FHIR Server responds with status 403 - Reason?

Question

Question

Sebastian Thiele · Dec 13, 2023

#FHIR #Security #InterSystems IRIS for Health

Hi community,

I´ve setup a local FHIR server via the framework functionality und set a service config name for the created endpoint since I plan to use a production based FHIR server. I´ve created an additional ressource "FhirClientRessource" and role "FhirClientRole" as well as a user named "FhirClient". The Role resource "FhirClientRessource" ist set as "required resource" in the FHIR server configuration page. The user "FhirClient" is member of the Role "FhirClientRole" which in turn holds RWU priveliges on the "FhirClientRessources".

The user itself does not have the %All Permission. The web app of the endpoint is set to password access and required ressource is "FhirClientRessource".

Now wehn querying the FHIR server (simple GET on a entity e.g. Practitioner) the request in fact gets routet to my FHIR Server Interop Operation in my production but the response indicates a status 403 (forbidden) for this. Audit Protocoll shows nothing special about the login (wich is successfull) of user "FhirClient".

Can anyone tell wichadditional ressources should be assigned to "FhirClientRole" to allow for use of the endpoint by users of this role?

My goal is to allow usage of the local FHIR server only for users which hold certain priveliges - in my case users of role "FhirClientRole".

Best regards,
Sebastian

Product version: IRIS 2022.1

$ZV: IRIS for Windows (x86-64) 2022.1.3 (Build 670_1U) Tue Jul 18 2023 14:29:49 EDT [Health:3.5.0-1.m1]

Discussion (4)3

Log in or sign up to continue

score 0 · Answer 1 · 2023-12-13T17:52:02-05:00

My guess is that the user does not have enough privilege (role/resource permissions) to access your FHIR server, maybe the database resource?

If so, you have two options:

1) add to the user the required role(s) with proper access to the required resource(s)
2) add to the Web Application the required role(s) with proper access to the required resource(s)

Personally I would prefer option 2.
Just for testing, try to temporary %All role to the Web Application and see if it works.

Enrico

score 0 · Answer 2 · 2023-12-14T02:46:45-05:00

When assigning %All to the user "FhirClient" the Fhir Server does not respond with status 403. Revoking %All from the user shows the old behaviour. Since the WebApplication was created from creating the FHIR server I thought at least the required permissions would be set sufficiently.

I´ll post some screens for this today.

score 0 · Answer 3 · 2023-12-14T03:03:53-05:00

Permissions must not be assigned automatically to the users when you create the FHIR server, it doesn't make sense to allow any user to access and modify the data from the server. You can create an specific role for FHIR access and assign it to the specific users.

score 0 · Answer 4 · 2023-12-14T08:00:33-05:00

Personally I usually prefer to assign permissions to Web Applications and assign to the users only the role necessary to use the application.

Often I don't need/want the user itself to have direct access to resources (i.e. database, tables//classes etc.), what I want is the ability for the user to access/use the Web Application (the FHIR server in this case), then the application itself has the required privilege.

In short, I don't what the user to be authorized to mess with the "internal" stuff...just use the application.

Of course this is a matter of preferences and use case scenario.

Enrico