Security & Access Control | Aidbox User Docs

Aidbox User Docs

Run Aidbox locally Run Aidbox in Sandbox Talk to us Ask community

Security & Access Control settings

Grant page URL

URL of consent screen. A consent screen is an interface presented to a user during the authorization code grant flow.

Enable FHIR audit log

Generates structured audit logs in FHIR AuditEvent format.

Enable access control for mapping

Enable access control for /Mapping/<mapping-id>/$apply operation. If enabled, access control will be applied to the resulting transaction. If disabled, only access to $apply endpoints are verified.

Encryption API secret

Allow CORS requests

Enable Cross-Origin Resource Sharing (CORS) request handling.

Allow CORS requests from origins

Comma separated list of origins [schema]://[domain]:[port] Default is wildcard value "*"

Content security policy header

Defines the Content Security Policy (CSP) header to enhance security by restricting resource loading. It specifies the policies for loading scripts, styles, media, fonts, and other resources.

Recommended value:

Skip JWT validation

Skip JWT token validation process.

JWT public key

RS256 signing algorithm expects providing private key for signing JWT and public key for verifying it.

JWT private key

RS256 signing algorithm expects providing private key for signing JWT and public key for verifying it.

JWT secret

HS256 signing algorithm needs only having a secret for both operations.

Auto-create users from foreign tokens

Creates local user accounts automatically when valid external JWT tokens are presented but no matching user exists.

Auth with non-validated JWT

This configuration is used when skip-jwt-validation setting is enabled. It's a string that contains EDN object with :headers and :user-id-paths keys. For example: {:headers #{"authorization" "x-client-token"}, :user-id-paths #{[:authorization :user_id] [:my-client-token :user :id]}}

Enable LBAC

Label-based Access Control engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request.

Strip security labels

Removes security labels from resource responses before returning them to clients. When enabled, prevents sensitive security metadata from being exposed in API responses while maintaining access control enforcement internally. Useful for hiding security implementation details from end users.

Enable organization-based hierarchical access control

Activates hierarchical access control based on organizational structure. Restricts user access to resources based on their organizational affiliation and hierarchy position.

Enable SU header

This setting enables SU header functionality. SU header allows a user to substitute User ID for the duration of the request. Only the administrator is allowed to use the SU header.

Enable Aidbox developer mode

Activates debugging features for access policy development, including the _debug=policy URL parameter. Returns detailed policy evaluation traces showing why requests were allowed or denied. For development environments only - not recommended for production systems.

default-src 'self'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self';