Authorization Scopes

What are scopes?

In SMART-on-FHIR (and OAuth in general) a 'scope' is a way to limit an app’s access to a user’s data. Rather than granting complete access to a user’s clinical data, it is preferable to give apps a way to request a more limited scope of what data they are they are allowed to access.

Some apps only need to identify the user and retrieve patient demographics, so they only need access to a user ID and basic identifying information. Other apps may need to know more information such as a patient’s vital signs, or they may need broad access to an entire population and the ability to retrieve all medications and lab results.

The idea is that users will be more willing to authorize an application if they know exactly what the application can and cannot do with the data. Scopes are a way to control access and help the user identify the permissions they are granting to the application.

It’s important to remember that scopes are not the same as the internal permissions system of Greenway Intergy, Prime Suite, Patient Portal and SmartHub. Scopes are a way to limit what a SMART-on-FHIR application can do within the context of what a user can do.

For example, if you have a user that is not permitted to view clinical information in the EHR, and the application is requesting the user/Patient.read scope, the Authorization server is not going to permit calls to the /Patient resource to retrieve all Patients in the practice because that user is not allowed to access that data themselves.

Another way to think of this is that 'scopes' are the permissions that the SMART-on-FHIR application requests from the user that wants to use the app.

We support the following scopes:

Greenway FHIR API Scopes

openid - Permission to retrieve information about the current logged-in user. 
fhirUser - Permission to retrieve information about the current logged-in user. 
online_access - Request a refresh_token that can be used to obtain a new access token to replace an expired one, and that will be usable for as long as the end-user remains online. 
offline_access - Request a refresh_token that can be used to obtain a new access token to replace an expired one, even after the end-user no longer is online after the access token expires. 
launch - Permission to obtain launch context when app is launched inside the EHR. 
launch/patient - When launching outside the EHR, ask for a patient to be selected at launch time. 
launch/encounter -  When launching outside the EHR, ask for an encounter to be selected at launch time.               
patient/AllergyIntolerance.read - Permission to read this resource for the current patient 
patient/Appointment.read - Permission to read this resource for the current patient 
patient/Binary.read - Permission to read this resource for the current patient 
patient/CarePlan.read - Permission to read this resource for the current patient 
patient/CareTeam.read - Permission to read this resource for the current patient 
patient/Condition.read - Permission to read this resource for the current patient 
patient/Consent.read - Permission to read this resource for the current patient 
patient/Coverage.read - Permission to read this resource for the current patient 
patient/Device.read - Permission to read this resource for the current patient 
patient/DiagnosticReport.read - Permission to read this resource for the current patient 
patient/DocumentReference.read - Permission to read this resource for the current patient 
patient/Encounter.read - Permission to read this resource for the current patient 
patient/Goal.read - Permission to read this resource for the current patient 
patient/Group.read - Permission to read this resource for the current patient 
patient/Immunization.read - Permission to read this resource for the current patient 
patient/Location.read - Permission to read this resource for the current patient 
patient/Medication.read - Permission to read this resource for the current patient 
patient/MedicationRequest.read - Permission to read this resource for the current patient 
patient/Observation.read - Permission to read this resource for the current patient 
patient/Organization.read - Permission to read this resource for the current patient 
patient/Patient.read - Permission to read this resource for the current patient 
patient/Practitioner.read - Permission to read this resource for the current patient 
patient/PractitionerRole.read - Permission to read this resource for the current patient 
patient/Procedure.read - Permission to read this resource for the current patient 
patient/Provenance.read - Permission to read this resource for the current patient 
patient/RelatedPerson.read - Permission to read this resource for the current patient 
patient/ServiceRequest.read - Permission to read this resource for the current patient 
user/AllergyIntolerance.read - Permission to read any instance of this resource available to the current user 
user/Appointment.read - Permission to read any instance of this resource available to the current user 
user/Binary.read - Permission to read any instance of this resource available to the current user 
user/CarePlan.read - Permission to read any instance of this resource available to the current user 
user/CareTeam.read - Permission to read any instance of this resource available to the current user 
user/Condition.read - Permission to read any instance of this resource available to the current user 
user/Consent.read - Permission to read any instance of this resource available to the current user 
user/Coverage.read - Permission to read any instance of this resource available to the current user 
user/Device.read - Permission to read any instance of this resource available to the current user 
user/DiagnosticReport.read - Permission to read any instance of this resource available to the current user 
user/DocumentReference.read - Permission to read any instance of this resource available to the current user 
user/Encounter.read - Permission to read any instance of this resource available to the current user 
user/Goal.read - Permission to read any instance of this resource available to the current user 
user/Group.read - Permission to read any instance of this resource available to the current user
user/Immunization.read - Permission to read any instance of this resource available to the current user 
user/Location.read - Permission to read any instance of this resource available to the current user 
user/Medication.read - Permission to read any instance of this resource available to the current user 
user/MedicationRequest.read - Permission to read any instance of this resource available to the current user 
user/Observation.read - Permission to read any instance of this resource available to the current user 
user/Organization.read - Permission to read any instance of this resource available to the current user 
user/Patient.read - Permission to read any instance of this resource available to the current user 
user/Practitioner.read - Permission to read any instance of this resource available to the current user 
user/PractitionerRole.read - Permission to read any instance of this resource available to the current user 
user/Procedure.read - Permission to read any instance of this resource available to the current user 
user/Provenance.read - Permission to read any instance of this resource available to the current user 
user/RelatedPerson.read - Permission to read any instance of this resource available to the current user 
user/ServiceRequest.read - Permission to read any instance of this resource available to the current user

See also SMART App Launch: Scopes and Launch Context