Scheduling Service — Security Model
Status: populated Owner: TBD Last updated: 2026-04-17 Companion: Service Template · 13 security
1. RBAC/ABAC Matrix
| Role | Book Appointment | Cancel | Reschedule | Manage Schedules | Manage Slots | View Waitlist | Double-booking Override |
|---|---|---|---|---|---|---|---|
| FRONT_DESK | ✓ | ✓ | ✓ | — | — | ✓ | — |
| SCHEDULER | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| NURSE | ✓ | ✓ | — | — | — | ✓ | — |
| PHYSICIAN | ✓ | ✓ | ✓ | — | — | ✓ | — |
| ADMIN | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| patient | Self-book | Own cancel | — | — | — | — | — |
| VIEWER | — | — | — | — | — | ✓ (read) | — |
ABAC additions:
- Double-booking override (`allowDoubleBooking=true`) requires the `SCHEDULER` or `ADMIN` role; the audit record captures the override actor.
- Patient self-book (`POST /appointments/self`) requires the JWT `patientId` claim; `PATIENT_ID_CLAIM_REQUIRED` error if the claim is missing.
2. Encryption Classes
| Data | Classification | Encryption |
|---|---|---|
| Appointment records (patientId, reason, providerId) | PHI Class II | AES-256-GCM at rest (PG encrypted volume) |
| Reminder message content | PHI Class II | TLS in transit; no PHI in reminder body by default |
| NATS event payloads | PHI Class II | TLS in transit; minimal PII (IDs only) |
| Audit events | PHI Class II | Append-only; encrypted in audit-service |
3. Audit Events
| Action | Audit code |
|---|---|
| Appointment created | APPOINTMENT_CREATED |
| Appointment cancelled | APPOINTMENT_CANCELLED |
| Appointment rescheduled | APPOINTMENT_RESCHEDULED |
| Check-in | APPOINTMENT_CHECKIN |
| No-show recorded | APPOINTMENT_NOSHOW |
| Double-booking override | APPOINTMENT_DOUBLE_BOOKING_OVERRIDE |
| Schedule created/updated | SCHEDULE_MODIFIED |
| Waitlist fulfilled | WAITLIST_FULFILLED |
All audit events include tenantId, actorId, patientId, appointmentId, action, timestamp.
4. GDPR Participation
| Right | Implementation |
|---|---|
| Right to access | All appointments for a patient available via GET /appointments?patientId= |
| Right to erasure | Logical deletion only; physical purge via data governance workflow |
| Data minimization | Reminders contain only appointment date/time and facility; no clinical reason by default |
| Consent for reminders | Consent flags from registration-service honored before dispatching SMS/email |
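Sections 2 and 4 both reduce to the same rule: what leaves the service through NATS or a reminder channel is an allowlisted projection of the appointment record, and reminders are gated on the registration-service consent flags. The TypeScript below is an added example, not the service's own code. The appointment record shape, the consent-flag names (`sms`, `email`), the `includeReason` opt-in, and the reminder wording are assumptions of this example.

```typescript
// Added example: data-minimized NATS payloads and consent-gated reminder bodies.
// Not the scheduling service's own code; record and consent shapes are assumed.

interface Appointment {
  tenantId: string;
  appointmentId: string;
  patientId: string;
  providerId: string;
  facilityName: string;
  startsAt: string;   // ISO-8601 instant in UTC
  reason: string;     // clinical reason: PHI Class II, never emitted by default
}

// Consent flags as delivered by registration-service (shape assumed).
interface Consent { sms: boolean; email: boolean }
type Channel = keyof Consent;

// Allowlist for NATS event payloads: identifiers only (section 2).
const EVENT_FIELDS = ['tenantId', 'appointmentId', 'patientId', 'providerId'] as const;

function pick<T, K extends keyof T>(obj: T, keys: readonly K[]): Pick<T, K> {
  const out = {} as Pick<T, K>;
  for (const k of keys) out[k] = obj[k];
  return out;
}

type AppointmentEvent = Pick<Appointment, (typeof EVENT_FIELDS)[number]> & { type: string };

// Build the payload by projection, so a new column on the record can never leak by default.
function toEventPayload(a: Appointment, type: string): AppointmentEvent {
  return { type, ...pick(a, EVENT_FIELDS) };
}

// Publish-time guard: rejects any payload carrying a key outside the allowlist.
function assertIdsOnly(payload: object): void {
  const allowed = new Set<string>(['type', ...EVENT_FIELDS]);
  for (const k of Object.keys(payload)) {
    if (!allowed.has(k)) throw new Error(`refusing to publish: non-identifier field ${k}`);
  }
}

// Reminder body carries only date/time and facility (section 4); the clinical reason is
// included only when explicitly opted in. Returns null when the channel lacks consent.
function buildReminder(
  a: Appointment, consent: Consent, channel: Channel, includeReason = false,
): { channel: Channel; body: string } | null {
  if (!consent[channel]) return null;
  const iso = new Date(a.startsAt).toISOString();
  let body = `Reminder: appointment on ${iso.slice(0, 10)} at ${iso.slice(11, 16)} UTC, ${a.facilityName}.`;
  if (includeReason) body += ` Reason: ${a.reason}.`;
  return { channel, body };
}

// Constructed sample record for demonstration; not real data.
const sampleAppointment: Appointment = {
  tenantId: 't1', appointmentId: 'a1', patientId: 'p1', providerId: 'dr1',
  facilityName: 'Main Street Clinic', startsAt: '2026-05-04T09:30:00Z',
  reason: 'chest pain follow-up',
};
```

Projecting through an allowlist rather than deleting known-sensitive keys is the safer direction: a field added to the record later is excluded until someone adds it to `EVENT_FIELDS`, and `assertIdsOnly` catches a payload assembled by any other path before it reaches the broker.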
5. Module Entitlement
All routes are guarded by ModuleEntitlementGuard for the ehr.scheduling module; a request from a tenant without that license is rejected with 403 and a stable module error code.