Define Payer User Policies

This topic provides information on defining payer user policies for Oracle Health Clinical Data Exchange.

To access the Oracle Health Clinical Data Exchange resources, the following policies must be defined for your site. These policies can be defined for specific users or for user groups.
Run the following policy statements to grant user groups access to Oracle Health Clinical Data Exchange resources and to allow users to perform the following tasks:
  • View the list of providers in the Oracle network.
  • View and update payer profiles for your organization.
  • Manage the document query endpoints and notification delivery endpoints.
  • View certificate and Certificate Authority (CA) bundles.
Complete the following steps to define the payer user policies:
  1. Create the applicable user group in your OCI tenancy.
  2. Add the following identity policies at the tenancy level, where xxxxx is the user group name:
    1. Add the following policy to allow users to read and update payer profiles and directory entries.
      Allow group xxxxx to use cdexhub-payer-family in tenancy
    2. Add the following policy to allow users to read provider data-sharing for clinical event notifications and clinical documents.
      Allow group xxxxx to read cdexhub-data-sharing-family in tenancy
    3. Add the following policy to allow users to tag namespaces for filtering notification delivery and document query endpoints.
      Allow group xxxxx to read tag-namespaces in tenancy
  3. Add the following identity policies at the compartment level, where xxxxx is the user group name and yyyyy is the compartment name (the request.principal.compartment.id conditions compare against the compartment OCID, so supply the OCID there):
    1. Add the following policy to allow users to view a list of all providers in the Oracle Provider Directory.
      Allow group xxxxx to read cdexhub-provider-directory-entry in compartment yyyyy
    2. Add the following policy to allow users to fully manage notification delivery and document query endpoints.
      Allow group xxxxx to manage cdexhub-endpoint-family in compartment yyyyy
    3. Add the following policies to allow users to read certificates, certificate authority (CA) bundles, and secrets that are used with notification delivery endpoints in your compartment. Note that the first statement grants manage, which in OCI IAM includes inspect, read, and use.
      Allow group xxxxx to manage certificate-authority-family in compartment yyyyy
      ALLOW any-user to read cabundle in TENANCY where ALL {request.principal.type = 'cdexhubpayer', request.principal.compartment.id='yyyyy'}
      ALLOW any-user to read secret-bundles in TENANCY where ALL {request.principal.type = 'cdexhubpayer', request.principal.compartment.id='yyyyy'}
    4. Add the following policy to allow users to manage identity domains and client applications.
      Allow group xxxxx to manage domains in compartment yyyyy
    5. Add the following policy to allow users to read metrics for notification delivery and document query endpoints in their compartment.
      Allow group xxxxx to use metrics in compartment yyyyy
  4. Add the following identity policy at the compartment level to allow users to access Object Storage for bulk document retrieval, where zzzzz is the name of the bulk data export bucket in Object Storage.
      ALLOW any-user to {BUCKET_INSPECT, BUCKET_READ, OBJECT_WRITE} in TENANCY where ALL { request.principal.type = 'cdexhubpayer', request.principal.compartment.id=target.compartment.id, target.bucket.name='zzzzz', any {request.permission='BUCKET_INSPECT', request.permission='BUCKET_READ', request.permission='OBJECT_WRITE'} }
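To review a rendered set of these statements before applying them, here is an added Python example (not Oracle's code): it substitutes the xxxxx/yyyyy placeholders, compares each group statement's verb with the access the step text describes (for instance, the certificate-authority-family statement grants manage where the step describes read access), and checks that request.principal.compartment.id conditions carry a compartment OCID rather than a name. The group, compartment and OCID values in the test are constructed sample input, and the INTENT table is this editor's reading of the step descriptions, not a value from the page.

```python
import re

# OCI IAM verbs from least to most privileged; each includes the ones before it.
VERBS = ["inspect", "read", "use", "manage"]
# Statement templates taken from this page; {grp}/{cmp}/{ocid} are the placeholders.
TEMPLATES = [
    "Allow group {grp} to use cdexhub-payer-family in tenancy",
    "Allow group {grp} to read cdexhub-data-sharing-family in tenancy",
    "Allow group {grp} to read tag-namespaces in tenancy",
    "Allow group {grp} to read cdexhub-provider-directory-entry in compartment {cmp}",
    "Allow group {grp} to manage cdexhub-endpoint-family in compartment {cmp}",
    "Allow group {grp} to manage certificate-authority-family in compartment {cmp}",
    "Allow group {grp} to manage domains in compartment {cmp}",
    "Allow group {grp} to use metrics in compartment {cmp}",
    "ALLOW any-user to read cabundle in TENANCY where ALL {{request.principal.type = "
    "'cdexhubpayer', request.principal.compartment.id='{ocid}'}}",
    "ALLOW any-user to read secret-bundles in TENANCY where ALL {{request.principal.type = "
    "'cdexhubpayer', request.principal.compartment.id='{ocid}'}}",
]
# Verb implied by each step's task text (editor's reading, e.g. "read certificate ...
# bundles" -> read); resources not listed here are not checked.
INTENT = {"cdexhub-payer-family": "use", "cdexhub-data-sharing-family": "read",
          "cdexhub-provider-directory-entry": "read", "certificate-authority-family": "read",
          "cdexhub-endpoint-family": "manage", "domains": "manage"}

GROUP_STMT = re.compile(
    r"^allow\s+group\s+(?P<grp>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<res>[\w-]+)\s+in\s+(?:tenancy|compartment\s+(?P<cmp>\S+))(?:\s+where\s+.+)?$",
    re.IGNORECASE)
CMP_ID_COND = re.compile(r"request\.principal\.compartment\.id\s*=\s*'([^']*)'")

def render(group, compartment, compartment_ocid):
    """Substitute the placeholders in every template statement."""
    return [t.format(grp=group, cmp=compartment, ocid=compartment_ocid) for t in TEMPLATES]

def lint_verbs(statements):
    """Return (resource, granted, intended) for group statements whose verb exceeds INTENT."""
    findings = []
    for s in statements:
        m = GROUP_STMT.match(s.strip())
        if not m:
            continue  # any-user statements are covered by lint_compartment_ids
        res, verb = m["res"], m["verb"].lower()
        if res in INTENT and VERBS.index(verb) > VERBS.index(INTENT[res]):
            findings.append((res, verb, INTENT[res]))
    return findings

def lint_compartment_ids(statements):
    # A compartment.id condition compares against an OCID; a bare name never matches.
    return [s for s in statements for v in CMP_ID_COND.findall(s)
            if not v.startswith("ocid1.compartment.")]
```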