You should have Docker and Docker Compose installed before going further. To get it installed, follow the .
Start Aidbox locally
1. Create a directory
mkdir aidbox && cd aidbox
2. Run Aidbox on Docker
curl -JO https://aidbox.app/runme && docker compose up
3. Access Aidbox
Open in browser
4. Activate your Aidbox instance
Using AidboxID AidboxID is a unique identifier within the Aidbox ecosystem used for product activation
Using Aidbox license Aidbox license can be issued on the . More about Aidbox licenses .
If you’re using an Aidbox license, you’ll be prompted for a username (or email) and password. Use the admin username and retrieve the password from the AIDBOX_ADMIN_PASSWORD environment variable in the docker-compose.yaml file. For security, Aidbox generates a unique password for each instance.
Enable security labels access control
To enable LBAC, use Aidbox UI -> Settings -> Enable LBAC. You don't have to restart the instance if you use Aidbox UI.
Also, you can update environment variables
.env
# if true, security label feature is enabled
BOX_SECURITY_LBAC_ENABLED=true
# if true, removes security labels from the resource
BOX_SECURITY_LBAC_STRIP_LABELS=true
...
Superadmin Role with Label-based Access Control
POST /Role
content-type: text/yaml
accept: text/yaml
name: superadmin
user:
id: <user-id>
resourceType: User
GET /fhir/Patient/pt-1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzY29wZSI6Imh0dHA6Ly90ZXJtaW5vbG9neS5obDcub3JnL0NvZGVTeXN0ZW0vdjMtQ29uZmlkZW50aWFsaXR5fFIgaHR0cDovL3Rlcm1pbm9sb2d5LmhsNy5vcmcvQ29kZVN5c3RlbS92My1BY3RDb2RlfFBTWSBodHRwOi8vdGVybWlub2xvZ3kuaGw3Lm9yZy9Db2RlU3lzdGVtL3YzLUFjdENvZGV8Q1RDT01QVCJ9.7QZ65gtJPjiWVYjtvtuatvhq6262Sth3z4un_8rDdQg
Provider has access to the Patient because there is overlap between the Patient labels and the Provider labels.
Patient is labeled with:
Provider is allowed:
Provider's access to the Encounter
status: 200 OK
GET /fhir/Encounter/enc-1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzY29wZSI6Imh0dHA6Ly90ZXJtaW5vbG9neS5obDcub3JnL0NvZGVTeXN0ZW0vdjMtQ29uZmlkZW50aWFsaXR5fFIgaHR0cDovL3Rlcm1pbm9sb2d5LmhsNy5vcmcvQ29kZVN5c3RlbS92My1BY3RDb2RlfFBTWSBodHRwOi8vdGVybWlub2xvZ3kuaGw3Lm9yZy9Db2RlU3lzdGVtL3YzLUFjdENvZGV8Q1RDT01QVCJ9.7QZ65gtJPjiWVYjtvtuatvhq6262Sth3z4un_8rDdQg
Provider has access to the Encounter because there is overlap between the Encounter labels and the Provider labels.
Encounter is labeled with:
Provider is allowed:
Provider's access to the Observation
status: 200 OK
GET /fhir/Observation/obs-1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzY29wZSI6Imh0dHA6Ly90ZXJtaW5vbG9neS5obDcub3JnL0NvZGVTeXN0ZW0vdjMtQ29uZmlkZW50aWFsaXR5fFIgaHR0cDovL3Rlcm1pbm9sb2d5LmhsNy5vcmcvQ29kZVN5c3RlbS92My1BY3RDb2RlfFBTWSBodHRwOi8vdGVybWlub2xvZ3kuaGw3Lm9yZy9Db2RlU3lzdGVtL3YzLUFjdENvZGV8Q1RDT01QVCJ9.7QZ65gtJPjiWVYjtvtuatvhq6262Sth3z4un_8rDdQg
Provider has access to the Observation because there is overlap between the Observation labels and the Provider labels.
Observation is labeled with:
Provider is allowed:
Finance's access to the Patient
status: 200 OK
GET /fhir/Patient/pt-1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzY29wZSI6Imh0dHA6Ly90ZXJtaW5vbG9neS5obDcub3JnL0NvZGVTeXN0ZW0vdjMtQ29uZmlkZW50aWFsaXR5fE0gaHR0cDovL3Rlcm1pbm9sb2d5LmhsNy5vcmcvQ29kZVN5c3RlbS92My1BY3RDb2RlfFJFU0NPTVBUIn0.j7WY0I0s2rl6T2Bje1gadRKquuSf-_K9JH1T3T0vvcE
Finance has access to the Patient because there is overlap between the Patient labels and the Finance labels.
Patient is labeled with:
Finance is allowed:
Finance's access to the Encounter
status: 200 OK
GET /fhir/Encounter/enc-1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzY29wZSI6Imh0dHA6Ly90ZXJtaW5vbG9neS5obDcub3JnL0NvZGVTeXN0ZW0vdjMtQ29uZmlkZW50aWFsaXR5fE0gaHR0cDovL3Rlcm1pbm9sb2d5LmhsNy5vcmcvQ29kZVN5c3RlbS92My1BY3RDb2RlfFJFU0NPTVBUIn0.j7WY0I0s2rl6T2Bje1gadRKquuSf-_K9JH1T3T0vvcE
Finance has access to the Encounter because there is overlap between the Encounter labels and the Finance labels.
Encounter is labeled with:
Finance is allowed:
status: 403 Forbidden
GET /fhir/Observation/obs-1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzY29wZSI6Imh0dHA6Ly90ZXJtaW5vbG9neS5obDcub3JnL0NvZGVTeXN0ZW0vdjMtQ29uZmlkZW50aWFsaXR5fE0gaHR0cDovL3Rlcm1pbm9sb2d5LmhsNy5vcmcvQ29kZVN5c3RlbS92My1BY3RDb2RlfFJFU0NPTVBUIn0.j7WY0I0s2rl6T2Bje1gadRKquuSf-_K9JH1T3T0vvcE
Finance does not have access to the Observation because there is no overlap between the Observation labels and the Finance labels.
Observation is labeled with:
Finance is only allowed:
Check resource-element access control works
Provider
Provider has access to all the fields within the Encounter resource.
As mentioned , resources without security labels cannot be accessed. This can affect the functionality of the Aidbox UI console, making resources like User, Client, Access Policy, etc., inaccessible until they are labeled.
To avoid the need to label all resources displayed in the UI console, use the superadmin Role.
Create a Role resource with the name superadmin and reference to the User used to log in to the UI console before enabling Label-based Access Control.
To make Aidbox trust JWT issued by external server token introspection is used, run the following request in the .
To create the access policy, run the following request in the .
To create the Patient, run the following request in the .
To create the Encounter, run the following request in the .
To create the Observation, run the following request in the .
To view the content of a JWT, copy and paste it to
