# Security Policy Detail

## Overview

This page provides a detailed reference for the rules and conditions available when configuring Security Policies in the Designer. Security policies use Attribute-Based Access Control (ABAC) to grant or restrict access to patient data based on defined attributes.

For setup instructions, see [Setup Security Policies](/designer/security/setup-security-policies.md).

***

## Policy Structure

Each security policy consists of:

* **Entity** – the type of record the policy applies to (Patient, CDT record, Program, Encounter, etc.)
* **Conditions** – the rules that must evaluate to true for access to be granted
* **Actions** – what the user can do with matching records (View, Create, Edit, Delete)

***

## Condition Attributes

Conditions reference attributes of the patient, the user, or the relationship between them:

| Attribute              | Description                                               |
| ---------------------- | --------------------------------------------------------- |
| **Care Team Member**   | User is on the patient's care team                        |
| **Primary Contact**    | User is set as the patient's primary contact              |
| **Region**             | Patient's region matches the user's assigned region       |
| **Territory**          | Patient's territory matches the user's assigned territory |
| **Program Enrollment** | Patient is enrolled in a specific program                 |
| **Assigned To**        | Patient is directly assigned to the user                  |

***

## Combining Conditions

Conditions can be combined with:

* **AND** – all conditions must be true
* **OR** – at least one condition must be true

Example – "Own patients in my region":

* Care Team Member = true **AND** Region = User's Region

***

## Permitted Actions

For each entity, you can grant:

* **View** – read access to the record
* **Create** – ability to create new records of this type
* **Edit** – ability to modify existing records
* **Delete** – ability to delete records (requires patient delete to be enabled)

***

## Policy Precedence

When a user has multiple policies (via multiple roles), the most permissive policy applies for each action. Welkin does not use deny-override logic.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.welkinhealth.com/designer/security/security-policy-detail.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.