Projects
Medplum Projects are the primary mechanism of access control. Projects are isolated containers of FHIR resources that are administered separately, and which can have different settings.
Medplum Projects enable the following use cases:
- Development vs. Production: A common requirement is for development teams to have a separate Project, with non-protected data, for testing and debugging, before deploying workflow changes to production. A common Medplum usage pattern is to create a "development", "staging", and "production" Project.
- Multi-tenancy: In B2B2C environments, a service provider may partner with multiple healthcare organizations to deliver care to patients. Projects can provide each of these partners their own isolated environments that have their own patient data, log-in flows, and project administrators. Medplum uses a multi-tenant instance for our hosted offering.
Isolation Model
Medplum Projects create a hard boundary between FHIR resources, and resources within one project cannot reference resources in another.
Additionally, Projects each have their own user administration. A user can be a member of one or multiple Projects, with different privileges in each. See our User Administration Guide for more information.
Projects can each be configured with their own global settings and secrets (see Project Settings below).
Project Linking
Sometimes it is useful to share a common set of resources with multiple projects.
Medplum super administrators can create shared projects and link them into multiple target projects. Users of those target projects get a read-only view of all resources in the shared projects.
When a project is linked, all resources from the linked project appear alongside the target project's resources in search results and queries.
Common Use Cases
- Sharing large CodeSystems and ValueSets for standard terminology. For example, the Medplum UMLS integration: ICD-10, RxNORM, LOINC, SNOMED
- Sharing FHIR profiles (StructureDefinition resources) for a specific clinical domain
- Sharing common data sets (e.g. Medplum Payor Directory, Medplum Lab Directory)
- Sharing Bots
Certain Medplum features, including first-party integrations, require access to shared sets of resources, such as CodeSystem, ValueSet, and Organization.
Viewing Linked Projects
You can see linked Projects in the Medplum App by:
- Navigating to app.medplum.com/Project
- Selecting your Project
- Selecting the "Details" tab
Best Practices
When working with linked projects:
- Be aware that queries like medplum.searchresources() will return the first matching resource across all accessible projects (both local and linked)
- If you need to distinguish between local and linked resources, consider adding additional search parameters, such as the _compartment search parameter.
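The following added example (not Medplum's own code) shows the best practices above in client code: it appends _compartment to a search and then separates local results from linked ones, so that "first match" never silently resolves to a shared resource. The function names, the project id, the sample Bundle and the Project/<id> compartment reference format are assumptions of this example, as is relying on the meta.project field that Medplum stamps on stored resources.

```javascript
// Placeholder id for the caller's own Project (constructed, not a real id).
const LOCAL_PROJECT_ID = 'local-project-id';

// Build a FHIR search string and add _compartment to narrow its scope.
// The compartment reference format is an assumption of this example.
function buildScopedQuery(resourceType, params, compartmentRef) {
  const qs = new URLSearchParams(params);
  qs.set('_compartment', compartmentRef);
  return `${resourceType}?${qs.toString()}`;
}

// Split a searchset Bundle into local and linked resources.
// Assumption: each stored resource carries its owning Project id in meta.project.
// A resource without meta.project is treated as not local (fail closed).
function partitionByProject(bundle, localProjectId) {
  const local = [];
  const linked = [];
  for (const entry of bundle.entry ?? []) {
    const resource = entry.resource;
    if (!resource) continue;
    (resource.meta?.project === localProjectId ? local : linked).push(resource);
  }
  return { local, linked };
}

// Return the first match that belongs to the local Project, if any.
function firstLocal(bundle, localProjectId) {
  return partitionByProject(bundle, localProjectId).local[0];
}

// Constructed search result: the linked (shared) resource sorts first.
const sampleBundle = {
  resourceType: 'Bundle',
  type: 'searchset',
  entry: [
    { resource: { resourceType: 'ValueSet', id: 'vs-shared', meta: { project: 'shared-project-id' } } },
    { resource: { resourceType: 'ValueSet', id: 'vs-local', meta: { project: LOCAL_PROJECT_ID } } },
    { resource: { resourceType: 'ValueSet', id: 'vs-unknown' } },
  ],
};

console.log(buildScopedQuery('ValueSet', { name: 'allergies' }, `Project/${LOCAL_PROJECT_ID}`));
console.log(firstLocal(sampleBundle, LOCAL_PROJECT_ID).id);
```

Taking entry[0] of the sample Bundle would return the shared ValueSet; the partition step makes the choice between local and linked data explicit.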
The SuperAdmin Project
The main exception to this isolation model is the "Super Admin" project. This is a special project that provides a global view over all the resources on the Medplum server. See our SuperAdmin Guide for more information.
The SuperAdmin has the following privileges:
- Access to protected resources
- Ability to overwrite the id of a resource, which is normally server generated
- Ability to overwrite fields in the meta element of resources such as author, lastUpdated, etc.
Logging into the Super Admin project allows for potentially dangerous operations and is only intended for server administrators.
To switch to the SuperAdmin project or check if you are already in it, you can use the profile selector.
Creating a Project
Medplum App
- Visit https://app.medplum.com/register, or visit https://app.medplum.com/signin and click the "Register" link
- Sign in with an existing user, or enter the details for a new user account
- Enter your project name
Project Settings
Project-level settings can be used to configure server behavior for different groups of users. A subset of the available settings related to authentication and access control are shown below; see the full Project Settings documentation for more information.
Setting | Description | Default |
---|---|---|
superAdmin | Whether this project is the super administrator project (see above). | false |
features | A list of optional features that are enabled for the project. Values related to access control include: | |
defaultPatientAccessPolicy | The default AccessPolicy applied to all Patient Users invited to this Project. This is required to enable open patient registration. | |
Project Secrets
Each Project can store a set of key/value pairs to store configuration values, such as API keys, needed by Bots.
See Bot Secrets for more information.
Cloning and Expunging Projects
Self-hosted users have two advanced project administration operations available to them:
- $clone - Make a copy of an existing Project and all its resources.
- $expunge - Perform a "hard delete" of a Project and all its resources. This will remove all the related resource rows from the database.
For more information, refer to the Super Admin Project Management guide.