Skip to content

FHIR scopes should influence Smart Form UI access and write-back behaviour #1956

Open
Open
FHIR scopes should influence Smart Form UI access and write-back behaviour#1956
@LandonTroyReilly

Description

@LandonTroyReilly
LandonTroyReilly
opened on Jun 3, 2026

Summary
FHIR scopes passed to the CSIRO Smart Form may provide a useful way to align the form experience with the user’s authorised access in a PMS, including which clinical sections are shown and which resource types can be written back.

Issue
The Smart Form should ideally reflect the permissions represented in the token. For example:

If the token does not include access to Condition, condition-related sections should not be available in the form.

If the token only allows read access for a resource, the user should not be able to create or update that resource during write-back.

If the token does not include create/update permissions, the related write-back action should not be available.

If a user has reduced permissions, those restrictions should be reflected in the Smart Form experience where possible.

This is important because practices expect permissions and access limitations to be respected throughout the Smart Form workflow, including during clinical write-back.

Expected behaviour
The Smart Form should honour the FHIR scopes in the token and only display, render, or write back clinical data that the user is authorised to access.

Category Access level Actual result Scope included in token
Immunisations No access Category is still available when Smart Forms loads. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Immunisations View Only User can still add new records to the Smart Form. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.s patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Immunisations Add / Edit / Delete Smart Forms loads successfully and the user can access the category. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Prescriptions No access Smart Forms does not load successfully and remains stuck on the loading screen. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Prescriptions View Only Smart Forms does not load successfully and remains stuck on the loading screen. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.s patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Prescriptions Add / Edit / Delete Smart Forms loads successfully and the user can access the category. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Observations No access Smart Forms does not load successfully and remains stuck on the loading screen. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Observations View Only User can still add new observation records to the form. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.s patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Observations Add / Edit / Delete Smart Forms loads successfully and the user can access the category. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Past history No access Category is still available when Smart Forms loads and the user can add data. patient/AllergyIntolerance.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Past history View Only Smart Forms does not load successfully and remains stuck on the loading screen. patient/AllergyIntolerance.cus patient/Condition.s patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Past history Add / Edit / Delete Smart Forms loads successfully and the user can access the category. patient/AllergyIntolerance.cus patient/Condition.cus patient/Encounter.r patient/Immunization.cs patient/MedicationStatement.cus patient/Observation.cs patient/Patient.r patient/QuestionnaireResponse.crus user/Practitioner.r
Reactions Deny access (Clinical record access) User cannot access the clinical record in Bp Premier and cannot launch the form. NA
Reactions Allow access (Clinical record access) Smart Forms loads successfully and the user can access the reactions category. NA

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions