Roles and Permissions

Zus uses a role-based access control (RBAC) model to manage user and app client permissions. When you set up a user or app client, Zus guides you to assign them a role. This role controls which services and endpoints a user can access, and what operations they can execute against those endpoints.

Zus provides you with three roles out of the box: Builder Admin , Care Team User, and Permissionless. Builder Admin and Care Team User roles have access to all data within a Builder account for resource types that they are allowed to read or edit.

Builder Admin

This role has full admin permissions within a Builder account to:

• Read, create, update, and delete all FHIR resource types (aside from certain Conformance, Terminology, and Security resource types managed by Zus)
• Read, create, update, and delete users and app clients
• Access other Builders' data via Cross-Builder Grants if their Builder has these in place

Care Team User

This role allows users to participate in care teams and interact with patient data but withholds administrative and configuration permissions for the Builder account. Within a Builder account, care team users can:

• Read all FHIR resource types (aside from certain Conformance, Terminology, and Security resource types managed by Zus)
• Create, update, and delete select resource types (e.g., Patient, CarePlan, CareTeam, Goal)

Permissionless

This role has no permissions and will prevent a user from being able to access Zus UIs or APIs to read or write data.

Note: Users with this permission can still access Zus-hosted Snowflake reader accounts. Therefore, to remove a user's access to Snowflake, please submit a ticket to [email protected] to have the user removed from Snowflake as well.