Access Control and Row-Level Security
Profound Health uses Azure Entra ID for authentication and Supabase Row-Level Security (RLS) to enforce fine-grained authorization. Roles map to clinical responsibilities and determine which rows a user or service account can access.
Role Model
| Role | Description | Typical Surface |
|---|---|---|
patient | Individuals receiving care. Limited to their own records and educational content. | Patient App |
partner_provider | PCPs and clinic staff at partner organizations. Access limited to their patients. | Partner Provider Portal |
bhcm | Behavioral health care managers employed by Profound Health. | Internal Provider Portal |
psychiatrist | Consulting psychiatrists performing case reviews. | Internal Provider Portal |
internal_ops | Revenue cycle, compliance, and scheduling teams. | Internal Ops Portal |
system_service | Automation actors (billing runs, nightly syncs). | Edge Functions |
RLS Policies
Every table in Supabase is protected by explicit policy statements. Common patterns include:
- Tenant guard:
organization_id = auth.uid()for partner-facing tables. - Patient scope:
patient_id = auth.jwt()->>'sub'for patient-owned resources. - Read vs. write separation: Read policies include shared clinical team members; write policies only include accountable roles.
create policy "BHCM can update active patients" on care.encounters
for update using (
exists (
select 1
from care.panel_assignments pa
where pa.patient_id = care.encounters.patient_id
and pa.user_id = auth.uid()
and pa.role = 'bhcm'
)
);
Policy Drift
All policy definitions live under icp/supabase/schemas. Never edit policies directly in the Supabase dashboard; changes must flow through migrations to stay reproducible.
Delegated Access
- Partner organizations receive scoped service accounts to support EHR integrations. Tokens only expose the endpoints necessary for enrollment and data sync.
- Temporary access (e.g., onboarding support) is managed through Entra Privileged Identity Management with automatic expiration.
Auditing
- Every policy evaluation emits an audit log entry capturing the user, table, action, and decision (allow/deny).
- Denied attempts are surfaced in the Audit Logging dashboard for investigation.
Private Deep Dive
Detailed policy matrices, including SQL excerpts for each schema, live in the private guide RLS Policies with Examples (private).
Strong access controls keep clinical and financial data isolated while enabling collaborative care across distributed teams.
Last updated October 1, 2025 by Profound Health.
