Dec 13, 2023

FHIR Server responds with status 403 - Reason?

Hi community,

I've set up a local FHIR server via the framework functionality and set a service config name for the created endpoint, since I plan to use a production-based FHIR server. I've created an additional resource "FhirClientRessource" and a role "FhirClientRole", as well as a user named "FhirClient". The Role resource "FhirClientRessource" is set as "required resource" in the FHIR server configuration page. The user "FhirClient" is a member of the role "FhirClientRole", which in turn holds RWU privileges on "FhirClientRessource".

The user itself does not have the %All permission. The web app of the endpoint is set to password access and the required resource is "FhirClientRessource".

Now, when querying the FHIR server (a simple GET on an entity, e.g. Practitioner), the request does in fact get routed to my FHIR Server Interop Operation in my production, but the response indicates status 403 (Forbidden). The audit log shows nothing special about the login (which is successful) of user "FhirClient".

Can anyone tell me which additional resources should be assigned to "FhirClientRole" to allow users of this role to use the endpoint?

My goal is to allow usage of the local FHIR server only for users who hold certain privileges, in my case users of the role "FhirClientRole".

Best regards,

Product version: IRIS 2022.1
$ZV: IRIS for Windows (x86-64) 2022.1.3 (Build 670_1U) Tue Jul 18 2023 14:29:49 EDT [Health:3.5.0-1.m1]

My guess is that the user does not have enough privilege (role/resource permissions) to access your FHIR server, maybe the database resource?

If so, you have two options:

1) add to the user the required role(s) with proper access to the required resource(s)
2) add to the Web Application the required role(s) with proper access to the required resource(s)

Personally I would prefer option 2.
Just for testing, try temporarily assigning the %All role to the Web Application and see if it works.
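The two options above, wired up in ObjectScript as an added example (this is not code from the thread, from the asker's instance or from InterSystems). It uses only the documented %SYS security APIs (Security.Resources, Security.Roles, Security.Users, Security.Applications) and $SYSTEM.Security.Check. The resource, role and user names are the ones from the question; the web application path /csp/healthshare/fhirns/fhir/r4, the database resource role %DB_FHIRNS and the password placeholder are assumptions for the illustration and must be replaced with the real values. Compile and run the class in the %SYS namespace.

```objectscript
/// Added example (not from the original thread). Compile and run in %SYS.
/// Assumed values: the web application path, the %DB_FHIRNS database role
/// and the password placeholder; replace them with your own.
Class Demo.FhirAccessSetup
{

/// Option 2 from the answer: keep the user on the narrow FhirClientRole only,
/// and let the web application itself carry the privileges the endpoint needs.
ClassMethod Configure() As %Status
{
    Set sc = $$$OK

    // 1. A custom resource that gates access to the endpoint.
    If '##class(Security.Resources).Exists("FhirClientRessource") {
        Set sc = ##class(Security.Resources).Create("FhirClientRessource", "FHIR client gate", "")
        Quit:$$$ISERR(sc) sc
    }
    // 2. A role holding only RWU on that resource (no database resources).
    If '##class(Security.Roles).Exists("FhirClientRole") {
        Set sc = ##class(Security.Roles).Create("FhirClientRole", "FHIR clients", "FhirClientRessource:RWU")
        Quit:$$$ISERR(sc) sc
    }
    // 3. The client user is a member of that role and nothing else.
    //    "<password>" is a placeholder, not a real value.
    If '##class(Security.Users).Exists("FhirClient") {
        Set sc = ##class(Security.Users).Create("FhirClient", "FhirClientRole", "<password>", "FHIR client")
        Quit:$$$ISERR(sc) sc
    }
    // 4. The web application requires the custom resource and, via application
    //    roles, grants itself the database role the FHIR code runs against.
    //    Application roles are stored in MatchRoles with an empty target role
    //    (":Role" = granted to every authenticated user of this application).
    //    Note: assigning MatchRoles replaces the existing list.
    Set app = "/csp/healthshare/fhirns/fhir/r4"   // assumed endpoint path
    Set sc = ##class(Security.Applications).Get(app, .props)
    Quit:$$$ISERR(sc) sc
    Set props("Resource") = "FhirClientRessource"
    Set props("MatchRoles") = ":%DB_FHIRNS"        // assumed database resource role
    Quit ##class(Security.Applications).Modify(app, .props)
}

/// Diagnostic for the 403: from a terminal session logged in as the affected
/// user, report which of the candidate resource:permission pairs the current
/// user actually holds. The default list is an assumption; add the databases
/// your FHIR namespace maps to.
ClassMethod ReportChecks(resources As %String = "FhirClientRessource:U,%DB_FHIRNS:R,%DB_HSLIB:R")
{
    For i = 1:1:$Length(resources, ",") {
        Set item = $Piece(resources, ",", i)
        Set name = $Piece(item, ":", 1), perm = $Piece(item, ":", 2)
        Write name, " ", perm, ": ", $Select($SYSTEM.Security.Check(name, perm): "ok", 1: "MISSING"), !
    }
}

}
```

Run `Do ##class(Demo.FhirAccessSetup).Configure()` once as a privileged user, then log in to a terminal as FhirClient and run `Do ##class(Demo.FhirAccessSetup).ReportChecks()`; a line marked MISSING for a database resource is the usual cause of a 403 once authentication itself succeeds. Option 1 from the answer is the same configuration with the database role added to the user via `##class(Security.Users).AddRoles("FhirClient", "%DB_FHIRNS")` instead of the MatchRoles line.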


Personally I usually prefer to assign permissions to Web Applications and assign to the users only the role necessary to use the application.

Often I don't need/want the user itself to have direct access to resources (i.e. database, tables/classes etc.); what I want is the ability for the user to access/use the Web Application (the FHIR server in this case), and then the application itself has the required privilege.

In short, I don't want the user to be authorized to mess with the "internal" stuff... just use the application.

Of course this is a matter of preferences and use case scenario.