Debug access control

This guide explains how Access control debug tools work
Aidbox offers multiple ways to debug access policies.

Access policy dev tool

Access policy dev tool simplifies development & debugging AccessPolicy resources. It was introduced in March v2303 release of Aidbox.
Access policy dev tool UI

__debug query-string parameter

There is a special query-string parameter __debug=policy you can pass to every Aidbox request. It will toggle debug mode for Request Authorization Layer, and in this mode instead of actual response client will get an object containing:
  • full request object;
  • an array of existing AccessPolicies;
  • evaluation result for every AccessPolicy (under AccessPolicy.evalResult).
Define AIDBOX_DEV_MODE to enable __debug parameter

x-debug: policy request header

For requests with the x-debug: policy header, details of access policy evaluation will be logged.
GET /Patient
x-debug: policy
# in aidbox logs
# :auth/trace-policy {:access-policy-id :policy-1, :policy-type "sql", ...
# :auth/trace-policy {:access-policy-id :policy-2, :policy-type "json-schema",...

su request header

su header allows to switch user on behalf of whom request is executed. Use su=<user/client id> to check how access control works for that user.
su header functionality can be enabled with box_debug_su_enable env
su header is only available to admin users, who have at least one AccessPolicy with engine = allow linked to them.


# Request as an admin:
GET /fhir/Patient
# Response:
Status: 200
# Request on behalf of `myid` User who has no access to Patient search:
GET /fhir/Patient
su: myid
# Response
Status: 403

/auth/test-policy Operation

You can use a special operation POST /auth/test-policy to design policy without creating an AccessPolicy resource and for different users and clients. Post on the /auth/test-policy with a simulated request attribute (you can provide existing user-id and client-id — Aidbox will find and populate request) and temporal policy in the policy attribute. If you want to test JWT auth, put your token in the headers.authorization with the Bearer prefix — the token will be parsed and its claims appear in the request.jwt. JWT in a header is parsed but not validated. This allows you to test JWT policy without TokenIntrospector registration.
The response contains a result of evaluated policy.
POST /auth/test-policy
-- simulate request document
uri: '/Patient'
request-method: get
authorization: Bearer <your-jwt>
data: {role: 'admin'}
-- or
-- user-id: 'user-1' -- aidbox will find user in database
id: basic
grant_types: ['basic']
-- or
-- client-id: 'client-1' -- aidbox will find client in database
engine: sql
query: 'SELECT {{user.role}} FROM {{!params.resource/type}}'
-- response
uri: /Patient
request-method: get
user: {role: admin}
params: {resource/type: Patient}
#jwt: ...jwt-claims
- get
- {name: resource/type}
action: proto.operations/search
module: proto
id: Search
-- original policy
engine: sql
sql: {query: 'SELECT {{user.role}} FROM {{!params.resource/type}}'}
-- result of policy evaluation
eval-result: false
query: ['SELECT ? FROM "patient"', admin]
Last modified 5mo ago