| 1 | +--- |
| 2 | +title: Configure Azure RBAC for FHIR service - Azure Healthcare APIs |
| 3 | +description: This article describes how to configure Azure RBAC for FHIR. |
| 4 | +author: SteveWohl |
| 5 | +ms.service: healthcare-apis |
| 6 | +ms.topic: tutorial |
| 7 | +ms.date: 11/17/2021 |
| 8 | +ms.author: zxue |
| 9 | +--- |
| 10 | + |
| 11 | +# Configure Azure RBAC for Healthcare APIs |
| 12 | + |
| 13 | +> [!IMPORTANT] |
| 14 | +> Azure Healthcare APIs is currently in PREVIEW. The [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 15 | +
|
| 16 | +In this article, you'll learn how to use [Azure role-based access control (Azure RBAC)](../role-based-access-control/index.yml) to assign access to the Healthcare APIs data plane. Azure RBAC is the preferred methods for assigning data plane access when data plane users are managed in the Azure Active Directory tenant associated with your Azure subscription. |
| 17 | + |
| 18 | +You can complete role assignments through the Azure portal. Note that the FHIR service and the DICOM service have defined different application roles. Add or remove one or more roles to manage user access controls. |
| 19 | + |
| 20 | +## Assign roles for the FHIR service |
| 21 | + |
| 22 | +To grant users, service principals, or groups access to the FHIR data plane, select the FHIR service from the Azure portal. Select **Access control (IAM)**, and then select the **Role assignments** tab. Select **+Add**, and then select **Add role assignment**. |
| 23 | + |
| 24 | +If the role assignment option is grayed out, ask your Azure subscription administrator to grant you with the permissions to the subscription or the resource group, for example, “User Access Administrator”. For more information about the Azure built-in roles, see [Azure built-in roles](../role-based-access-control/built-in-roles.md). |
| 25 | + |
| 26 | +[  ](fhir/media/rbac/role-assignment.png#lightbox) |
| 27 | + |
| 28 | +In the Role selection, search for one of the built-in roles for the FHIR data plane, for example, “FHIR Data Contributor”. You can choose other roles below. |
| 29 | + |
| 30 | +* **FHIR Data Reader**: Can read (and search) FHIR data. |
| 31 | +* **FHIR Data Writer**: Can read, write, and soft delete FHIR data. |
| 32 | +* **FHIR Data Exporter**: Can read and export ($export operator) data. |
| 33 | +* **FHIR Data Contributor**: Can perform all data plane operations. |
| 34 | +* **FHIR Data Converter**: Can use the converter to perform data conversion |
| 35 | + |
| 36 | +In the **Select** section, type the client application registration name. If the name is found, the application name is listed. Select the application name, and then select **Save**. |
| 37 | + |
| 38 | +If the client application is not found, check your application registration, to ensure that the name is correct. Ensure that the client application is created in the same tenant where the FHIR service in the Azure Healthcare APIs (hereby called the FHIR service) is deployed in. |
| 39 | + |
| 40 | + |
| 41 | +[  ](fhir/media/rbac/select-role-assignment.png#lightbox) |
| 42 | + |
| 43 | +You can verify the role assignment by selecting the **Role assignments** tab from the **Access control (IAM)** menu option. |
| 44 | + |
| 45 | +## Assign roles for the DICOM service |
| 46 | + |
| 47 | +To grant users, service principals, or groups access to the DICOM data plane, select the **Access control (IAM)** blade. Select the**Role assignments** tab, and select **+ Add**. |
| 48 | + |
| 49 | +[  ](dicom/media/dicom-access-control.png#lightbox) |
| 50 | + |
| 51 | +In the **Role** selection, search for one of the built-in roles for the DICOM data plane: |
| 52 | + |
| 53 | +[  ](dicom/media/rbac-add-role-assignment.png#lightbox) |
| 54 | + |
| 55 | +You can choose between: |
| 56 | + |
| 57 | +* DICOM Data Owner: Full access to DICOM data. |
| 58 | +* DICOM Data Reader: Read and search DICOM data. |
| 59 | + |
| 60 | +If these roles are not sufficient for your need, you can use PowerShell to create custom roles. For information about creating custom roles, see [Create a custom role using Azure PowerShell](../role-based-access-control/custom-roles-powershell.md). |
| 61 | + |
| 62 | +In the **Select** box, search for a user, service principal, or group that you want to assign the role to. |
| 63 | + |
| 64 | +> [!NOTE] |
| 65 | +> If you can't access the FHIR or DICOM service in your application or other tools, you might need to wait a few more minutes for the role assignment to finish propagating in the system. |
| 66 | +
|
| 67 | +## Next steps |
| 68 | + |
| 69 | +In this article, you've learned how to assign Azure roles for the FHIR service and DICOM service. To learn how to access the Healthcare APIs using Postman, see |
| 70 | + |
| 71 | +- [Access using Postman](use-postman.md) |
| 72 | +- [Access using the REST Client](using-rest-client.md) |
| 73 | +- [Access using cURL](using-curl.md) |
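Review bot: the worked example in "Assign roles for the FHIR service" points readers at "FHIR Data Contributor", which the role list right below describes as "Can perform all data plane operations"; since the same list offers FHIR Data Reader, Writer, Exporter and Converter, the text should tell readers to pick the narrowest built-in role that covers the client's actual operations (Reader for read-only clients, Exporter for $export jobs) and present Contributor as the broad option rather than the default. Smaller points in the same hunk: the front-matter title and description say "FHIR service" while the H1 and the second section also cover the DICOM service; "Azure RBAC is the preferred methods" should read "the preferred method"; "grant you with the permissions" should read "grant you the permissions"; the sentence "where the FHIR service in the Azure Healthcare APIs (hereby called the FHIR service) is deployed in" has a doubled "in" and "hereby" should be "hereafter"; the DICOM section opens with "select the **Access control (IAM)** blade" without first telling the reader to select the DICOM service, unlike the FHIR section, and "Select the**Role assignments**" is missing a space; the FHIR Data Converter bullet lacks its closing period; and the four `[  ](...#lightbox)` links have empty link text, so the screenshots ship with no alt text.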