

Allow full access for practitioners with an admin email domain, and compartment-only access for everyone else:

fire-arrow:
  authorization:
    rules:
      # Admin practitioners: full access
      - client-role: Practitioner
        resource: Patient
        operation: read
        validator: Allowed
        identity-filter: "telecom.where(system = 'email').value.contains('@admin.hospital.org')"

      # All other practitioners: compartment access only
      - client-role: Practitioner
        resource: Patient
        operation: read
        validator: PractitionerCompartment

Restrict by Qualification

Only allow practitioners with a specific qualification to manage MedicationRequest resources:

fire-arrow:
  authorization:
    rules:
      - client-role: Practitioner
        resource: MedicationRequest
        operation: create
        validator: Allowed
        identity-filter: "qualification.code.coding.where(system = 'http://terminology.hl7.org/CodeSystem/v2-0360' and code = 'MD').exists()"

Restrict by Organization

Grant access only to practitioners belonging to a specific organization:

fire-arrow:
  authorization:
    rules:
      - client-role: Practitioner
        resource: Patient
        operation: search
        validator: Allowed
        identity-filter: "meta.tag.where(system = 'http://example.org/org' and code = 'org-123').exists()"

Layered Access with Identity Filters

You can define multiple rules for the same role, resource, and operation, each with a different identity filter. Fire Arrow evaluates the rules in order and uses the first one whose identity filter passes (or that has no identity filter at all):

fire-arrow:
  authorization:
    rules:
      # Supervisors get full access
      - client-role: Practitioner
        resource: Observation
        operation: search
        validator: Allowed
        identity-filter: "meta.tag.where(system = 'http://example.org/role' and code = 'supervisor').exists()"

      # Trainees get read-only access within their team
      - client-role: Practitioner
        resource: Observation
        operation: search
        validator:
          type: CareTeam
          max-recursion-depth: 1
        identity-filter: "meta.tag.where(system = 'http://example.org/role' and code = 'trainee').exists()"

      # All remaining practitioners get compartment access (catch-all, so it comes last)
      - client-role: Practitioner
        resource: Observation
        operation: search
        validator: PractitionerCompartment
Tip: A rule without an identity-filter acts as a catch-all for that role/resource/operation combination. Place it after the more specific filtered rules so that the specific rules are evaluated first; a catch-all placed earlier would match every identity and the filtered rules after it would never be reached.
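To make the first-match semantics described above concrete, here is an added example that is not Fire Arrow's own code: a small Python model of ordered rules with identity filters. It assumes the client's identity is a resolved FHIR resource represented as a dict, and it hand-translates the FHIRPath expressions from this page into Python predicates (the names `has_tag`, `email_contains`, `email_ends_with`, `select_rule` and `practitioner` are the example's own). It shows how a catch-all placed before a filtered rule shadows it, and that the `contains()` test used in the email-domain example is a substring match, whereas FHIRPath's `endsWith()` anchors the domain to the end of the address.

```python
"""Model of Fire Arrow's ordered rule selection with identity filters.

Added example, not Fire Arrow's code. Assumptions:
  * the identity is a resolved FHIR resource, represented as a dict;
  * FHIRPath identity filters are hand-translated into Python predicates;
  * the first rule whose filter passes (or that has no filter) wins.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

Resource = dict
IdentityFilter = Callable[[Resource], bool]


@dataclass(frozen=True)
class Rule:
    client_role: str
    resource: str
    operation: str
    validator: str
    identity_filter: Optional[IdentityFilter] = None  # None = catch-all


def select_rule(rules: List[Rule], role: str, resource_type: str,
                operation: str, identity: Resource) -> Optional[Rule]:
    """Return the first rule matching (role, resource, operation) whose identity
    filter passes or is absent. A rule whose filter returns False is skipped and
    evaluation continues with the next rule; None means no rule matched."""
    for rule in rules:
        if (rule.client_role, rule.resource, rule.operation) != (role, resource_type, operation):
            continue
        if rule.identity_filter is None or rule.identity_filter(identity):
            return rule
    return None


# ---- Python stand-ins for the page's FHIRPath expressions (hand-translated) ----
def has_tag(system: str, code: str) -> IdentityFilter:
    """meta.tag.where(system = <system> and code = <code>).exists()"""
    return lambda r: any(
        t.get("system") == system and t.get("code") == code
        for t in r.get("meta", {}).get("tag", [])
    )


def _emails(r: Resource) -> List[str]:
    return [t.get("value", "") for t in r.get("telecom", []) if t.get("system") == "email"]


def email_contains(fragment: str) -> IdentityFilter:
    """telecom.where(system = 'email').value.contains(<fragment>): substring test."""
    return lambda r: any(fragment in v for v in _emails(r))


def email_ends_with(suffix: str) -> IdentityFilter:
    """telecom.where(system = 'email').value.endsWith(<suffix>): suffix test."""
    return lambda r: any(v.endswith(suffix) for v in _emails(r))


ROLE_SYSTEM = "http://example.org/role"

# Catch-all placed BEFORE a filtered rule: the trainee rule can never be reached.
SHADOWED_RULES = [
    Rule("Practitioner", "Observation", "search", "Allowed", has_tag(ROLE_SYSTEM, "supervisor")),
    Rule("Practitioner", "Observation", "search", "PractitionerCompartment"),
    Rule("Practitioner", "Observation", "search", "CareTeam", has_tag(ROLE_SYSTEM, "trainee")),
]

# Catch-all LAST, as the tip recommends: every filtered rule is tried first.
ORDERED_RULES = [
    Rule("Practitioner", "Observation", "search", "Allowed", has_tag(ROLE_SYSTEM, "supervisor")),
    Rule("Practitioner", "Observation", "search", "CareTeam", has_tag(ROLE_SYSTEM, "trainee")),
    Rule("Practitioner", "Observation", "search", "PractitionerCompartment"),
]


def practitioner(role_code: Optional[str] = None, email: Optional[str] = None) -> Resource:
    """Build a constructed Practitioner resource for the demo (sample data)."""
    r: Resource = {"resourceType": "Practitioner"}
    if role_code:
        r["meta"] = {"tag": [{"system": ROLE_SYSTEM, "code": role_code}]}
    if email:
        r["telecom"] = [{"system": "email", "value": email}]
    return r


def chosen_validator(rules: List[Rule], identity: Resource) -> Optional[str]:
    """Name of the validator Fire Arrow would apply to an Observation search."""
    rule = select_rule(rules, "Practitioner", "Observation", "search", identity)
    return rule.validator if rule else None


if __name__ == "__main__":
    trainee = practitioner(role_code="trainee")
    print("catch-all first  ->", chosen_validator(SHADOWED_RULES, trainee))  # PractitionerCompartment
    print("catch-all last   ->", chosen_validator(ORDERED_RULES, trainee))   # CareTeam
    lookalike = practitioner(email="dr@admin.hospital.org.example")  # constructed address
    print("contains() match ->", email_contains("@admin.hospital.org")(lookalike))  # True
    print("endsWith() match ->", email_ends_with("@admin.hospital.org")(lookalike))  # False
```

Running the module shows the two effects side by side: with the catch-all in second position the trainee falls through to `PractitionerCompartment`, while with the catch-all last the `CareTeam` validator is selected; and an address whose domain merely starts with `admin.hospital.org` passes the `contains()` form but not the `endsWith()` form, which is why a suffix test is the safer way to express a domain restriction.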