Roles and Permissions
Zus uses a role-based access control (RBAC) model to manage user and app client permissions. When you set up a user or app client, Zus guides you to assign them a role. This role controls which services and endpoints a user can access, and what operations they can execute against those endpoints.
Zus provides two roles out of the box: Builder Admin and Care Team User. Both roles can access all data within a Builder account for the resource types they are permitted to read or edit; what differs between them is which resource types and operations those are.
Builder Admin
This role has full admin permissions within a Builder account to:
- Read, create, update, and delete all FHIR resource types (aside from certain Conformance, Terminology, and Security resource types managed by Zus)
- Read, create, update, and delete users and app clients
- Access other Builders' data via Cross-Builder Grants if their Builder has these in place
Care Team User
This role allows users to participate in care teams and interact with patient data but withholds administrative and configuration permissions for the Builder account. Within a Builder account, care team users can:
- Read all FHIR resource types (aside from certain Conformance, Terminology, and Security resource types managed by Zus)
- Create, update, and delete select resource types (e.g., Patient, CarePlan, CareTeam, Goal)
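The two role descriptions above can be read as a small policy table: role, operation, resource type, and Builder scope decide the outcome. The following Python policy evaluator is an added illustration of that table and is not Zus's own code or API. It assumes a concrete list of Zus-managed resource types (the page says only "certain Conformance, Terminology, and Security resource types"), treats the page's "e.g." list of writable types for Care Team Users as the full set, and assumes Care Team Users and user/app-client management are scoped to the principal's own Builder; all three are assumptions made for the example.

```python
"""Added example: a toy policy evaluator for the Builder Admin and Care Team User
roles described on this page. Not Zus's code; the resource-type sets are constructed
from the page text and labelled where they go beyond it."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    READ = "read"
    CREATE = "create"
    UPDATE = "update"
    DELETE = "delete"


# ASSUMPTION: the page says "certain Conformance, Terminology, and Security resource
# types" are managed by Zus but does not list them; these names are illustrative.
ZUS_MANAGED_TYPES = {"CapabilityStatement", "StructureDefinition",
                     "ValueSet", "CodeSystem", "AuditEvent"}

# The page lists these as examples ("e.g."); ASSUMPTION: treat them as the full set.
CARE_TEAM_WRITABLE_TYPES = {"Patient", "CarePlan", "CareTeam", "Goal"}

# Administrative (non-FHIR) targets that only a Builder Admin may manage.
ADMIN_TARGETS = {"User", "AppClient"}

ROLES = {"Builder Admin", "Care Team User"}


@dataclass(frozen=True)
class Principal:
    role: str      # "Builder Admin" or "Care Team User"
    builder: str   # the Builder account the principal belongs to


@dataclass(frozen=True)
class Request:
    op: Op
    resource_type: str
    builder: str   # the Builder account whose data is being accessed


def decide(principal: Principal, req: Request,
           grants: set[tuple[str, str]]) -> tuple[bool, str]:
    """Return (allowed, reason).

    `grants` holds Cross-Builder Grants as (granting_builder, grantee_builder) pairs:
    the first Builder has allowed the second to access its data.
    """
    if principal.role not in ROLES:
        return False, "unknown role: deny by default"

    # User and app-client management is an admin-only capability.
    # ASSUMPTION: it is scoped to the principal's own Builder account.
    if req.resource_type in ADMIN_TARGETS:
        if req.builder != principal.builder:
            return False, "user/app client management is limited to own Builder"
        if principal.role == "Builder Admin":
            return True, "admin may manage users and app clients"
        return False, "administrative permissions withheld from care team users"

    # Cross-Builder access: only a Builder Admin, and only when the target Builder
    # has a grant in place for the principal's Builder. ASSUMPTION: Care Team Users
    # are confined to their own Builder account.
    if req.builder != principal.builder:
        if principal.role != "Builder Admin":
            return False, "care team users are limited to their own Builder"
        if (req.builder, principal.builder) not in grants:
            return False, "no Cross-Builder Grant from target Builder"

    # Neither role can touch the resource types Zus manages.
    if req.resource_type in ZUS_MANAGED_TYPES:
        return False, "resource type managed by Zus"

    if principal.role == "Builder Admin":
        return True, "admin has full access to FHIR resource types"

    # Care Team User: read everything else, write only the select types.
    if req.op == Op.READ:
        return True, "care team users may read all FHIR resource types"
    if req.resource_type in CARE_TEAM_WRITABLE_TYPES:
        return True, "care team users may write select resource types"
    return False, f"care team users may not {req.op.value} {req.resource_type}"


if __name__ == "__main__":
    # Constructed sample principals and a single grant: builder-b lets builder-a in.
    admin = Principal("Builder Admin", "builder-a")
    clinician = Principal("Care Team User", "builder-a")
    grants = {("builder-b", "builder-a")}
    for p, r in [
        (clinician, Request(Op.DELETE, "Observation", "builder-a")),
        (clinician, Request(Op.CREATE, "CarePlan", "builder-a")),
        (admin, Request(Op.UPDATE, "ValueSet", "builder-a")),
        (admin, Request(Op.READ, "Patient", "builder-b")),
        (admin, Request(Op.READ, "Patient", "builder-c")),
    ]:
        print(p.role, r.op.value, r.resource_type, r.builder, "->", decide(p, r, grants))
```

The evaluator denies by default and checks the most restrictive conditions first (administrative targets, Builder scope, Zus-managed types) before consulting role-specific rules, which is the order that keeps an unknown role or a missing grant from ever falling through to an allow.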