Label-based Access Control
This pages explains how security labels access control works in Aidbox
Last updated
Was this helpful?
This pages explains how security labels access control works in Aidbox
Last updated
Was this helpful?
A security label is a concept attached to a resource or bundle that provides specific security metadata about the information it is fixed to.
Label-based Access Control engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request. When security labels are included in the request context, they allow the requester to access information in accordance with those labels.
Two security label code systems are currently supported:
There are two ways the security labels appear in the request context:
From the scope
claim of a JWT.
From the Aidbox User’s property securityLabel
.
Aidbox parses the scope
claim and fetches security labels. There can be multiple security labels on the scope in format.
A security label must be defined using the pattern system|code
.
Claim scope example: "http://terminology.hl7.org/CodeSystem/v3-ActCode|PSY https://terminology.hl7.org/CodeSystem/v3-Confidentiality|M"
If the request context is associated with an Aidbox user, Aidbox tries to get security labels from the User.securityLabel
.
For example, the user resource contains two security labels.
For example, the R code expands to R, N, M, L, and U.
Security Labels access control is done in two steps:
Resource-level access control. Decides whether a resource itself is accessible to a requester.
Resource-element level access (masking). Decides whether some elements of the resource should be hidden from the requester. Masking is applied only if the resource-level access control permits access to the resource.
If the security labels of the request context intersect with the security labels of the resource, the requester can access the resource. Otherwise, there is no access. Consider marking non-sensitive data with the security label U (unrestricted).
If a resource has no security labels, no one can access the resource.
Confidentiality: V
Confidentiality: R
no access
Confidentiality: R
Confidentiality: R
available
Confidentiality: L
Confidentiality: R
available
Confidentiality: R Sensitivity: PSY
Confidentiality: R
available
Sensitivity: PSY
Confidentiality: R
no access
Sensitivity: HIV
Confidentiality: R
no access
no security labels
Confidentiality: R
no access
Confidentiality: V
Confidentiality: R Sensitivity: PSY
no access
Confidentiality: R
Confidentiality: R Sensitivity: PSY
available
Confidentiality: L
Confidentiality: R Sensitivity: PSY
available
Confidentiality: R Sensitivity: PSY
Confidentiality: R Sensitivity: PSY
available
Sensitivity: PSY
Confidentiality: R Sensitivity: PSY
available
Sensitivity: HIV
Confidentiality: R Sensitivity: PSY
no access
no security labels
Confidentiality: R Sensitivity: PSY
no access
Confidentiality: V
Sensitivity: PSY
no access
Confidentiality: R
Sensitivity: PSY
no access
Confidentiality: L
Sensitivity: PSY
no access
Confidentiality: R Sensitivity: PSY
Sensitivity: PSY
available
Sensitivity: PSY
Sensitivity: PSY
available
Sensitivity: HIV
Sensitivity: PSY
no access
no security labels
Sensitivity: PSY
no access
To perform masking:
The resource itself should have the http://terminology.hl7.org/CodeSystem/v3-ActCode|PROCESSINLINELABEL
security label in its meta.
The requestor has access to all Encounter
fields but the subject
.
To prevent security labels from appearing in the outcome, set the strip labels
env:
Stripping examples
The security labels from meta.security
and _status
fields have been removed from the outcome.
The security label for confidentiality is . The code may contain several others.
The resource properties should be tagged with the extension.
As mentioned , resources without security labels cannot be accessed. This can affect the functionality of the Aidbox UI console, making resources like User, Client, Access Policy, etc. inaccessible until they are labeled.
To avoid the need to label all resources displayed in the UI console, use the superadmin
Role.
Create a Role
resource with the name superadmin
and reference to the User used to log in to the UI console before enabling Label-based Access Control.