How to enable hierarchical access control

This guide explains how multi-tenancy on the Organization resources can be enabled

Prerequisites

Docker and Docker Compose

You should have Docker and Docker Compose installed before go further. To get it installed follow the instructions.

Aidbox license

To get the Aidbox License:

Go the Aidbox user portal https://aidbox.app
Login to the portal
Create new self-hosted Aidbox License or use the license that you already have

Create Aidbox project

Aidbox is configured by the Aidbox Configuration Projects. To create sample project run command below

git clone \
  --branch=main \
  --depth=1 \
  https://github.com/Aidbox/aidbox-project-template.git \
  aidbox-project && \
  cd aidbox-project && \
  rm -rf .git

git clone \
  --branch=fhir-r5 \
  --depth=1 \
  https://github.com/Aidbox/aidbox-project-template.git \
  aidbox-project && \
  cd aidbox-project && \
  rm -rf .git

See more details related the running Aidbox locally

Apply the license

Populate the .env file with the Aidbox License.

.env

AIDBOX_LICENSE=YOUR_AIDBOX_LICENSE_KEY

...

Enable multi-tenancy

To enable hierarchical access control (multi-tenancy on Organization resources) add necessary imports to the zrc/main.edn file.

Add aidbox.multitenancy.v1.fhir-r4 to the import section.

zrc/main.edn

{ns main
 import #{aidbox
          aidbox.multitenancy.v1.fhir-r4 ;; import multitenancy
          config}
 
 box
 {:zen/tags #{aidbox/system}
  :config   config/base-config
  :services {:admin-user-seed config/admin-user-seed
             :root-client-seed config/root-client-seed}}}

Add aidbox.multitenancy.v1.fhir-r5 to the import section.

zrc/main.edn

{ns main
 import #{aidbox
          aidbox.multitenancy.v1.fhir-r5 ;; import multitenancy
          config}
 
 box
 {:zen/tags #{aidbox/system}
  :config   config/base-config
  :services {:admin-user-seed config/admin-user-seed
             :root-client-seed config/root-client-seed}}}

Start Aidbox with Docker Compose

To start Aidbox run the command in the aidbox-project directory.

docker compose up --force-recreate

When Aidbox starts, navigate to the http://localhost:8888 and sign in to the Aidbox UI using the credentials admin / password.

Ensure the hierarchical access control works

Create nested Organization resources

Use Aidbox UI Rest Console to create nested Organization resources.

Root organization

status: 201 (created)

PUT /fhir/Organization/org-a

Child organization

status: 201 (created)

PUT /fhir/Organization/org-b

partOf:
  resourceType: Organization
  id: org-a

Grant-child organization

status: 201 (created)

PUT /fhir/Organization/org-c

partOf:
  resourceType: Organization
  id: org-b

You should have 3 nested organizations for now

org-a
└── org-b
   └── org-c

Create resource in the Organization B

Use Aidbox UI Rest Console to create Patient resource in the organization B.

status: 201 (created)

PUT /Organization/org-b/fhir/Patient/pt-1

status: 201 (created)

PUT /Organization/org-b/aidbox/Patient/pt-1

Check access control works

Patient is visible from the Organization above (org-a)

status: 200

GET /Organization/org-a/fhir/Patient/pt-1

status: 200

GET /Organization/org-a/aidbox/Patient/pt-1

Patient is visible from its Organization (org-b)

status: 200

GET /Organization/org-b/fhir/Patient/pt-1

status: 200

GET /Organization/org-b/aidbox/Patient/pt-1

Patient is not visible from the nested Organization (org-c)

status: 403

GET /Organization/org-c/fhir/Patient/pt-1

status: 403

GET /Organization/org-c/aidbox/Patient/pt-1

Last updated 1 month ago