# SOP: Role Policy Assignment

## Summary

Whenever a role needs to be granted (or denied) permission to perform an action, access data, or use fields, the policy decision point uses the policies assigned to the active roles to determine the appropriate action.

### Use Procedure When

* [ ] There is a new policy which needs to be granted to, or denied for, an existing group
* [ ] There is a formal request to block types of data or actions from members of an existing group
* [ ] The legislative or policy environment has changed and policies on roles need to be modified

## Procedure

### Before Beginning

* [ ] Ensure that the policy and role assignment are documented in a knowledgebase
* [ ] Ensure that the policy has been created
* [ ] Ensure that the administrative design matches the desired policy assignment (i.e., should this really be an assignment to an existing group, or should it be an assignment to a new group?)
* [ ] Familiarize yourself with the [Security Architecture](/santedb/security-architecture.md)
* [ ] Your account has the **Alter Role** security permission

### Procedures / Tasks

1. Access the SanteDB Administrative Portal by [Logging In](/operations/cdr-administration/santedb-administration-panel/logging-in.md)
2. Access the [Security Administration](/operations/cdr-administration/santedb-administration-panel/security-administration.md) menu item
3. Access the [Managing Groups](/operations/cdr-administration/santedb-administration-panel/security-administration/managing-groups.md#group-list) page
4. Locate the group to which the policies are being assigned/removed and click `Edit`
5. Locate the policy (documented in [Managing Groups](/operations/cdr-administration/santedb-administration-panel/security-administration/managing-groups.md#assigning-policies)) and press the `Add` button
6. Search for the assigned policy
7. Select the appropriate enforcement permission:
   1. **Grant** - Members of the group should be allowed to access data tagged with the policy or perform actions demanding the policy
   2. **Deny** - Members of the group should not be allowed to access data tagged with the policy or perform actions demanding the policy
   3. **Elevate** - Members of the group may access data or perform actions tagged with the policy, but only after re-authenticating themselves

### After Completion

* [ ] Close the ticket which was created to assign the policy
* [ ] Notify the manager / most responsible person for the group that the assignment has been changed

## Summary Information

**Current Status:** Example\
**Reviewed By:** SanteSuite Team

### **Revision History**

<table><thead><tr><th width="150">Author</th><th width="245">Date</th><th>Changes</th></tr></thead><tbody><tr><td>Justin Fyfe (SanteSuite)</td><td>2022-03-15</td><td>Initial Version</td></tr></tbody></table>

### See Also

{% content-ref url="/spaces/-LZ0\_pjgTp\_kx4hqTZ3a/pages/-MFla\_YxU1vKxg\_XUEuf" %}
[Security Architecture](/santedb/security-architecture.md)
{% endcontent-ref %}

{% content-ref url="/spaces/-LZ0\_pjgTp\_kx4hqTZ3a/pages/-MYD52LcR-11YKpuBDnj" %}
[Privacy Architecture](/santedb/privacy-architecture.md)
{% endcontent-ref %}

{% content-ref url="/spaces/-LZ0\_pjgTp\_kx4hqTZ3a/pages/GyPcKlCnRlQAjNqj2cYK" %}
[Managing Policies](/operations/cdr-administration/santedb-administration-panel/security-administration/managing-policies.md)
{% endcontent-ref %}

{% content-ref url="/spaces/-LZ0\_pjgTp\_kx4hqTZ3a/pages/fYV7V8FXz7ky9h03OZbj" %}
[Managing Groups](/operations/cdr-administration/santedb-administration-panel/security-administration/managing-groups.md)
{% endcontent-ref %}

