Roles and Permissions

Zus uses a role-based access control (RBAC) model to manage user and app client permissions. When you set up a user or app client, Zus guides you to assign them a role. This role controls which services and endpoints a user can access, and what operations they can execute against those endpoints.

Zus provides you with three roles out of the box: Builder Admin, Care Team User, and Patient. Builder Admin and Care Team User roles have access to all data within a Builder account for resource types that they are allowed to read or edit. Patient users have access to select FHIR resource types associated with themselves only.

Builder Admin

This role has full admin permissions within a Builder account to:

  • Read, create, update, and delete all FHIR resource types (aside from certain Conformance, Terminology, and Security resource types managed by Zus)
  • Read, create, update, and delete users and app clients
  • Access other Builders' data via Cross-Builder Grants if their Builder has these in place

Care Team User

This role allows users to participate in care teams and interact with patient data but withholds administrative and configuration permissions for the Builder account. Within a Builder account, care team users can:

  • Read all FHIR resource types (aside from certain Conformance, Terminology, and Security resource types managed by Zus)
  • Create, update, and delete select resource types (e.g., Patient, CarePlan, CareTeam, Goal)

Patient

This role allows patient users to interact with only their own patient data, withholds administrative and configuration permissions for their Builder, and limits operations on some FHIR resource types. Within a Builder account, patients can:

  • Read select FHIR resource types associated with themselves only (e.g., Patient, Condition)
  • Create or update select resource types (e.g., QuestionnaireResponse, MedicationStatement)

Notes:

  • A user with the Patient role must also have their userType set to "individual", which ensures that this user can see only data about themselves.
  • Patients cannot delete any resources in Zus.