Security Policies implement Attribute-Based Access Control (ABAC) in Welkin. They define rules that determine which patient records, data types, and actions are accessible to users based on their attributes (role, region, care team assignment, etc.). This page covers the initial setup process.
For detailed policy rule configuration, see Security Policy Detail. For an overview of how policies work, see Configuring Security Policies.
Before creating security policies:
Define your user roles in the Admin Portal
Define regions and territories if your organization uses geographic access control (see Defining Regions and Territories)
Understand your organization's data access requirements – which users should see which patients
In the Designer, navigate to Security Policies.
Click + Add Policy.
Enter a Name for the policy (e.g., "Care Manager – Own Patients Only").
Define the access rules:
Select the entity the policy applies to (Patient, CDT, Program, etc.)
Set the conditions that must be true for access to be granted
Set the permitted actions (View, Edit, Delete)
Save the policy.
Go to Roles in the Designer or Admin Portal.
Edit the target role.
Under Security Policies, attach the appropriate policy.
Save and publish.
After publishing, test the policy by logging in as a user with the affected role and verifying:
They can see the records they should have access to
They cannot see records outside their permitted scope
Security policy changes require a draft and publish cycle before taking effect.
Last updated
Was this helpful?
Was this helpful?
