Configure Azure RBAC for FHIR
In this article, you will learn how to use Azure role-based access control (Azure RBAC) to assign access to the Azure API for FHIR data plane. Azure RBAC is the preferred method for assigning data plane access when data plane users are managed in the Azure Active Directory tenant associated with your Azure subscription. If you are using an external Azure Active Directory tenant, refer to the local RBAC assignment reference.
Confirm Azure RBAC mode
To use Azure RBAC, your Azure API for FHIR must be configured to use your Azure subscription tenant for data plane and there should be no assigned identity object IDs. You can verify your settings by inspecting the Authentication blade of your Azure API for FHIR:
The Authority should be set to the Azure Active Directory tenant associated with your subscription and there should be no GUIDs in the box labeled Allowed object IDs. You will also notice that the box is disabled and a label indicates that Azure RBAC should be used to assign data plane roles.
To grant users, service principals or groups access to the FHIR data plane, click Access control (IAM), then click Role assignments and click + Add:
In the Role selection, search for one of the built-in roles for the FHIR data plane:
You can choose between:
- FHIR Data Reader: Can read (and search) FHIR data.
- FHIR Data Writer: Can read, write, and soft delete FHIR data.
- FHIR Data Exporter: Can read and export (
- FHIR Data Contributor: Can perform all data plane operations.
If these roles are not sufficient for your need, you can also create custom roles.
In the Select box, search for a user, service principal, or group that you wish to assign the role to.
The Azure API for FHIR will cache decisions for up to 5 minutes. If you grant a user access to the FHIR server by adding them to the list of allowed object IDs, or you remove them from the list, you should expect it to take up to five minutes for changes in permissions to propagate.
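The same checks and assignments done from the Azure CLI rather than the portal, as an added example that is not part of the original article: it confirms the instance has no allowed object IDs (Azure RBAC mode), assigns one of the four built-in data plane roles at the instance scope, and lists who holds FHIR roles there. The subscription ID, resource group and service name are placeholders; the `properties.accessPolicies` property name is assumed from the Microsoft.HealthcareApis/services resource schema, and a logged-in `az` session in the subscription tenant is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the article): manage Azure RBAC data plane roles on an
# Azure API for FHIR instance with the Azure CLI. Requires a logged-in az session.
set -eu

# Build the ARM resource ID of the instance; this is the RBAC scope for data plane roles.
fhir_scope() {   # usage: fhir_scope <subscription-id> <resource-group> <service-name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.HealthcareApis/services/%s' "$1" "$2" "$3"
}

# Return 0 only for the four built-in FHIR data plane roles named in the article.
is_fhir_role() {   # usage: is_fhir_role <role-name>
  case "$1" in
    "FHIR Data Reader"|"FHIR Data Writer"|"FHIR Data Exporter"|"FHIR Data Contributor") return 0 ;;
    *) return 1 ;;
  esac
}

# Confirm Azure RBAC mode: the Allowed object IDs list must be empty. If it is not,
# local RBAC is still in effect and role assignments will not grant data plane access.
# (properties.accessPolicies is assumed from the resource provider schema.)
check_rbac_mode() {   # usage: check_rbac_mode <scope>
  local n
  n=$(az resource show --ids "$1" --query 'length(properties.accessPolicies || `[]`)' -o tsv)
  [ "$n" -eq 0 ] || { echo "instance still lists $n allowed object IDs; local RBAC is in effect" >&2; return 1; }
}

# Assign a built-in data plane role at the instance scope. Pick the narrowest role
# that fits (Reader for read-only consumers, Contributor only for administrators).
assign_fhir_role() {   # usage: assign_fhir_role <scope> <object-id> <User|Group|ServicePrincipal> <role>
  is_fhir_role "$4" || { echo "unknown FHIR data plane role: $4" >&2; return 1; }
  az role assignment create --scope "$1" --assignee-object-id "$2" \
    --assignee-principal-type "$3" --role "$4" -o none
  echo "assigned '$4' to $2; the server caches decisions, allow up to 5 minutes to take effect"
}

# Audit: list every principal holding a FHIR data plane role at (or inherited by) this scope.
audit_fhir_roles() {   # usage: audit_fhir_roles <scope>
  az role assignment list --scope "$1" --include-inherited \
    --query "[?starts_with(roleDefinitionName, 'FHIR Data')].{principal:principalName,type:principalType,role:roleDefinitionName}" \
    -o table
}
```

Run `check_rbac_mode` before assigning: a non-empty Allowed object IDs list is the usual reason a freshly assigned role appears to do nothing.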
In this article, you learned how to assign Azure roles for the FHIR data plane. To learn about additional settings for the Azure API for FHIR: