I have an asset called MedicalFile which contains a reference to an organization. The participant HealthCareProfessional also belongs to an organization.

Now I'd like to define an ACL rule which limits the health care professional to only view medical files which MedicalFile's are connected to his organisation.

I came up with the following rule:

rule OrganisationMedicalFilePermission {
    description: "An organisation may updates a medical file which they have permission from"
    participant(h): "nl.epd.blockchain.HealthCareProfessional"
    operation: ALL
    resource(m): "nl.epd.blockchain.MedicalFile"
    condition: (m.organisations.includes(h.organisation))
    action: ALLOW

}

This results in an empty array once I invoke the RESTful API with Loopback. I'm authenticated as a health care professional.

Assets & Participant:

asset Organisation identified by id {
      o String id
      o String name
      o String city
      o String zipCode
      o String street
      o String houseNumber
      o String houseNumberExtra optional
      o OrganisationType organisationType
}

asset MedicalFile identified by bsn {
  o String                 bsn
  --> Patient              owner
  --> Patient[]            mentors optional
  --> Organisation[]       organisations optional
  o Visit[]                visits optional
  o String[]               allergies optional
  o Treatment[]            treatments optional
  o Medicine[]             medicine optional
}

participant HealthCareProfessional identified by bsn {
  o String bsn
  o String firstName
  o String namePrefix optional
  o String lastName
  --> Organisation organisation
}

My question is if it's possible to create a condition which validates this problem. If not, what are my options?