National role-based access control (RBAC) for developers

Some of our APIs require you to implement national role-based access control (RBAC) in your software.

This page explains what national RBAC is and how to implement it.

Role-based access control (RBAC) is a way of ensuring that users are suitably authorised.

Here's how it works:

1. users are assigned pre-defined roles - for example, Sarah is a general practitioner
2. roles are linked to pre-defined activities - for example, general practitioners can view patients' demographic details
3. users can have multiple roles - for example, Sarah might be both a general practitioner and a privacy officer
4. roles can be linked to multiple activities - for example, a general practitioner might be able to both view and amend patients' demographic details

Overview

We own and maintain a national database of roles and permissions for healthcare workers called the national RBAC database.

The database consists of:

• Job Roles (‘R’ codes) - the set of roles that can be assigned to users, for example Clinical Practitioner (R8000)

• Activities (‘B’ codes) - the set of activities that users can perform, for example Amend Patient Demographics (B0825)

• Baseline Policy - the default mapping of roles to activities, for example a Clinical Practitioner can perform the Amend Patient Demographics activity

Included activities

Activities can include other activities. For example, Amend Patient Demographics (B0825) includes View Patient Demographics (B0820). When checking activities, you must also consider any included activities.

Accessing the national RBAC database

To access the national RBAC database, you can:

• access it directly in the Spine Directory Service (SDS) using the Spine Directory Service LDAP API

• download a snapshot of it as a spreadsheet from Registration authorities and smartcards

The database doesn’t change that often, so using a snapshot is fine in most cases.

User accounts and roles

To use national RBAC, users must:

• be registered with an account in the Care Identity Service (CIS)

• be assigned an appropriate role or roles from the national RBAC database

This is done by their Registration Authority (RA). The RA then issues the user with a form of identification - a smartcard and PIN or a modern alternative.

Directly assigned activities

Normally, users are assigned roles, and roles are associated with activities. Everyone with a given role can perform all the activities for that role.

However, it is also possible to assign activities directly to users.

In particular, this approach must be used for the e-Referral Service (e-RS), which has activities but no associated roles.

If an API requires you to implement national RBAC, you must:

1. allow the user to authenticate

2. allow the user to select a role for the current session - if they have multiple roles

3. check that the user is authorised for the activity by checking the national RBAC database

4. include the user’s role profile ID when calling the API

Exactly how you do this depends on the API. For more details, see the API catalogue.