Flexible RBAC built-in to Aidbox

Run Aidbox locally Run Aidbox in Sandbox Talk to us Ask community

Last updated 3 months ago

Aidbox provides role-based access control mechanism based on access policies and custom Role resource.

Each Role resource assigns a role to a User. AccessPolicy resource has an optional roleName property. Aidbox applies access policy with roleName specified only to users which have the corresponding role assigned.

Create a practitioner

Create a user

Aidbox does not store any role information in a User resource. So create a user as usual.

Create a Role resource

Role name is a string that defines role. You don't need to declare it explicitly. Role resource links a role and a user.

Role resource has an optional links property which specifies related resources. Aidbox does not assign any special meaning to this property. Additionally, Role is an open resource so you can add any information to it.

You can put any additional data into context property.

Create a Role resource which assigns a role to the user we created.

If you need to assign same role to multiple users then just create multiple Role resources with same name property.

Create an access policy

AccessPolicy resource has a roleName property. This property specifies the role name for the policy. Access policy with a role name is applied only users with the corresponding role.

Create an AccessPolicy which allows practitioners to read their own data

Try it

Read your data

Aidbox returns you a Practitioner resource.

What's going on here

When you make a query

Aidbox router stores data in the request object:

Uri /Practitioner/pr-1 in the uri property.
Method get in the request-method property.
path parameter pr-1 in the params.resource/id property.

Aidbox applies access policy with roleName property only if a role with corresponding name is assigned to user. In this case Aidbox adds the corresponding Role resource to the role property of the request object.

Access policy engine evaluates request object. And here it checks that params.resource/id property is equal to role.links.practitioner.id property.

Role resource schema