
User Authorization and Access control in HSLynk

Eric Jahn edited this page Sep 21, 2020 · 10 revisions

Introduction to Access Control in HSLynk

Access control in HSLynk is enforced at several layers/levels. Access to HMIS data is determined by access to the APIs.

To summarize, one must call HSLynk APIs from a "Trusted App", which has an approval process, not just from any app on the web. A Profile determines all the APIs that a user can access, and a Role determines the extent of data that the user can access. We have a standard set of Profiles such as "Customer Admin Profile" and "Case Manager Profile", and we add more Profiles as customers need them. Permission Sets are for temporary, fine-grained user access to certain specific APIs, if the user's Profile access is not sufficient.

User Authorization Workflow

Access is determined at the following levels.

1. Trusted App (client to HSLynk APIs)

Any application (mobile app, web application, or standalone app) that accesses HMIS APIs is called a Trusted App. Each Trusted App should be registered with the HMIS system (go through an approval process) before it can access any of the HMIS APIs.

When a call is made to an HSLynk API from a Trusted App, the HSLynk Authorization interceptor validates the Trusted App's access to that specific API and rejects the request if either the Trusted App is not authorized or access to the specific API is not granted to the Trusted App.

2. Profile level access

Once the Trusted App's access is determined, the next level of access control is at the Profile level. When the call is made to the HSLynk API from an authorized Trusted App, the Authorization interceptor determines whether the Profile that the user belongs to has access to the specific API for which the request is made. If the Profile doesn't have access, the interceptor proceeds with the next check (Permission Sets) before rejecting the user's request.

3. Permission sets (User level access)

Access to a specific API is determined first by the Profile and then by the Permission Sets assigned to the user. If the Profile does not have access to the specific API, the Authorization interceptor looks at the user's Permission Sets to see whether any of them grants the user access to that API. If no Permission Set assigned to the user provides access to that API, the request / call is rejected.

4. Role level access

In HSLynk, role-level access is used to provide access at the record / entity level. While Profiles and Permission Sets deal with object-level access (via the POST / GET / DELETE / PUT APIs), record-level access can be set up using Roles. A set of records (for instance, enrollments) can be shared from one organization to another organization (to a specific role, using the Sharing Rule API).
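The four checks above, in the order the page describes them, as an added Python model that is not HSLynk's own code. All class, field and function names, the API strings and the sample data are hypothetical, and treating records of the user's own organization as visible is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class TrustedApp:
    approved: bool                       # passed the registration/approval process
    apis: set = field(default_factory=set)   # APIs granted to this app

@dataclass
class User:
    org: str
    role: str
    profile_apis: set                    # APIs granted by the user's Profile
    permission_set_apis: set = field(default_factory=set)  # extra per-user grants

@dataclass
class SharingRule:
    from_org: str
    to_org: str
    to_role: str
    record_ids: set

def authorize_api(app, user, api):
    """Object-level decision: Trusted App, then Profile, then Permission Sets."""
    if app is None or not app.approved:
        return False, "trusted app not authorized"
    if api not in app.apis:
        return False, "api not granted to trusted app"
    if api in user.profile_apis:
        return True, "profile"
    # Profile lacks the API: fall through to Permission Sets before rejecting.
    if api in user.permission_set_apis:
        return True, "permission set"
    return False, "no profile or permission set grants api"

def can_access_record(user, record_id, owner_org, rules):
    """Record-level decision: own-organization records (assumed) or shared ones."""
    if owner_org == user.org:
        return True
    return any(r.from_org == owner_org and r.to_org == user.org
               and r.to_role == user.role and record_id in r.record_ids
               for r in rules)

# Constructed sample data, not taken from a real deployment.
APP = TrustedApp(True, {"GET /enrollments", "POST /enrollments"})
CASE_MANAGER = User("org-b", "case-manager", {"GET /enrollments"},
                    {"POST /enrollments"})
RULES = [SharingRule("org-a", "org-b", "case-manager", {"enr-1"})]
```

A request has to pass both functions: `authorize_api` decides whether the call reaches the API at all, and `can_access_record` decides which records that call may return.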
