Comparison

Fire Arrow vs building RBAC in your own API

Authorization in healthcare quickly outgrows simple role checks. Patients, clinicians, organisations, CareTeams, and service accounts each need different rules, and those rules must apply consistently across REST, GraphQL, and search. Fire Arrow expresses this as configuration; building it yourself is mostly an exercise in keeping the rules consistent.

Review Fire Arrow editions Book an architecture comparison

Who this is for

Architects, CTOs, staff engineers, and product leaders evaluating FHIR infrastructure options.

Clinical applicability

A multi-clinic SaaS cannot rely on client-side organisation filters when FHIR search remains global. The backend must narrow searches to the caller's clinic and respect cross-clinic CareTeam relationships, and it must do so consistently for REST, GraphQL, and bulk operations.

Capability comparison

Capability Fire Arrow building RBAC in your own API
Role + resource + operation matching Built-in Build per route
Compartment validators (Patient/Practitioner/RelatedPerson/Device) Built-in Build
LegitimateInterest (org-scoped) Built-in, additive across roles Build
CareTeam (cross-org patient-scoped) Built-in Build
Identity filters (FHIRPath) Built-in Build
Property filters with side-channel protection Built-in (NullFilter, RandomFilter, blocked-search-params) Build per response and per search
Search narrowing (REST and GraphQL) Built-in at query time Build into each path
Rule debugger X-Fire-Arrow-Debug header Build

When to choose building RBAC in your own API

Your access model is small, stable, not strongly tied to FHIR relationships, and unlikely to grow new roles or cross-organisation patterns.

When to choose Fire Arrow

Your access model depends on patient compartments, practitioner roles, organisations, CareTeams, identity-conditional rules, property filters, and consistent search narrowing across REST and GraphQL.

Related docs

Related pages

FAQ

What is the worst-case failure of building it ourselves?

Inconsistency across access paths. A rule enforced on REST search but missed on GraphQL search is the canonical bug, and it tends to surface in production. Fire Arrow's model evaluates rules in a single layer that all access paths flow through.

Can we adopt Fire Arrow's rules incrementally?

Yes. You can start by granting `Allowed` for roles you have not yet modelled and tighten rules as you add validators and identity filters. The deny-by-default mode is a switch that you flip when the rule set is complete.