DeviceCompartment

The DeviceCompartment validator restricts access to resources that belong to the authenticated device's FHIR Device compartment.

How it works

The FHIR Device compartment groups the resources that reference a given device, typically as their source or performer: for example, the Observation resources a lab instrument creates, or the DeviceMetric readings a monitoring device generates. The validator checks that the resource named in the request belongs to the compartment of the device that authenticated, and rejects the request otherwise.

Example configuration

application.yaml

    fire-arrow:
      authorization:
        validation-rules:
          - client-role: Device
            resource: Observation
            operation: create
            validator: DeviceCompartment

          - client-role: Device
            resource: Observation
            operation: read
            validator: DeviceCompartment

Real-world scenario

A laboratory blood analyzer authenticates using a device code flow and posts Observation resources containing test results. Using the DeviceCompartment validator, the device can read back its own observations but cannot access observations produced by other devices or entered by practitioners.
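The following is an added illustration of the compartment check described above; it is not fire-arrow's own code. It assumes the authenticated device's identity is available as a FHIR Device id (for example, taken from the token), and it hard-codes a small subset of the FHIR R4 Device compartment parameters (Observation via subject and device, DeviceMetric via source) where a real server would read the CompartmentDefinition. The sample resources are constructed for the example.

```python
"""Illustrative device-compartment authorization check (added example, not fire-arrow code).

Assumptions, not taken from the documentation page:
- the authenticated device's id (the <id> of "Device/<id>") comes from the token;
- compartment membership follows a hard-coded subset of the FHIR R4 Device compartment.
"""
from typing import Any

# Subset of the FHIR R4 Device compartment: resource type -> element names whose
# Reference must point at the device. Assumed here; a server would load CompartmentDefinition.
DEVICE_COMPARTMENT_PATHS: dict[str, tuple[str, ...]] = {
    "Observation": ("subject", "device"),
    "DeviceMetric": ("source",),
}


def _reference_targets(value: Any) -> list[str]:
    """Collect Reference.reference strings from a single Reference or a list of them."""
    if isinstance(value, list):
        return [r for item in value for r in _reference_targets(item)]
    if isinstance(value, dict) and isinstance(value.get("reference"), str):
        return [value["reference"]]
    return []


def _is_this_device(reference: str, device_id: str) -> bool:
    """Match 'Device/<id>' whether the reference is relative, absolute, or versioned.

    Anything that is not a Device reference (Patient/1, a urn:uuid, a contained '#id')
    does not match, so the default outcome is deny.
    """
    path = reference.split("?", 1)[0].rstrip("/")
    segments = path.split("/")
    # drop a trailing "_history/<vid>" so versioned references still match
    if len(segments) >= 4 and segments[-2] == "_history":
        segments = segments[:-2]
    return len(segments) >= 2 and segments[-2] == "Device" and segments[-1] == device_id


def in_device_compartment(resource: dict, device_id: str) -> bool:
    """True only if one of the resource's compartment elements references this device."""
    paths = DEVICE_COMPARTMENT_PATHS.get(resource.get("resourceType", ""))
    if not paths:
        return False  # resource type is not part of the Device compartment at all
    for path in paths:
        for ref in _reference_targets(resource.get(path)):
            if _is_this_device(ref, device_id):
                return True
    return False


def authorize(operation: str, client_role: str, resource: dict, device_id: str) -> str:
    """Decision for one request: 'allow' or 'deny'; any role other than Device is an error."""
    if client_role != "Device":
        raise ValueError(f"DeviceCompartment only supports the Device client role, got {client_role!r}")
    if operation not in ("create", "read"):
        return "deny"  # only the operations configured in the example rules are handled here
    # For create, the body must attribute the result to the posting device; for read,
    # the stored resource must belong to the device's compartment.
    return "allow" if in_device_compartment(resource, device_id) else "deny"


# Constructed sample resources (not from the page).
OWN_OBS = {
    "resourceType": "Observation", "status": "final", "code": {"text": "Hemoglobin"},
    "subject": {"reference": "Patient/42"},
    "device": {"reference": "Device/analyzer-7"},
}
OTHER_DEVICE_OBS = {
    "resourceType": "Observation", "status": "final", "code": {"text": "Glucose"},
    "subject": {"reference": "Patient/42"},
    "device": {"reference": "https://fhir.example.org/Device/analyzer-9"},
}
PRACTITIONER_OBS = {
    "resourceType": "Observation", "status": "final", "code": {"text": "Blood pressure"},
    "subject": {"reference": "Patient/42"},
    "performer": [{"reference": "Practitioner/p1"}],  # no device element at all
}

if __name__ == "__main__":
    for name, res in (("own", OWN_OBS), ("other device", OTHER_DEVICE_OBS), ("practitioner", PRACTITIONER_OBS)):
        print(f"analyzer-7 read {name} observation: {authorize('read', 'Device', res, 'analyzer-7')}")
```

Running the block shows the behaviour from the scenario: analyzer-7 is allowed to read its own observation and denied the one from analyzer-9 and the practitioner-entered one. Applying the same check to create is what stops a device from posting results attributed to a different device.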

Supported client roles

This validator only supports the Device client role. Using it with any other role will result in an error.

Note

Authentication of headless devices is supported for devices that use a device code flow in the configured authentication service.

Performance

The DeviceCompartment validator adds negligible overhead to request processing. Compartment membership is evaluated using FHIR's built-in compartment rules, which resolve in constant time. No additional database lookups are needed beyond the request itself.