---
description: Implement consent-based access control allowing practitioners to view patient encounters based on FHIR Consent resources.
---

# How to implement consent-based access control using FHIR Search and Aidbox Access Policy

## Objectives

* Allow the Practitioner to view the Encounters for the Patients who have given Consent.

## Before you begin

* Set up the local Aidbox instance using the getting-started [guide](../../getting-started/run-aidbox-locally.md)

## Consent-based Access Control using FHIR Search and Aidbox Access Policy

### Set up the data

Navigate to the AIdbox REST Console.

Create two Practitioners by executing the following requests.

```http
POST /fhir/Practitioner
content-type: application/json
accept: application/json

{
  "id": "pr-1",
  "name": [
    {
      "given": [
        "TestPractitioner"
      ]
    }
  ],
  "resourceType": "Practitioner"
}
```

```http
POST /fhir/Practitioner
content-type: application/json
accept: application/json

{
  "id": "pr-2",
  "name": [
    {
      "given": [
        "TestPractitioner1"
      ]
    }
  ],
  "resourceType": "Practitioner"
}
```

Create the Patient resource.

```http
POST /fhir/Patient
content-type: application/json
accept: application/json

{
  "id": "pt-1",
  "name": [
    {
      "given": [
        "John"
      ],
      "family": "Smith"
    }
  ],
  "resourceType": "Patient"
}
```

Create the Observation and Encounter for the Patient.

```http
POST /fhir/Observation
content-type: application/json
accept: application/json

{
  "resourceType": "Observation",
  "status": "final",
  "subject": {
    "reference": "Patient/pt-1"
  },
  "code": {
    "coding": [
      {
        "code": "test-code"
      }
    ]
  }
}
```

```http
POST /fhir/Encounter
content-type: application/json
accept: application/json

{
  "resourceType": "Encounter",
  "status": "finished",
  "subject": {
    "reference": "Patient/pt-1"
  },
  "class": {
    "code": "test-code"
  }
}
```

To model the Patient's consent, we will use the FHIR [Consent](https://hl7.org/fhir/R4/consent.html) resource.

To model the grantee of the consent, we will use the `provision.actor` element:

```json
{
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-1"
        }
      }
```

To model the scope of the consent, we will use `scope` element.

For example, the consent for accessing the Observations is modeled as follows:

```json
"scope": {
    "coding": [
      {
        "code": "Observation"
      }
    ]
  }
```

Create the Consent resource that models the permission for the Practitioner `pr-1` to access Observations.

```http
POST /fhir/Consent
content-type: application/json
accept: application/json

{
  "category": [
    {
      "coding": [
        {
          "code": "test category"
        }
      ]
    }
  ],
  "patient": {
    "reference": "Patient/pt-1"
  },
  "policyRule": {
    "coding": [
      {
        "code": "cric"
      }
    ]
  },
  "provision": {
    "actor": [
      {
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-1"
        }
      }
    ]
  },
  "resourceType": "Consent",
  "scope": {
    "coding": [
      {
        "code": "Observation"
      }
    ]
  },
  "status": "active"
}
```

Create the Consent resource that models the permission for the Practitioner `pr-2` to access Encounters.

```http
POST /fhir/Consent
content-type: application/json
accept: application/json

{
  "category": [
    {
      "coding": [
        {
          "code": "test category"
        }
      ]
    }
  ],
  "patient": {
    "reference": "Patient/pt-1"
  },
  "policyRule": {
    "coding": [
      {
        "code": "cric"
      }
    ]
  },
  "provision": {
    "actor": [
      {
        "role": {
          "coding": [
            {
              "code": "GRANTEE"
            }
          ]
        },
        "reference": {
          "reference": "Practitioner/pr-2"
        }
      }
    ]
  },
  "resourceType": "Consent",
  "scope": {
    "coding": [
      {
        "code": "Encounter"
      }
    ]
  },
  "status": "active"
}
```

### Construct the FHIR Search

The FHIR Search that, for the given practitioner, will get all the Observations that have consent from the patients is:

```http
GET /fhir/Consent?actor=pr-1&scope=Observation&_include=Consent:patient&_revinclude:iterate=Observation:subject
content-type: application/json
accept: application/json
```

You can also try to search the Observations and Encounters for the practitioner `pr-2`

You can learn more about FHIR Search here: [FHIR Search](../../api/rest-api/fhir-search/).

### Create the AccessPolicy

Assuming that the authentication is configured to have a real end-user session, and we have linked the Aidbox User resource to the Practitioner resource with `User.fhirUser` element, the following will be the access policy that allows the FHIR Search above:

```http
PUT /fhir/AccessPolicy/practitioner-consent-based-observation
content-type: application/json
accept: application/json

{
  "engine": "matcho",
  "id": "practitioner-consent-based-observation",
  "link": [
    {
      "reference": "Operation/FhirSearch"
    }
  ],
  "matcho": {
    "user": "present?",
    "params": {
      "actor": ".user.fhirUser.id",
      "scope": "Observation",
      "_include": "Consent:patient",
      "_revinclude:iterate": "Observation:subject"
    }
  },
  "resourceType": "AccessPolicy"
}
```

You can learn more about different authentication methods here: [Authentication](../../access-control/authentication/).