
forbidden Validator Documentation
Unconditional Denial of Access for FHIR Resources


Intent

The forbidden validator is an unconditional denial rule: every request routed to it for the configured resource and operation is rejected, with no further checks. It supports a "deny-by-default" security model in which nothing is reachable unless an explicit allowed rule exists, which prevents accidental data exposure.

Key Use Cases:

  • Blocking public access to sensitive resources (e.g., genetic data).
  • Disabling unsafe operations (e.g., Patient deleting MedicationRequest records).
  • Serving as a fallback rule when no other validators apply.

Key Features

  1. No Validation Logic: Always returns is_valid = False, regardless of the request content.
  2. Role Agnostic: Applies to every role it is configured for, and to all roles when used as the default_access, unless an explicit allowed rule overrides it for a specific role, resource and operation.
  3. Performance: Negligible overhead, since the request body and target resource are never inspected (instant denial).

Configuration Examples

1. Default Deny-All Strategy

{
  "rbac": {
    "default_access": "forbidden",
    "validation_rules": [
      {
        "client_role": "Practitioner",
        "entity_name": "Patient",
        "operation": "read",
        "validator": "allowed"
      }
    ]
  }
}

Explanation:

  • default_access set to forbidden means every request that matches no rule is denied.
  • The single rule explicitly allows the Practitioner role to read Patient records. (A rule with validator forbidden here would add nothing, because the default already denies it.)
  • Any other role, resource or operation (for example a Patient role reading Patient, or a Practitioner deleting Patient) falls through to the default and is refused.

2. Block Patient Access to MedicationRequests

{
"client_role": "Patient",
"entity_name": "MedicationRequest",
"operation": "read",
"validator": "forbidden"
}

Outcome: Patients receive 403 Forbidden when attempting to view medication orders. With default_access already set to forbidden, this rule is redundant for enforcement, but it documents the intent and keeps the denial in place if the default is later relaxed or a broader allowed rule is added.


Best Practices

  1. Default Security Posture: Set "default_access": "forbidden" and combine it with granular allowed rules for least-privilege access, so that anything not explicitly granted is refused.
  2. Override Carefully: Use allowed only for verified safe operations, scoped to a single role, resource and operation.
  3. Audit Logs: Log every request blocked by this validator (role, resource, operation, client) and monitor the logs, since repeated denials against sensitive resources are an early signal of misuse or misconfigured clients.
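To make the resolution order behind the configuration examples and the best practices above concrete, here is an added example of a deny-by-default resolver written for this page. It is not the project's own engine: the function names, the conflict rule (any matching forbidden rule wins), the case-insensitive handling of default_access and the fail-closed handling of unknown validator names are assumptions made for the example, and the sample configuration is constructed from the rules shown on this page.

```python
"""Hypothetical deny-by-default RBAC resolver (example code, not the project's own engine)."""
import logging
from typing import Callable, Dict, List, Tuple

log = logging.getLogger("rbac.audit")

# Validator callables keyed by the name used in the config. `forbidden` ignores its
# input entirely: it never inspects the request, which is what makes it both cheap
# and impossible to satisfy.
VALIDATORS: Dict[str, Callable[[dict], bool]] = {
    "allowed": lambda request: True,
    "forbidden": lambda request: False,
}

# Constructed sample configuration combining the page's examples (assumed shape).
SAMPLE_CONFIG = {
    "rbac": {
        "default_access": "Forbidden",  # deliberately capitalised: compared case-insensitively below
        "validation_rules": [
            {"client_role": "Practitioner", "entity_name": "Patient",
             "operation": "read", "validator": "allowed"},
            {"client_role": "Patient", "entity_name": "MedicationRequest",
             "operation": "read", "validator": "forbidden"},
            {"client_role": "Researcher", "entity_name": "MolecularSequence",
             "operation": "read", "validator": "allowed"},
        ],
    }
}


def matching_rules(rules: List[dict], request: dict) -> List[dict]:
    """Rules whose (client_role, entity_name, operation) triple equals the request's."""
    return [
        r for r in rules
        if r["client_role"] == request["client_role"]
        and r["entity_name"] == request["entity_name"]
        and r["operation"] == request["operation"]
    ]


def is_valid(config: dict, request: dict) -> Tuple[bool, str]:
    """Return (decision, reason). Denial is the answer whenever nothing says otherwise."""
    rbac = config["rbac"]
    rules = matching_rules(rbac.get("validation_rules", []), request)
    if not rules:
        # No explicit rule: fall back to default_access (assumed case-insensitive).
        default = rbac.get("default_access", "forbidden").lower()
        return default == "allowed", f"no matching rule; default_access={default}"
    for rule in rules:
        validator = VALIDATORS.get(rule["validator"].lower())
        if validator is None:
            # An unknown validator name is a configuration error: fail closed, not open.
            return False, f"unknown validator {rule['validator']!r}"
        if not validator(request):
            # Assumption: when several rules match the same triple, any forbidden rule wins.
            return False, f"validator {rule['validator']} denied"
    return True, "explicit allowed rule"


def http_status(config: dict, request: dict) -> int:
    """Map the decision to the HTTP status a FHIR server would return, logging denials for audit."""
    ok, reason = is_valid(config, request)
    if not ok:
        log.warning("denied %s %s for role %s: %s",
                    request["operation"], request["entity_name"], request["client_role"], reason)
        return 403
    return 200


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for req in (
        {"client_role": "Practitioner", "entity_name": "Patient", "operation": "read"},
        {"client_role": "Patient", "entity_name": "MedicationRequest", "operation": "read"},
        {"client_role": "Patient", "entity_name": "Patient", "operation": "read"},
        {"client_role": "Practitioner", "entity_name": "Patient", "operation": "delete"},
    ):
        print(req["client_role"], req["operation"], req["entity_name"], "->",
              http_status(SAMPLE_CONFIG, req), is_valid(SAMPLE_CONFIG, req)[1])
```

The two cases worth noticing are the ones the page's prose only implies: a Patient reading Patient and a Practitioner deleting Patient both hit no rule at all and are refused by default_access, not by any forbidden rule, and a misspelled validator name denies rather than silently permitting.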

FHIR Security Considerations

  • Aligns with FHIR's Security principles for access control: deny unless explicitly permitted.
  • Record blocked attempts as FHIR AuditEvent resources, which are the standard's resource for security and access events; Provenance records the origin of a resource's data, not who tried to read it.

Use Case: Research Database Lockdown

A genomics study uses forbidden to:

  1. Block all access to MolecularSequence resources by default.
  2. Allow access only to researchers with explicit allowed rules tied to IRB approval.

Configuration (the allowed rule for step 2; the blanket denial in step 1 comes from "default_access": "forbidden" in the surrounding rbac block):

{
  "client_role": "Researcher",
  "entity_name": "MolecularSequence",
  "operation": "read",
  "validator": "allowed"
}