SMART: Scopes for Limiting Access
Last updated
Was this helpful?
Last updated
Was this helpful?
Aidbox fully supports of SMART on FHIR scopes:
And support everything except search parameters in of SMART on FHIR scopes:
If a requested operation is not permitted by the scopes, Aidbox will deny access. If access is granted, Aidbox will retrieve and return only the data allowed by the specified scopes and context.
To enable scope checking in the Access Control layer, the JWT access token must contain the following claims:
atv
*
fixed value
Access Token Version
Fixed value - 2
scope
*
valueString
String with scopes separated by space.
context.patient
valueString
Patient ID.
* - required claim
Parsed valid JWT access token:
Denied request based on allowed scopes:
Permitted request based on allowed scopes:
Patient-level access control in Aidbox enables restricting data access to resources associated with a specific patient. When users interact with the FHIR API, they can access only the resources that belong to that patient.
To achieve this behavior, the request must include:
Only patient-level scopes ( patient/...
).
The patient ID in the context.patient
claim.
For scope checking, Aidbox accepts any valid JWT tokens issued by if they contain the specified scopes and Aidbox can issue its own JWT tokens with all the required claims.
SMART does not define specific scopes for interactions. Aidbox allows Bundle requests regardless of scopes and applies Access Control restrictions to each element within Bundle.entry
. This means that while the Bundle as a whole is accepted, Aidbox enforces scope Access Control restrictions on each entry in the Bundle.
A valid
Aidbox will limit access and filter retrieved data based on .