Core Documentation


Actions in Oystehr are linked to specific resource types. Each action in a rule must be applicable to all resources in the rule. For example, the action App:CreateUser can only be applied to the resource App:Application.


Minimum Scope

"Minimum scope" refers to the narrowest scope at which an action can be applied to the resource it acts on. By enforcing minimum scope during access policy validation, Oystehr helps to ensure that the access policies crafted by users form a logical pairing of actions and resources.

Wildcard ("*") Minimum Scope

Some actions may only be applied to the wildcard scope of the resource(s) they act on and are said to have a minimum scope of "*". To extend the previous example, the resource type for the action App:CreateUser must be App:Application:*; a user with a specific ID must already exist and therefore can't be "created" again. Actions that it would not make sense to take on a particular instance of a resource type — "List All", "Search", etc. — tend to come with this restriction as well.


Some actions can have no effect unless another action is granted in the same access policy over the same scope. Such actions are said to "depend" on a different action. For example, FHIR:History requires that the FHIR:Read action be granted over the same resource and scope. A user with a policy granting FHIR:History access over, say, the FHIR:Patient:* resource, but lacking FHIR:Read over FHIR:Patient:* will not be able to access the history data pertaining to any Patient resource; the omission of the prerequisite FHIR:Read permission effectively negates the granting of the dependent FHIR:History permission.
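The three rules above (action/resource applicability, wildcard minimum scope, and action dependencies) can be checked before a policy is saved. The following checker is an added example and is not Oystehr's own code; it assumes a policy layout of a `rule` list whose entries carry `resource`, `action` and `effect` keys, and it carries only a subset of the action library from the table on this page.

```python
from typing import Dict, List, Optional, Set, Tuple

# Subset of this page's action library: action -> (resource type, minimum scope, dependency).
# Minimum scope "" allows a specific ID; "*" means the action is wildcard-only.
ACTION_LIBRARY: Dict[str, Tuple[str, str, Optional[str]]] = {
    "App:GetApplication":      ("App:Application", "", None),
    "App:ListAllApplications": ("App:Application", "*", None),
    "FHIR:Create":             ("FHIR:{FhirResource}", "*", None),
    "FHIR:Read":               ("FHIR:{FhirResource}", "", None),
    "FHIR:History":            ("FHIR:{FhirResource}", "", "FHIR:Read"),
    "FHIR:Search":             ("FHIR:{FhirResource}", "*", None),
}

def applicable(action: str, resource_type: str) -> bool:
    """True if the action's resource type covers 'Service:Type' (any type under FHIR)."""
    expected = ACTION_LIBRARY[action][0]
    return resource_type.startswith("FHIR:") if expected == "FHIR:{FhirResource}" else expected == resource_type

def validate_policy(policy: dict) -> List[str]:
    """Return validation errors for an access policy; an empty list means it is consistent."""
    errors: List[str] = []
    granted: Set[Tuple[str, str]] = set()  # (action, resource) pairs from Allow rules
    for rule in policy.get("rule", []):
        if rule.get("effect") != "Allow":
            continue
        for action in rule["action"]:
            if action not in ACTION_LIBRARY:
                errors.append(f"unknown action {action}")
                continue
            min_scope = ACTION_LIBRARY[action][1]
            for resource in rule["resource"]:
                parts = resource.split(":")
                if len(parts) != 3:
                    errors.append(f"malformed resource {resource}")
                    continue
                rtype, scope = f"{parts[0]}:{parts[1]}", parts[2]
                if not applicable(action, rtype):
                    errors.append(f"{action} is not applicable to {resource}")
                elif min_scope == "*" and scope != "*":
                    errors.append(f"{action} has minimum scope '*' but was granted over {resource}")
                else:
                    granted.add((action, resource))
    # A dependent action only takes effect if its prerequisite is granted over the same scope.
    for action, resource in sorted(granted):
        dependency = ACTION_LIBRARY[action][2]
        if dependency and (dependency, resource) not in granted:
            errors.append(f"{action} over {resource} requires {dependency} over {resource}")
    return errors
```

A policy granting FHIR:History over FHIR:Patient:* passes only if FHIR:Read is also granted over FHIR:Patient:* somewhere in the same policy; FHIR:Read over a single Patient ID does not satisfy it.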

Action Library

| Service | Action | Resource Type | Description | Minimum Scope | Dependency |
|---|---|---|---|---|---|
| App | CreateApplication | Application | Grants permission to create a new application on the principal project | | |
| App | GetApplication | Application | Grants permission to view details of an application | | |
| App | UpdateApplication | Application | Grants permission to update the properties of an application | | |
| App | DeleteApplication | Application | Grants permission to delete an application from the principal project | | |
| App | ListAllApplications | Application | Grants permission to list all applications on the principal project | * | |
| App | CreateUser | User | Grants permission to create an invitation to join the principal project as a project user | * | |
| App | GetUser | User | Grants permission to view details of a project user within the principal project | | |
| App | ListAllUsers | User | Grants permission to list all project users within the principal project | * | |
| App | DeleteUser | User | Grants permission to delete a user from the project | | |
| App | UpdateUser | User | Grants permission to update a user in the project | | |
| FHIR | Create | {FhirResource} | Grants permission to create new instances of FHIR resources | * | |
| FHIR | Read | {FhirResource} | Grants permission to view the properties of a FHIR resource | | |
| FHIR | Update | {FhirResource} | Grants permission to update the properties of a FHIR resource | | |
| FHIR | Delete | {FhirResource} | Grants permission to delete a FHIR resource | | |
| FHIR | History | {FhirResource} | Grants permission to read the history table for a FHIR resource | | FHIR:Read |
| FHIR | Search | {FhirResource} | Grants permission to search on a given FHIR type | * | |
| FHIR | Export | Group | Grants permission to export resources which are members of a Group | * | |
| IAM | CreateM2MClient | M2MClient | Grants permission to create a new M2M user within the principal project | * | |
| IAM | GetM2MClient | M2MClient | Grants permission to view details of an M2M user | | |
| IAM | UpdateM2MClient | M2MClient | Grants permission to update an M2M user | | |
| IAM | DeleteM2MClient | M2MClient | Grants permission to delete an M2M user from the principal project | | |
| IAM | ListAllM2MClients | M2MClient | Grants permission to retrieve a list of M2M users within the principal project | * | |
| IAM | RotateM2MClientSecret | M2MClient | Grants permission to rotate the auth secret associated with an M2M user | | |
| IAM | InviteDeveloper | Developer | Grants permission to create an invitation to join the principal project as a developer user | | |
| IAM | UpdateDeveloper | Developer | Grants permission to update a developer in the project | | |
| IAM | GetDeveloper | Developer | Grants permission to view details of a developer user within the principal project | | |
| IAM | ListAllDevelopers | Developer | Grants permission to list all users within the principal project | * | |
| IAM | RemoveDeveloper | Developer | Grants permission to remove a developer from the project | | |
| IAM | ListAllRoles | Role | Grants permission to view the full list of role IDs and names on a project | * | |
| IAM | GetRole | Role | Grants permission to read the full details of a role | | |
| IAM | CreateRole | Role | Grants permission to create a new role | * | |
| IAM | UpdateRole | Role | Grants permission to update a role | | |
| IAM | DeleteRole | Role | Grants permission to delete a role | | |
| Messaging | SendTransactionalSMS | TransactionalSMS | Grants permission to send a Transactional SMS message | * | |
| Messaging | GetConversationToken | Conversation | Grants permission to get a Conversation Token used to interact with a Conversation using the chat channel | * | |
| Messaging | CreateConversation | Conversation | Grants permission to create a Conversation | * | |
| Messaging | ConversationAddParticipant | Conversation | Grants permission to add participants to a Conversation | | |
| Messaging | ConversationRemoveParticipant | Conversation | Grants permission to remove participants from a Conversation | | |
| Messaging | ConversationSendMessage | Conversation | Grants permission to send a message to a Conversation with the API | * | |
| Project | GetProjectInfo | Settings | Grants permission to view details about the principal project | * | |
| Project | UpdateProjectInfo | Settings | Grants permission to update details of the principal project | * | |
| RCM | ValidateProfessionalClaim | Claim | Grants permission to validate a professional insurance claim | | |
| RCM | SubmitProfessionalClaim | Claim | Grants permission to submit a professional insurance claim | | |
| RCM | GetClaimResponse | Claim | Grants permission to request a response for a claim | | |
| RCM | CheckInsuranceEligibility | InsuranceEligibility | Grants permission to invoke the Check Eligibility endpoint | | |
| Telemed | GetRoomToken | Room | Grants permission to get a Room Token used to join a Telemed Video Call Room | * | |
| Telemed | CreateRoom | Room | Grants permission to create a Telemed Video Call Room | * | |
| Z3 | CreateBucket | Path | Grants permission to create a Z3 bucket within the principal project | service-root | |
| Z3 | DeleteBucket | Path | Grants permission to delete a Z3 bucket from the principal project | | |
| Z3 | ListBuckets | Path | Grants permission to list all Z3 buckets within the principal project | service-root | |
| Z3 | GetObject | Path | Grants permission to read a Z3 object | | |
| Z3 | DeleteObject | Path | Grants permission to delete a Z3 object | | |
| Z3 | PutObject | Path | Grants permission to create a Z3 object | | |
| Z3 | ListObjects | Path | Grants permission to list Z3 objects within Z3 buckets | subfolder | |
| Zambda | CreateFunction | Function | Grants permission to create a new zambda function within the principal project | * | |
| Zambda | GetFunction | Function | Grants permission to view details about a zambda function | | |
| Zambda | UpdateFunction | Function | Grants permission to update the code, configuration, or invocation method of a zambda function | | |
| Zambda | DeleteFunction | Function | Grants permission to delete a zambda function from the principal project | | |
| Zambda | ListAllFunctions | Function | Grants permission to retrieve a list of zambda functions within the principal project with the version-specific configuration of each function | * | |
| Zambda | InvokeFunction | Function | Grants permission to invoke a zambda function | | |
| Zambda | ReadLogs | Function | Grants permission to view all log groups and logs for a zambda function | | |
| Zambda | CreateSecret | Secret | Grants permission to create a secret | * | |
| Zambda | ListAllSecrets | Secret | Grants permission to list all secrets | * | |
| Zambda | UpdateSecret | Secret | Grants permission to update a secret | | |
| Zambda | DeleteSecret | Secret | Grants permission to delete a secret | | |
| Zambda | GetSecret | Secret | Grants permission to read a secret | | |