Snow Owl security features enable you to easily secure your terminology server. You can password-protect your data as well as implement more advanced security measures such as role-based access control and auditing.


By default, Snow Owl comes without any security features enabled and all read and write operations are unprotected. To configure a security realm, you can choose from the following built-in identity providers:


After configuring at least one security realm, Snow Owl will authenticate all incoming requests to ensure that the sender of the request is allowed to access the terminology server and its contents. To authenticate a request, the client must send an HTTP Basic or Bearer Authorization header with the request. The value should be a user/pass pair in case of using Basic authentication or a JWT token generated by Snow Owl if using the Bearer method.

NOTE: It is recommended in production environments that all communication between a client and Snow Owl is performed through a secure connection.

Snow Owl sends a HTTP 401 Unauthorized response if a request needs to be authenticated.


If supported by the security realm, Snow Owl will also check whether an authenticated user is permitted to perform the requested action on a given resource.

Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members, staff, or other system users are assigned particular roles, and through those role assignments acquire the permissions needed to perform particular system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user or changing a user's department.


  1. Role assignment: A subject can exercise a permission only if the subject has selected or been assigned a role.

  2. Permission authorization: A subject can exercise a permission only if the permission is authorized for the subject's active role.

With rules 1 and 2, it is ensured that users can exercise only permissions for which they are authorized.

S = Subject = A person or automated agent R = Role = Job function or title which defines an authority level P = Permissions = An approval of a mode of access to a resource


In Snow Owl a permission is a single value that represents both the operation the user would like to perform and the resource that is being accessed. The format is the following: <operation>:<resource>

Currently there are 7 operations supported by Snow Owl:

  • browse - read the contents of a resource

  • edit - write the contents of the resource, delete the resource

  • import - import from external content and formats

  • export - export to external content and formats

  • version - create a version in a Code System, create a release

  • promote - merge content from isolated branch environments to a Code System's development version

  • classify - run classifiers and save their results

Resources represent the content that is being accessed by a client. A resource can be anything that can be resolved to a database entry. Currently, the following resource formats are allowed to be used in a permission:

  • <repositoryId> - access the entire content available in a terminology repository

  • <repositoryId>/<branch> - access the content available on a branch in a terminology repository

  • <codeSystemId> - access all content of a Code System, including both the latest development and all previous releases

  • <codeSystemId>/<versionId> - access a specific release of a Code System

There is a special * wild card character that can be used for both the operation and resource parts in a permission value to allow any operation to be performed on any or selected resources, or to allow certain operations to be performed on any available resources.


  • browse:snomedStore - browse all SNOMED CT Code Systems and their content

  • edit:SNOMEDCT-UK-CL - edit the SNOMEDCT-UK-CL Code System

  • export:SNOMEDCT-US/2019-03-01 - export the 2019-03-01 US Extension release

  • *:SNOMEDCT - allow any operations to be performed on the SNOMEDCT Code System

  • browse:* - allow read operations on all available resources

  • *:* - administrator permission, the user can do anything with any of the available resources

Last updated