Validators

Validators are the core of Fire Arrow's authorization system. When a rule matches a request, the rule's validator decides whether access is actually granted. Each validator implements a different access control strategy.

Simple Validators

Allowed

Grants access unconditionally. Use for resources that should be accessible to anyone with the matching role.

- client-role: Practitioner
  resource: CodeSystem
  operation: read
  validator: Allowed

Forbidden

Denies access unconditionally. Primarily used as the default-validator to ensure that anything not explicitly permitted is denied:

fire-arrow:
  authorization:
    default-validator: Forbidden

Compartment Validators

Compartment validators restrict access based on the FHIR compartment relationship between the client's identity resource and the target resource.

PatientCompartment

Grants access only if the target resource is in the patient compartment of the authenticated Patient. For example, a Patient can read an Observation only if that Observation references them as the subject.

- client-role: Patient
  resource: Observation
  operation: read
  validator: PatientCompartment

- client-role: Patient
  resource: Condition
  operation: search
  validator: PatientCompartment

PractitionerCompartment

Grants access only if the target resource is in the practitioner compartment of the authenticated Practitioner. This typically means the Practitioner is referenced as the performer, author, or responsible party.

- client-role: Practitioner
  resource: Encounter
  operation: read
  validator: PractitionerCompartment

- client-role: Practitioner
  resource: DiagnosticReport
  operation: search
  validator: PractitionerCompartment

RelatedPersonCompartment

Grants access only if the target resource is in the compartment of the authenticated RelatedPerson.

- client-role: RelatedPerson
  resource: Patient
  operation: read
  validator: RelatedPersonCompartment

DeviceCompartment

Grants access only if the target resource is in the compartment of the authenticated Device.

- client-role: Device
  resource: Observation
  operation: create
  validator: DeviceCompartment

Organization-Based Validators

OrganizationCompartment

Grants access if the target resource belongs to the same organization as the client's identity resource. Fire Arrow checks the managingOrganization or organization reference on both the client's identity and the target resource.

- client-role: Practitioner
  resource: Patient
  operation: search
  validator: OrganizationCompartment

GeneralPractitioner

Grants access if the authenticated Practitioner is listed as the generalPractitioner on the target Patient resource. This is useful for primary care scenarios where each patient has an assigned GP.

- client-role: Practitioner
  resource: Patient
  operation: read
  validator: GeneralPractitioner

- client-role: Practitioner
  resource: Patient
  operation: search
  validator: GeneralPractitioner

Advanced Validators

LegitimateInterest

Grants access based on organizational hierarchy. A practitioner has a legitimate interest in a resource if their organization is the same as, or a parent of, the organization that owns the resource.

The role-inheritance-levels parameter controls how many levels up the organization hierarchy to traverse:

- client-role: Practitioner
  resource: Patient
  operation: read
  validator:
    type: LegitimateInterest
    role-inheritance-levels: 2

With role-inheritance-levels: 2, a practitioner in a department gains access to resources owned by that department, its parent organization, and one level above that. Set to 0 to restrict to the exact organization only.

This is particularly useful in multi-tenant deployments with hierarchical organization structures (e.g., hospital -> department -> ward).

CareTeam

Grants access based on CareTeam membership. If the authenticated user is a member of a CareTeam that references the target resource's subject, access is granted.

- client-role: Practitioner
  resource: Observation
  operation: read
  validator:
    type: CareTeam
    max-recursion-depth: 3

The max-recursion-depth parameter controls how deeply Fire Arrow follows CareTeam references. CareTeams can reference other CareTeams, forming a chain. A depth of 3 means Fire Arrow follows up to three levels of CareTeam-to-CareTeam references when checking membership.

- client-role: Practitioner
  resource: CarePlan
  operation: search
  validator:
    type: CareTeam
    max-recursion-depth: 1

- client-role: Practitioner
  resource: Patient
  operation: read
  validator:
    type: CareTeam
    max-recursion-depth: 2

Server-exclusive

The CareTeam validator is available only in Fire Arrow Server. It is not available in Fire Arrow Core.

Choosing a Validator

Scenario	Recommended Validator
Patients accessing their own data	`PatientCompartment`
Practitioners accessing their assigned work	`PractitionerCompartment`
Any role accessing public/reference data (CodeSystem, ValueSet)	`Allowed`
Organization-scoped access	`OrganizationCompartment`
Primary care GP-patient relationship	`GeneralPractitioner`
Multi-tenant with org hierarchies	`LegitimateInterest`
Care coordination across teams	`CareTeam`
Deny everything else	`Forbidden` (as default-validator)

Simple Validators​

Allowed​

Forbidden​

Compartment Validators​

PatientCompartment​

PractitionerCompartment​

RelatedPersonCompartment​

DeviceCompartment​

Organization-Based Validators​

OrganizationCompartment​

GeneralPractitioner​

Advanced Validators​

LegitimateInterest​

CareTeam​

Choosing a Validator​