How to enable hierarchical access control

This guide explains how to enable multi-tenancy on Organization resources.

Since Aidbox version 2412, to enable OrgBAC in FHIRSchema mode, use:

BOX_FEATURES_ORGBAC_ENABLE=true

If your Aidbox version is older or you do not use FHIRSchema mode, use the Aidbox Configuration project and import the aidbox.multitenancy.v1.fhir-r4 or aidbox.multitenancy.v1.fhir-r5 namespace.

Add aidbox.multitenancy.v1.fhir-r4 to the import section.

zrc/main.edn
{ns main
 import #{aidbox
          aidbox.multitenancy.v1.fhir-r4 ;; import multitenancy
          config}
 
 box
 {:zen/tags #{aidbox/system}
  :config   config/base-config
  :services {:admin-user-seed config/admin-user-seed
             :root-client-seed config/root-client-seed}}}

Ensure that hierarchical access control works

Create nested Organization resources

Use the Aidbox UI REST Console to create nested Organization resources.

Root organization

PUT /fhir/Organization/org-a

name: Organization A

Response status: 201 (created)

Child organization

PUT /fhir/Organization/org-b

partOf:
  reference: Organization/org-a
name: Organization B

Response status: 201 (created)

Grandchild organization

PUT /fhir/Organization/org-c

partOf:
  reference: Organization/org-b
name: Organization C

Response status: 201 (created)

You should now have 3 nested organizations:

org-a
└── org-b
   └── org-c

Create a resource in Organization B

Use the Aidbox UI REST Console to create a Patient resource in Organization B.

PUT /Organization/org-b/fhir/Patient/pt-1

Response status: 201 (created)

Check that access control works

The Patient is visible from the Organization above it (org-a):

GET /Organization/org-a/fhir/Patient/pt-1

Response status: 200

The Patient is visible from its own Organization (org-b):

GET /Organization/org-b/fhir/Patient/pt-1

Response status: 200

The Patient is not visible from the nested Organization below it (org-c):

GET /Organization/org-c/fhir/Patient/pt-1

Response status: 403

Configuring AccessPolicies

To allow a user or client to interact with organization-based resources, an AccessPolicy should be configured that checks the organization id from the https://aidbox.app/tenant-organization-id extension of the User or Client resource.

This example allows an organization-based user (created with PUT /Organization/<org-id>/fhir/User) to see Patients that were also created through OrgBAC.

PUT /AccessPolicy/as-user-allow-org-patients

description: A user should be able to get every patient in their organization.
engine: matcho
matcho:
  params:
    resource/type: Patient
  request-method: get
  user:
    meta:
      extension:
        $contains:
          url: https://aidbox.app/tenant-organization-id
          value:
            Reference:
              id: .params.organization/id
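The two rules this page relies on, the visibility check from the verification steps above and the matcho policy just shown, as a reference model that can be unit-tested offline. This is an added example, not Aidbox code; the organization tree, the User resource and the request shape are constructed sample data, and the matcho semantics are reduced to the exact-match case the policy uses.

```python
"""Reference model of the OrgBAC checks described on this page (added example)."""
from typing import Dict, List, Optional

TENANT_EXT = "https://aidbox.app/tenant-organization-id"

# Constructed sample tree mirroring the page: org-a <- org-b <- org-c
# (child -> partOf parent, None for the root).
ORGS: Dict[str, Optional[str]] = {"org-a": None, "org-b": "org-a", "org-c": "org-b"}


def ancestors(org_id: str, orgs: Dict[str, Optional[str]] = ORGS) -> List[str]:
    """Return org_id followed by its partOf chain up to the root."""
    chain: List[str] = []
    seen = set()
    current: Optional[str] = org_id
    while current is not None:
        if current in seen:  # malformed data: a partOf cycle would loop forever
            raise ValueError(f"partOf cycle detected at {current}")
        seen.add(current)
        chain.append(current)
        current = orgs.get(current)
    return chain


def status_for(resource_org: str, request_org: str, orgs=ORGS) -> int:
    """Status the page expects for GET /Organization/<request_org>/fhir/Patient/...:
    200 when the request comes from the resource's own org or an ancestor, else 403."""
    return 200 if request_org in ancestors(resource_org, orgs) else 403


def policy_allows(user: dict, request: dict) -> bool:
    """Model of the as-user-allow-org-patients matcho rule: a GET on Patient is
    allowed only if some tenant-organization-id extension on the User references
    the organization id of the request (.params.organization/id)."""
    params = request.get("params", {})
    if params.get("resource/type") != "Patient" or request.get("request-method") != "get":
        return False
    wanted = params.get("organization/id")
    for ext in user.get("meta", {}).get("extension", []):
        ref = ext.get("value", {}).get("Reference", {})
        if ext.get("url") == TENANT_EXT and ref.get("id") == wanted:
            return True
    return False
```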
