| description |
|---|
This guide shows how to create and test access policies in Aidbox |
You can test access policies with Postman.
Access the Auth Clients tab and create a new client.
resourceType: Client
id: postman
secret: secret
grant_types: ['basic']Access the Access Control tab and create new access policy with the code below. Let's consider the work of this policy. In this schema, two constraints are introduced:
- it is allowed to use only the GET method;
- it is allowed to use only request URIs starting with "/fhir/".
resourceType: AccessPolicy
id: policy-for-postman
engine: json-schema
schema:
required:
- client
- uri
- request-method
properties:
uri:
type: string
pattern: '^/fhir/.*'
client:
required:
- id
properties:
id:
const: postman
request-method:
const: getresourceType: AccessPolicy
id: policy-for-postman
engine: matcho
matcho:
client:
id: postman
uri: '#^/fhir/.*'
request-method: getNow, let's execute requests in Postman.
{% hint style="info" %} A request succeeds if at least one of the policies is valid for it. {% endhint %}
GET {{base}}/fhir/Patient.png)
POST {{base}}/fhir/Patient.png)
Let's use the parameter __debug=policy in requests to see which JSON-schema validation returned true/false.
GET {{base}}/fhir/Patient
POST {{base}}/fhir/Patient
See the full documentation Access Policies.
Previously, we tested access control for clients using Postman as a client. Now, let's create and test access policies for users. We will still need our client credentials.
First, we need to create a couple of users.
Access the Users tab and create two users in Aidbox.Cloud.
data:
name: Camila Harrington
roles:
- Administrator
- Doctor
email: [email protected]
password: password1
id: user1
resourceType: Userdata:
name: Jazmin Holmes
roles:
- Patient
email: [email protected]
password: password2
id: user2
resourceType: UserNow, let's define read-only access for the 'Patient' role. Create an access policy with the code below.
# matcho version
resourceType: AccessPolicy
id: policy-for-postman-users-role-patient
engine: matcho
matcho:
user:
data: { roles: {$contains: Patient} }
client: { id: postman }
request-method: getresourceType: AccessPolicy
id: policy-for-postman-users-role-patient
engine: json-schema
schema:
required:
- client
- user
- request-method
properties:
user:
required:
- data
properties:
data:
required:
- roles
properties:
roles:
not:
items:
not:
enum:
- Patient
type: array
client:
required:
- id
properties:
id:
const: postman
request-method:
const: get
description: Read-only access for users with role Patient from client PostmanLet's set access rights for administrators.
# matcho version
engine: matcho
matcho:
request-method: {$enum: ['get','post','put','delete','patch']}
user:
data: {roles: {$contains: 'Administrator'}}
client: { id: postman }engine: json-schema
schema:
required:
- client
- user
- request-method
properties:
user:
required:
- data
properties:
data:
required:
- roles
properties:
roles:
not:
items:
not:
enum:
- Administrator
type: array
client:
required:
- id
properties:
id:
const: postman
request-method:
enum:
- get
- post
- put
- delete
- option
- patch
- head
description: Full access for users with role Administrator from client Postman
id: policy-for-postman-users-role-administrator
resourceType: AccessPolicyNow, let's test the policies in Postman.
First, we need to get bearer token for a user and a client.
{% hint style="info" %}
This line grant_type: password should not be changed.
{% endhint %}
POST {{base}}/auth/token
client_id: postman
client_secret: <your-client-password>
username: [email protected]
password: <your-user1-password>
grant_type: passwordExecute the request and copy the received access_token value. Paste it to your test request in the Authorization header with the word Bearer before it.
E.g. you got the access_token:
{
"access_token": "45ab638d-9a3a-492b-b2df-0d8295c108fc",
"refresh_token": "eyJzZXNzaW9uX2lkIjoiODJhYjYzOGQtOWEzYS00OTJiLWIyZGYtMGQ4Mjk1YzEwOGZjIiwidXNlcl123456InVzZXIxIiwiaWF0IjoxNTQyMDMxODkyfQpvbjE4SUxtRXhVQWJmcl8zZUVGNTZUTl9vV0E",
"token_type": "bearer"
}Your authorization header will be: Bearer 45ab638d-9a3a-492b-b2df-0d8295c108fc.
Now, let's execute requests from users to test their access.
Test user request with GET
GET {{base}}/fhir/Patient?__debug=policyTest user request with POST
POST {{base}}/fhir/Patient?__debug=policyThe results of the schema validation should be the following:
| Request/User | User 1 (Administrator) | User 2 (Patient) |
|---|---|---|
| GET | True | True |
| POST | True | False |
See the full documentation Resource Owner Credentials Grant.
You can create policy-token to access rpc without creating AccessPolicy resource
To do that call aidbox.policy/create-policy-token RPC method:
POST {{base}}/rpc
method: aidbox.policy/create-policy-token
params:
expiration: 3
methods:
aidbox.sdc/read-document:
params:
id: doc-1
aidbox.sdc/save-document:
params:
id: doc-1This RPC method will return you a JWT token, which can be used only to call two methods with params you described:
aidbox.sdc/read-documentaidbox.sdc/save-document
To make a call RPC with this token just pass it in body:
POST {{base}}/rpc
method: aidbox.sdc/read-document
params:
id: doc-1
policy: <token from previous step>