Role-Based Access Control (RBAC)
This article shows how to create a user for a practitioner and allow practitioners to read patients data.
Aidbox provides role-based access control mechanism based on access policies and
Role
resource.Each
Role
resource assigns a role to a User.
AccessPolicy
resource has an optional roleName
property. Aidbox applies access policy with roleName
specified only to users which have the corresponding role assigned.POST /Patient
id: pt-1
resourceType: Patient
name:
- given:
- John
Create a user containing
practitioner
role.POST /User
id: user-1
resourceType: User
roles:
- value: practitioner
Create an access policy which allows practitioners to read patients data.
POST /AccessPolicy
id: practitioner-role
resourceType: AccessPolicy
engine: matcho
matcho:
user:
roles:
- value: practitioner
uri: '#/Patient/.*'
request-method: get
Please note that if you like to add multiple request methods when using matcho engine you should use
$one-of
notation:request-method:
$one-of:
- get
- post
- put
Log in as
user-1
.Read patient data
GET /Patient/pt-1
Aidbox will return you a Patient resource.
When you make a query
GET /Patient/pt-1
Aidbox router stores data in the request object:
- Uri
/Patient/pt-1
in theuri
property. - Method
get
in therequest-method
property. - User data in
user
property. In particularuser.roles[].value
contains user roles.
Access policy engine evaluates request object. And here it checks that
user.roles[].value
property contains practitioner
string.Last modified 18d ago