Skip to content

Latest commit

 

History

History
98 lines (68 loc) · 1.9 KB

simple-role-based-access-control.md

File metadata and controls

98 lines (68 loc) · 1.9 KB

Role-Based Access Control (RBAC)

Aidbox provides a role-based access control mechanism based on access policies and User resource.

Create a user

Create a user containing practitioner role.

POST /User

id: user-1
resourceType: User
password: password
roles: 
  - value: practitioner

Create an access policy

Create an access policy that allows practitioners to read patients' data.

POST /AccessPolicy

id: practitioner-role
resourceType: AccessPolicy
engine: matcho
matcho:
  user:
    roles:
      - value: practitioner
  uri: '#/Patient/.*'
  request-method: get

{% hint style="info" %} Please note that if you like to add multiple request methods when using matcho engine you should use $one-of notation:

request-method:
  $one-of:
  - get
  - post
  - put

{% endhint %}

Try it

Create a patient

POST /Patient

id: pt-1
resourceType: Patient

name:
  - given:
      - John

Log in as user-1

Click "Logout" in the AidboxUI navigation. Log in using user-1 credentials (user-1 /password).

Read patient data

GET /Patient/pt-1

Aidbox will return you a Patient resource.

What's going on here

When you make a query

GET /Patient/pt-1

Aidbox router stores data in the request object:

  • Uri /Patient/pt-1 in the uri property.
  • Method get in the request-method property.
  • User data in user property. In particular user.roles[].value contains user roles.

Access policy engine evaluates request object. And here it checks that user.roles[].value property contains practitioner string.

You can inspect request object using __debug query parameter.

Guide: flexible RBAC

{% content-ref url="../readme-1-1/rbac/role-based-access-policies.md" %} role-based-access-policies.md {% endcontent-ref %}