This page provides a detailed reference for the rules and conditions available when configuring Security Policies in the Designer. Security policies use Attribute-Based Access Control (ABAC) to grant or restrict access to patient data based on defined attributes.
For setup instructions, see Setup Security Policies.
Each security policy consists of:
Entity – the type of record the policy applies to (Patient, CDT record, Program, Encounter, etc.)
Conditions – the rules that must evaluate to true for access to be granted
Actions – what the user can do with matching records (View, Create, Edit, Delete)
Conditions reference attributes of the patient, the user, or the relationship between them:
Care Team Member
User is on the patient's care team
Primary Contact
User is set as the patient's primary contact
Region
Patient's region matches the user's assigned region
Territory
Patient's territory matches the user's assigned territory
Program Enrollment
Patient is enrolled in a specific program
Assigned To
Patient is directly assigned to the user
Conditions can be combined with:
AND – all conditions must be true
OR – at least one condition must be true
Example – "Own patients in my region":
Care Team Member = true AND Region = User's Region
For each entity, you can grant:
View – read access to the record
Create – ability to create new records of this type
Edit – ability to modify existing records
Delete – ability to delete records (requires patient delete to be enabled)
When a user has multiple policies (via multiple roles), the most permissive policy applies for each action. Welkin does not use deny-override logic.
Last updated
Was this helpful?
Was this helpful?
