Stage 4 — GOVERN
When consent.fail-closed: true (the default), any consent service failure — timeout, network error, 5xx — generates MSA|AE and stops the pipeline. No data is written without a confirmed consent permit. Do not change this for production deployments.
What happens
Before any FHIR write occurs, JamConnectClient.checkConsent() calls AJ Consent Manager through JamConnect:
POST /jamconnect/consent/check
Host: jamconnect:8091
{
"patientRef": "Patient/GOLDEN-00441",
"actorRef": "Organization/org-br01-001",
"resourceType": "Patient",
"action": "write",
"purpose": "TREAT"
}
Response handling
{"permitted": true, "policyRef": "Consent/chain-consent-00441"}
→ Pipeline continues to Stage 5.
{"permitted": false, "reason": "Patient has withdrawn consent for this actor"}
→ JamBridge generates MSA|AE, writes an ATNA AuditEvent with outcome=8, stops.
Fail-closed
When consent.fail-closed: true:
| Condition | Result |
|---|---|
permitted: true | Continue |
permitted: false | NACK, audit outcome=8 |
| HTTP timeout (>3s) | NACK, audit outcome=8 |
| JamConnect 5xx | NACK, audit outcome=8 |
| JamConnect unreachable | NACK, audit outcome=8 |
No data is ever written without a confirmed consent permit. This is the correct default for clinical data.
FHIR Consent model
AJ Consent Manager uses FHIR R4 Consent resources. The provision element controls what is permitted:
{
"resourceType": "Consent",
"provision": {
"type": "permit",
"actor": [{"reference": {"reference": "Organization/org-br01-001"}}],
"class": [{"code": "Patient"}, {"code": "Encounter"}],
"purpose": [{"code": "TREAT"}]
}
}
A patient can deny access to specific resource types, specific actors, or specific purposes — without revoking all access.