On this page:
   35.86    OAuth2/OIDC Federation
  • Configuration Categories
  • 35.0 Web Admin Console Settings
  • 35.1 App Management Tools
  • 35.2 Initial App Management Tools Seeding
  • 35.3 App Management Tools Email Server
  • 35.4 App Management Tools Payer Configuration
  • 35.5 Authentication Callback Scripts
  • 35.6 Auth: General for APIs
  • 35.7 User Authentication
  • 35.8 Auth: HTTP Basic
  • 35.9 Auth: OpenID Connect
  • 35.10 Browser Syntax Highlighting
  • 35.11 Capability Statement (metadata)
  • 35.12 CDA Generation
  • 35.13 CDS Hooks
  • 35.14 Channel Import
  • 35.15 Channel Retry
  • 35.16 Cluster Manager Maintenance
  • 35.17 Cluster Manager Message Broker
  • 35.18 Cluster Manager Kafka
  • 35.19 Credentials
  • 35.20 Cross-Origin Resource Sharing (CORS)
  • 35.21 Database
  • 35.22 ETL Import: CSV Properties
  • 35.23 ETL Import: Source
  • 35.24 FHIR Binary Storage
  • 35.25 FHIR Bulk Operations
  • 35.26 FHIR Configuration
  • 35.27 FHIR Capability Statement
  • 35.28 FHIR Consent Service
  • 35.29 FHIR Endpoint Terminology
  • 35.30 FHIR LiveBundle Service
  • 35.31 FHIR Endpoint Conversion
  • 35.32 FHIR Endpoint Security
  • 35.33 Interceptors
  • 35.34 FHIR Endpoint Partitioning and Multitenancy
  • 35.35 FHIR Gateway Config
  • 35.36 FHIR MDM Server
  • 35.37 FHIR Storage Partitioning and Multitenancy
  • 35.38 FHIR Storage Package Registry
  • 35.39 Versioned References
  • 35.40 FHIR Performance
  • 35.41 FHIR Performance Tracing
  • 35.42 FHIR Storage Scheduled Tasks
  • 35.43 FHIR Realtime Export
  • 35.44 FHIR Resource Types
  • 35.45 FHIR REST Endpoint
  • 35.46 FHIR Search
  • 35.47 FHIR Interceptors
  • 35.48 FHIR Repository Validation
  • 35.49 FHIR Subscription Persistence
  • 35.50 FHIR Subscription Delivery
  • 35.51 FHIR Validation Services
  • 35.52 HL7 v2.x to FHIR Mapper - Forced Namespace Mode
  • 35.53 HL7 v2.x to FHIR Mapper - General
  • 35.54 HL7 v2.x Mapper - Medications
  • 35.55 HL7 v2.x Mapper - Contained Resource
  • 35.56 HL7 v2.x to FHIR Mapper - OBR
  • 35.57 HL7 v2.x to FHIR Mapper - OBSERVATION Group
  • 35.58 HL7 v2.x to FHIR Mapper - ORDER_OBSERVATION Group
  • 35.59 HL7 v2.x to FHIR Mapper - PV1
  • 35.60 HL7 v2.x to FHIR Mapper - PID
  • 35.61 HL7 v2.x Listener Script
  • 35.62 HL7 v2.x MLLP Listener
  • 35.63 FHIR to HL7 v2.x Mapper Script
  • 35.64 HL7 v2.x Outbound Mapping
  • 35.65 HL7 v2.x MLLP Sender
  • 35.66 HTTP Access Log
  • 35.67 HTTP Listener
  • 35.68 HTTP Request Pool
  • 35.69 HTTP Security
  • 35.70 Hybrid Providers Definitions
  • 35.71 Initial User Seeding
  • 35.72 JSON Web KeySet (JWKS)
  • 35.73 LDAP Authentication
  • 35.74 Lucene FullText Indexing
  • 35.75 Narrative Generator
  • 35.76 Master Data Management
  • 35.77 OpenID Connect (OIDC)
  • 35.78 Realtime Export
  • 35.79 Request Validating
  • 35.80 Search Parameter Seeding
  • 35.81 Security Inbound Script
  • 35.82 Inbound SMART on FHIR Authentication
  • 35.83 Inbound SMART on FHIR Endpoints
  • 35.84 OpenID Connect Token Validation
  • 35.85 SAML Provider
  • 35.86 OAuth2/OIDC Federation
  • 35.87 SMART Authorization
  • 35.88 SMART Definitions Seeding
  • 35.89 Sessions
  • 35.90 SMART Outbound Security: Callback Script
  • 35.91 SMART Outbound Security: CODAP
  • 35.92 SMART Outbound Security: Login Skin
  • 35.93 SMART Outbound Security: Terms of Service
  • 35.94 Two Factor Authentication
  • 35.95 TLS / SSL (Encryption)
  • 35.96 Trusted Client
  • 35.97 Transaction Log
  • 35.98 User Self Registration
    • 35.88    SMART Definitions Seeding   
       Table of Contents

    SMART Authorization

    35.87SMART Authorization

     

    The SMART Authorization configuration category includes the following configurable options:

    • Enforce Approved Scopes to Restrict Permissions

    • Scopes Supported

    35.87.1Property: Enforce Approved Scopes to Restrict Permissions

     
    Property Name Enforce Approved Scopes to Restrict Permissions
    Property Key
    Property Type BOOLEAN
    Description When enabled, permission will be stripped from a user's session if they are not supported by an approved SMART on FHIR scope. For example, any FHIR write permissions will be removed from a session if the user has not approved (or a client is set to auto-approve) a scope such as Patient/*.write.
    Applies to Modules
    • SMART Inbound Security
    • SMART Outbound Security
    Default Value true
    Example Property 
    module.[MODULE_ID].config.enforce_approved_scopes_to_restrict_permissions = true

    35.87.2Property: Scopes Supported

     
    Property Name Scopes Supported
    Property Key
    Property Type STRING
    Description A space separated list of scopes to advertise as supported in the .well-known/smart-configuration
    Applies to Modules
    • SMART Inbound Security
    • SMART Outbound Security
    Default Value openid fhirUser
    Example Property 
    module.[MODULE_ID].config.smart_configuration.scopes_supported = openid fhirUser
       35.86    OAuth2/OIDC Federation
  • Configuration Categories
  • 35.0 Web Admin Console Settings
  • 35.1 App Management Tools
  • 35.2 Initial App Management Tools Seeding
  • 35.3 App Management Tools Email Server
  • 35.4 App Management Tools Payer Configuration
  • 35.5 Authentication Callback Scripts
  • 35.6 Auth: General for APIs
  • 35.7 User Authentication
  • 35.8 Auth: HTTP Basic
  • 35.9 Auth: OpenID Connect
  • 35.10 Browser Syntax Highlighting
  • 35.11 Capability Statement (metadata)
  • 35.12 CDA Generation
  • 35.13 CDS Hooks
  • 35.14 Channel Import
  • 35.15 Channel Retry
  • 35.16 Cluster Manager Maintenance
  • 35.17 Cluster Manager Message Broker
  • 35.18 Cluster Manager Kafka
  • 35.19 Credentials
  • 35.20 Cross-Origin Resource Sharing (CORS)
  • 35.21 Database
  • 35.22 ETL Import: CSV Properties
  • 35.23 ETL Import: Source
  • 35.24 FHIR Binary Storage
  • 35.25 FHIR Bulk Operations
  • 35.26 FHIR Configuration
  • 35.27 FHIR Capability Statement
  • 35.28 FHIR Consent Service
  • 35.29 FHIR Endpoint Terminology
  • 35.30 FHIR LiveBundle Service
  • 35.31 FHIR Endpoint Conversion
  • 35.32 FHIR Endpoint Security
  • 35.33 Interceptors
  • 35.34 FHIR Endpoint Partitioning and Multitenancy
  • 35.35 FHIR Gateway Config
  • 35.36 FHIR MDM Server
  • 35.37 FHIR Storage Partitioning and Multitenancy
  • 35.38 FHIR Storage Package Registry
  • 35.39 Versioned References
  • 35.40 FHIR Performance
  • 35.41 FHIR Performance Tracing
  • 35.42 FHIR Storage Scheduled Tasks
  • 35.43 FHIR Realtime Export
  • 35.44 FHIR Resource Types
  • 35.45 FHIR REST Endpoint
  • 35.46 FHIR Search
  • 35.47 FHIR Interceptors
  • 35.48 FHIR Repository Validation
  • 35.49 FHIR Subscription Persistence
  • 35.50 FHIR Subscription Delivery
  • 35.51 FHIR Validation Services
  • 35.52 HL7 v2.x to FHIR Mapper - Forced Namespace Mode
  • 35.53 HL7 v2.x to FHIR Mapper - General
  • 35.54 HL7 v2.x Mapper - Medications
  • 35.55 HL7 v2.x Mapper - Contained Resource
  • 35.56 HL7 v2.x to FHIR Mapper - OBR
  • 35.57 HL7 v2.x to FHIR Mapper - OBSERVATION Group
  • 35.58 HL7 v2.x to FHIR Mapper - ORDER_OBSERVATION Group
  • 35.59 HL7 v2.x to FHIR Mapper - PV1
  • 35.60 HL7 v2.x to FHIR Mapper - PID
  • 35.61 HL7 v2.x Listener Script
  • 35.62 HL7 v2.x MLLP Listener
  • 35.63 FHIR to HL7 v2.x Mapper Script
  • 35.64 HL7 v2.x Outbound Mapping
  • 35.65 HL7 v2.x MLLP Sender
  • 35.66 HTTP Access Log
  • 35.67 HTTP Listener
  • 35.68 HTTP Request Pool
  • 35.69 HTTP Security
  • 35.70 Hybrid Providers Definitions
  • 35.71 Initial User Seeding
  • 35.72 JSON Web KeySet (JWKS)
  • 35.73 LDAP Authentication
  • 35.74 Lucene FullText Indexing
  • 35.75 Narrative Generator
  • 35.76 Master Data Management
  • 35.77 OpenID Connect (OIDC)
  • 35.78 Realtime Export
  • 35.79 Request Validating
  • 35.80 Search Parameter Seeding
  • 35.81 Security Inbound Script
  • 35.82 Inbound SMART on FHIR Authentication
  • 35.83 Inbound SMART on FHIR Endpoints
  • 35.84 OpenID Connect Token Validation
  • 35.85 SAML Provider
  • 35.86 OAuth2/OIDC Federation
  • 35.87 SMART Authorization
  • 35.88 SMART Definitions Seeding
  • 35.89 Sessions
  • 35.90 SMART Outbound Security: Callback Script
  • 35.91 SMART Outbound Security: CODAP
  • 35.92 SMART Outbound Security: Login Skin
  • 35.93 SMART Outbound Security: Terms of Service
  • 35.94 Two Factor Authentication
  • 35.95 TLS / SSL (Encryption)
  • 35.96 Trusted Client
  • 35.97 Transaction Log
  • 35.98 User Self Registration
    • 35.88    SMART Definitions Seeding