AccessPolicy resources are used to check request objects against a set of rules

Resource structure

AccessPolicy resource has the following structure:
resourceType: AccessPolicy
description: policy description text
# type of evaluation engine
engine: allow | json-schema | sql | matcho | complex | allow-rpc | matcho-rpc
# engine specific fields
# e.g. `schema` for `json-schema` engine
schema: {}
# References to either Client, User or Operation resources
- { resourceType: Operation, id: op-id }
- { resourceType: User, id: user-1 }
- { resourceType: Client, id: client-1 }
It supports various evaluation engines: Allow, JSON Schema, SQL, Matcho and Complex as well as Allow-RPC and Matcho-RPC. They specify how checks are implemented — with an SQL statement, with a JSON Schema or as a list of allowed endpoints.

Request object structure

Aidbox evaluates AccessPolicy against a request object which represents incoming HTTP request. It has the following structure:
# Request method (get/post/put/delete)
request-method: get
# Request scheme (http or https)
scheme: http
# Request URI (no query string)
uri: /fhir/Patient
# Query string
query-string: __debug=policy
# Parsed query-string params merged with URL params extracted by routing engine
params: {__debug: policy, type: Patient}
# Request body (for POST, PUT or PATCH)
body: null
# Parsed JWT claims (if any)
jwt: {sub: xxxxxxx, jti: xxxxxxx, iss: aidbox,
iat: 15409xxxxx, exp: 15409xxxxxa
# Object containing current User resource (if any)
patient_id: 42
id: b66bc7c5-1a56-422f-8cf8-e64469135ce2
lastUpdated: '2018-10-31T13:43:18.566Z'
- code: updated
versionId: '6'
phone: 123-123-123
resourceType: User
# Client’s IP address
# Client resource (if any)
id: b4930671-410c-462b-8b12-23cdef91af0c
lastUpdated: '2018-10-31T13:38:08.982Z'
- code: created
versionId: '4'
resourceType: Client
# Request headers
headers: {x-original-uri: '/fhir/Patient?__debug=policy', origin: '',
x-forwarded-host:, host:, user-agent: 'Mozilla/5.0
(Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100
Safari/537.36', content-type: 'text/yaml, application/json', x-forwarded-port: '443',
referer: '', connection: close, accept: text/yaml, accept-language: 'en-US,en;q=0.9,ru;q=0.8',
authorization: Bearer xxxxxx,
x-forwarded-for:, accept-encoding: 'gzip, deflate, br', x-forwarded-proto: https,
x-scheme: https, x-real-ip:}

Request authorization logic

AccessPolicy instance can be linked to User, Client or Operation resources with attribute. If AccessPolicy has no links, it’s considered a global policy. To authorize a request, Aidbox uses global policies in additiion to all AccessPolicy rules linked to User, Client and Operation associated with the current request.
It iterates through them, evaluating each AccessPolicy against the request object. As soon as one of them passes the validation (evaluation result is true), the request is considered authorized and Aidbox stops further policies evaluation. If all policies fail to validate it (all of them evaluate to false), then Aidbox denies the request and responds with 403 Unauthorized.
Performance consideration Link your policy to User, Client or Operation. Otherwise it will be evaluated for every request increasing the number of checks.
If there are no AccessPolicy resources defined for a box, all requests will be denied.

Signed RPC policy token

You can create policy-token to access rpc without creating AccessPolicy resource
To do that call aidbox.policy/create-policy-token RPC method:
POST {{base}}/rpc
method: aidbox.policy/create-policy-token
expiration: 3
id: doc-1
id: doc-1
This RPC method will return you a JWT token, which can be used only to call two methods with params you described:
  • aidbox.sdc/read-document
  • aidbox.sdc/save-document
To make a call RPC with this token just pass it in body:
POST {{base}}/rpc
method: aidbox.sdc/read-document
id: doc-1
policy: <token from previous step>