Aidbox User Docs
IAM Module Resources

The Identity and Access Management (IAM) module provides a set of resources for managing user authentication, authorization, and access control within Aidbox.

Overview

The IAM module includes the following resource types:

  • AccessPolicy
  • AuthConfig
  • Client
  • Grant
  • IdentityProvider
  • Notification
  • NotificationTemplate
  • Registration
  • Role
  • Scope
  • Session
  • TokenIntrospector
  • User

AccessPolicy

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| and | 0..* | Object | A list of conditions that must all be satisfied for the policy to grant access. |
| clj | 0..1 | string | Clojure code that defines access policy rules. DEPRECATED. DO NOT USE IT. |
| description | 0..1 | string | A textual description of the access policy. |
| engine | 0..1 | string | Specifies the evaluation engine used for the policy. Allowed values: json-schema, allow, sql, complex, matcho, clj, matcho-rpc, allow-rpc, signed-rpc, smart-on-fhir |
| link | 0..* | Reference | References to resources associated with this policy. Allowed references: Client, User, Operation |
| matcho | 0..1 | Object | Defines rules using the Matcho pattern-matching syntax. |
| module | 0..1 | string | Module that this policy belongs to. |
| or | 0..* | Object | A list of conditions where at least one must be satisfied for the policy to grant access. |
| roleName | 0..1 | string | Symbolic link to a Role by name. |
| rpc | 0..1 | Object | Defines rules for Remote Procedure Calls (RPCs). |
| schema | 0..1 | Object | JSON Schema used to validate requests against the policy. |
| sql | 0..1 | BackboneElement | SQL-based policy definition. |
| sql.query | 0..1 | string | SQL query used to evaluate access conditions. |
| type | 0..1 | string | The type or category of the access policy. Allowed values: scope, rest, rpc |
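The table above is a set of constraints a policy must satisfy before it is loaded: cardinalities, allowed engine values, allowed link targets and allowed type values. The following lint, written for this page as an added example and not part of Aidbox, encodes those constraints so that a reviewer can catch a deprecated clj engine, a link to a resource type the policy may not reference, an unknown field or a set _source before the policy reaches a running instance. The three sample policies, their ids and the matcho pattern are constructed for the example, and the pairing of each engine with the field it reads its rules from (matcho, sql, schema, clj) is inferred from the field descriptions.

```python
"""Lint AccessPolicy resources against the AccessPolicy field reference."""
# Added example, not Aidbox's own code. It encodes the cardinalities, allowed
# values and allowed reference targets from the AccessPolicy table; the sample
# policies at the bottom are constructed for this example.

ALLOWED_ENGINES = {
    "json-schema", "allow", "sql", "complex", "matcho", "clj",
    "matcho-rpc", "allow-rpc", "signed-rpc", "smart-on-fhir",
}
DEPRECATED_ENGINES = {"clj"}
ALLOWED_LINK_TARGETS = {"Client", "User", "Operation"}
ALLOWED_TYPES = {"scope", "rest", "rpc"}
# Field an engine reads its rules from (assumption inferred from the descriptions).
ENGINE_RULE_FIELD = {"matcho": "matcho", "sql": "sql", "json-schema": "schema", "clj": "clj"}

# 0..1 fields of the table and the Python type their value should have.
SINGLE_FIELDS = {
    "_source": str, "clj": str, "description": str, "engine": str,
    "matcho": dict, "module": str, "roleName": str, "rpc": dict,
    "schema": dict, "sql": dict, "type": str,
}
# 0..* fields of the table and the type of each list element.
LIST_FIELDS = {"and": dict, "or": dict, "link": dict}
RESOURCE_META = {"resourceType", "id", "meta"}


def reference_target(ref: dict) -> str:
    """Resource type of a reference in Aidbox ({id, resourceType}) or FHIR ({reference}) form."""
    if "resourceType" in ref:
        return ref["resourceType"]
    return ref.get("reference", "").split("/")[0]


def lint_access_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.get("resourceType") != "AccessPolicy":
        findings.append("resourceType must be AccessPolicy")
    for key, value in policy.items():
        if key in RESOURCE_META:
            continue
        if key in SINGLE_FIELDS:
            if not isinstance(value, SINGLE_FIELDS[key]):
                findings.append(f"{key}: expected {SINGLE_FIELDS[key].__name__}")
        elif key in LIST_FIELDS:
            if not isinstance(value, list) or not all(isinstance(v, LIST_FIELDS[key]) for v in value):
                findings.append(f"{key}: expected a list of {LIST_FIELDS[key].__name__}")
        else:
            findings.append(f"{key}: unknown field")
    if "_source" in policy:
        findings.append("_source: system property, do not set it")
    engine = policy.get("engine")
    if isinstance(engine, str):
        if engine not in ALLOWED_ENGINES:
            findings.append(f"engine: {engine!r} is not an allowed value")
        elif engine in DEPRECATED_ENGINES:
            findings.append(f"engine: {engine!r} is deprecated, do not use it")
        rule_field = ENGINE_RULE_FIELD.get(engine)
        if rule_field and rule_field not in policy:
            findings.append(f"engine {engine!r} needs the {rule_field!r} field")
    if isinstance(policy.get("sql"), dict) and not policy["sql"].get("query"):
        findings.append("sql.query: missing")
    links = policy.get("link")
    for ref in links if isinstance(links, list) else []:
        if isinstance(ref, dict) and reference_target(ref) not in ALLOWED_LINK_TARGETS:
            findings.append(f"link: {reference_target(ref)!r} is not an allowed reference target")
    if isinstance(policy.get("type"), str) and policy["type"] not in ALLOWED_TYPES:
        findings.append(f"type: {policy['type']!r} is not an allowed value")
    return findings


# Constructed sample: a matcho policy that lets one Client read Patient resources.
GOOD_POLICY = {
    "resourceType": "AccessPolicy",
    "id": "mobile-app-read-patient",
    "description": "mobile-app may GET Patient resources",
    "engine": "matcho",
    "type": "rest",
    "matcho": {"request-method": "get", "uri": "#^/fhir/Patient.*$"},
    "link": [{"id": "mobile-app", "resourceType": "Client"}],
}

# Constructed sample with several problems a reviewer should catch.
BAD_POLICY = {
    "resourceType": "AccessPolicy",
    "id": "legacy",
    "engine": "clj",
    "clj": "(fn [req] true)",
    "link": [{"reference": "Patient/p1"}],
    "type": "admin",
    "_source": "code",
    "notes": "unknown field",
}

# Constructed sample: sql engine declared but the query is missing.
EMPTY_SQL_POLICY = {"resourceType": "AccessPolicy", "id": "sql-check", "engine": "sql", "sql": {}}

if __name__ == "__main__":
    for p in (GOOD_POLICY, BAD_POLICY, EMPTY_SQL_POLICY):
        print(p["id"], lint_access_policy(p) or "ok")
```

Run it over the policies exported from an instance (or the ones kept in an Init Bundle) before loading them; a non-empty list for any policy is a reason to stop the deployment.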

AuthConfig

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| asidCookieMaxAge | 0..1 | integer | In Aidbox version v:2402 and later, sessions created through the Aidbox UI log-in are not infinite. The default session expiration time is 432000 seconds (5 days). |
| theme | 0..1 | BackboneElement | |
| theme.brand | 0..1 | string | Brand for auth page |
| theme.title | 0..1 | string | Title for auth page |
| theme.styleUrl | 0..1 | uri | URL to external stylesheet |
| theme.forgotPasswordUrl | 0..1 | uri | URL to forgot password page |
| twoFactor | 0..1 | BackboneElement | |
| twoFactor.webhook | 0..1 | BackboneElement | |
| twoFactor.webhook.headers | 0..1 | Map | Map of HTTP header key-value pairs |
| twoFactor.webhook.timeout | 0..1 | integer | Timeout in milliseconds |
| twoFactor.webhook.endpoint | 1..1 | string | URL to webhook that supports POST method |
| twoFactor.issuerName | 0..1 | string | Issuer name for OTP authenticator app |
| twoFactor.validPastTokensCount | 0..1 | integer | Number of past tokens considered valid (useful with webhook since OTP lives ~30s) |

Client

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| active | 0..1 | boolean | Indicates whether this client is active and can be used for authentication. |
| allowed-scopes | 0..* | Reference | References to specific Scope resources this client is allowed to request. Allowed references: Scope |
| allowedIssuers | 0..* | string | List of authorized token issuers for this client. |
| allowed_origins | 0..* | uri | Allowed Origins are URLs that will be allowed to make requests. |
| auth | 0..1 | BackboneElement | Authentication configuration for different OAuth flows. |
| auth.client_credentials | 0..1 | BackboneElement | Configuration for the client credentials grant type. |
| auth.client_credentials.token_format | 0..1 | string | Format of the access token. Allowed values: jwt |
| auth.client_credentials.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.client_credentials.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.client_credentials.audience | 0..* | string | Intended audience for issued tokens; identifies the resource server the access is intended for. Aidbox compares the audience configured on the Client with the audience it receives in a JWT and decides whether access should be granted. The audience can be defined in two ways: as a plain string, e.g. https://cmpl.aidbox.app/smart, or as a regex, in which case the value must start with the # symbol, e.g. #https://cmpl.aidbox.app/tenant/[^\]/smart. Audience validation happens when a SMART on FHIR app launches. |
| auth.client_credentials.client_assertion_types | 0..* | string | Supported client assertion types. Allowed values: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| auth.client_credentials.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| auth.implicit | 0..1 | BackboneElement | Configuration for the implicit grant type. |
| auth.implicit.redirect_uri | 0..1 | url | Redirect URI for the implicit flow. |
| auth.implicit.token_format | 0..1 | string | Format of the access token. Allowed values: jwt |
| auth.implicit.audience | 0..* | string | Intended audience for issued tokens. |
| auth.implicit.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.password | 0..1 | BackboneElement | Configuration for the password grant type. |
| auth.password.secret_required | 0..1 | boolean | Whether client secret is required for password grant. |
| auth.password.audience | 0..* | string | Intended audience for issued tokens. |
| auth.password.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| auth.password.redirect_uri | 0..1 | url | If present, turns on redirect protection. |
| auth.password.token_format | 0..1 | string | Format of the access token. Allowed values: jwt |
| auth.password.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.password.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.authorization_code | 0..1 | BackboneElement | Configuration for the authorization code grant type. |
| auth.authorization_code.token_format | 0..1 | string | Format of the access token. Allowed values: jwt |
| auth.authorization_code.audience | 0..* | string | Intended audience for issued tokens. |
| auth.authorization_code.secret_required | 0..1 | boolean | Whether client secret is required for token exchange. |
| auth.authorization_code.pkce | 0..1 | boolean | Whether PKCE (Proof Key for Code Exchange) is required. |
| auth.authorization_code.redirect_uri | 0..1 | url | Redirect URI for the authorization code flow. |
| auth.authorization_code.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.authorization_code.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.authorization_code.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| auth.token_exchange | 0..1 | BackboneElement | Configuration for the token exchange grant type. |
| auth.token_exchange.token_format | 0..1 | string | Format of the access token. Allowed values: jwt |
| auth.token_exchange.access_token_expiration | 0..1 | integer | Expiration time for access tokens in seconds. |
| auth.token_exchange.refresh_token_expiration | 0..1 | integer | Expiration time for refresh tokens in seconds. |
| auth.token_exchange.audience | 0..* | string | Intended audience for issued tokens. |
| auth.token_exchange.refresh_token | 0..1 | boolean | Whether to issue refresh tokens with this grant type. |
| description | 0..1 | string | A description of the client application for administrative purposes. |
| details | 0..1 | Object | Additional client details or configuration options. |
| fhir-base-url | 0..1 | string | Base URL of the FHIR server this client interacts with. |
| first_party | 0..1 | boolean | Indicates whether this is a first-party client. |
| grant_types | 0..* | string | OAuth 2.0 grant types this client is authorized to use. Allowed values: basic, authorization_code, code, password, client_credentials, implicit, refresh_token, urn:ietf:params:oauth:grant-type:token-exchange |
| jwks | 0..* | BackboneElement | JSON Web Key Set for client authentication and/or verification. |
| jwks.kid | 0..1 | string | Key ID that identifies this key. |
| jwks.kty | 0..1 | string | Key type. Allowed values: RSA |
| jwks.alg | 0..1 | string | Algorithm used with this key. Allowed values: RS384 |
| jwks.e | 0..1 | string | Exponent value for RSA key. |
| jwks.n | 0..1 | string | Modulus value for RSA key. |
| jwks.use | 0..1 | string | Key usage. Allowed values: sig |
| jwks_uri | 0..1 | url | URI where the client's JSON Web Key Set can be retrieved. |
| name | 0..1 | string | Human-readable name of the client application. |
| scope | 0..* | string | List of scopes this client is authorized to request. |
| scopes | 0..* | BackboneElement | Detailed scope configurations with associated policies. |
| scopes.policy | 0..1 | Reference | Reference to an AccessPolicy resource for this scope. Allowed references: AccessPolicy |
| scopes.parameters | 0..1 | Object | Parameters to be applied with the scope's policy. |
| secret | 0..1 | sha256Hash | Hashed client secret for authentication. |
| smart | 0..1 | BackboneElement | SMART on FHIR configuration for this client. |
| smart.launch_uri | 0..1 | string | URI to launch the SMART app. |
| smart.name | 0..1 | string | Name of the SMART app. |
| smart.description | 0..1 | string | Description of the SMART app. |
| trusted | 0..1 | boolean | Indicates whether this client is trusted and given special privileges. |
| type | 0..1 | string | The type of client application. |
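The audience rule in the auth.client_credentials.audience row above is the one field in this table with matching logic behind it: a configured value is compared literally unless it starts with #, in which case it is treated as a regular expression. The code below is an added example written for this page, not Aidbox's own implementation; it builds a Client resource for a confidential backend service using the client_credentials grant with a jwt-bearer assertion and a JWKS URI, and checks JWT aud claims against its configured audiences. The client id, URLs, key location and the regex pattern are constructed for the example; full-match anchoring of the regex and denying when no audience is configured are assumptions of the example, not statements about how Aidbox behaves.

```python
"""Audience check for a Client's auth.<grant>.audience list."""
# Added example, not Aidbox's own code. It models the rule stated in the
# Client table: a plain string matches exactly, a value starting with '#'
# is a regular expression. The Client resource, URLs and 'aud' values below
# are constructed for this example; full-match anchoring and deny-on-empty
# are the example's assumptions.
import re

# Constructed Client: backend service authenticating with a signed JWT
# assertion (client_credentials grant), public keys fetched from jwks_uri.
BACKEND_CLIENT = {
    "resourceType": "Client",
    "id": "analytics-backend",
    "active": True,
    "grant_types": ["client_credentials"],
    "auth": {
        "client_credentials": {
            "token_format": "jwt",
            "access_token_expiration": 300,
            "refresh_token": False,
            "client_assertion_types": [
                "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
            ],
            "audience": [
                "https://fhir.example.org/smart",                # plain string
                "#https://fhir.example.org/tenant/[^/]+/smart",  # regex (leading '#')
            ],
        }
    },
    "jwks_uri": "https://analytics.example.org/.well-known/jwks.json",
}


def audience_matches(configured: str, presented: str) -> bool:
    """Compare one configured audience value with one presented 'aud' value."""
    if configured.startswith("#"):
        # Assumption: the pattern must match the whole presented value.
        return re.fullmatch(configured[1:], presented) is not None
    return configured == presented


def audience_allowed(client: dict, grant: str, aud_claim) -> bool:
    """True if any presented 'aud' value (string or list, as RFC 7519 allows)
    matches any audience configured for the given grant type."""
    configured = client.get("auth", {}).get(grant, {}).get("audience", [])
    if not configured:
        return False  # assumption for this example: nothing configured, deny
    presented = [aud_claim] if isinstance(aud_claim, str) else list(aud_claim)
    return any(audience_matches(c, p) for c in configured for p in presented)


if __name__ == "__main__":
    for aud in ("https://fhir.example.org/smart",
                "https://fhir.example.org/tenant/acme/smart",
                "https://fhir.example.org/tenant/acme/other/smart"):
        print(aud, audience_allowed(BACKEND_CLIENT, "client_credentials", aud))
```

The third sample value is rejected because [^/]+ admits exactly one path segment between tenant/ and /smart; an unanchored or over-broad pattern such as #.* would accept tokens minted for any resource server, which is why each regex audience deserves the same review as an AccessPolicy.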

Grant

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| client | 0..1 | Reference | Reference to the client application being granted access. Allowed references: Client |
| patient | 0..1 | Reference | Reference to the patient this grant is for (in SMART on FHIR scenarios). Allowed references: Patient |
| provided-scope | 0..* | string | List of scopes that were actually granted by the user. |
| requested-scope | 0..* | string | List of scopes that were requested by the client. |
| scope | 0..1 | string | Space-separated list of granted scopes. |
| start | 0..1 | dateTime | Time when this grant was created. |
| user | 0..1 | Reference | Reference to the user who granted the access. Allowed references: User |

IdentityProvider

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| active | 0..1 | boolean | Indicates whether this identity provider is active and can be used for authentication. |
| authorize_endpoint | 0..1 | string | The URL of the authorization endpoint. |
| base_url | 0..1 | uri | |
| client | 0..1 | BackboneElement | Client configuration for this identity provider. |
| client.id | 0..1 | string | Client identifier used for authentication with the identity provider. |
| client.redirect_uri | 0..1 | uri | URI where the provider will redirect after authentication. |
| client.auth-method | 0..1 | string | Client authentication method. Allowed values: symmetric, asymmetric |
| client.secret | 0..1 | string | Client secret for symmetric authentication. |
| client.private-key | 0..1 | string | Private key for asymmetric authentication. |
| client.certificate | 0..1 | string | Certificate |
| client.certificate-thumbprint | 0..1 | string | Certificate thumbprint. |
| client.creds-ts | 0..1 | string | |
| introspection_endpoint | 0..1 | string | The URL of the token introspection endpoint. |
| isEmailUniqueness | 0..1 | boolean | Indicates whether email uniqueness should be enforced for this provider. |
| isScim | 0..1 | boolean | Indicates whether this provider supports the SCIM protocol. |
| jwks_uri | 0..1 | string | URI where the provider's JSON Web Key Set can be retrieved. |
| kid | 0..1 | string | Key identifier used for token verification. |
| organizations | 0..* | string | Organizations associated with this identity provider. |
| registration_endpoint | 0..1 | string | The URL of the registration endpoint. |
| revocation_endpoint | 0..1 | string | The URL of the token revocation endpoint. |
| scopes | 0..* | string | OAuth scopes that should be requested during authentication. |
| system | 0..1 | string | System identifier for the identity provider. |
| team_id | 0..1 | string | |
| title | 0..1 | string | A human-readable name for the identity provider. |
| toScim | 0..1 | Object | Mapping rules for transforming identity provider data. |
| token_endpoint | 0..1 | string | The URL of the token endpoint. |
| type | 0..1 | string | The type of identity provider. Allowed values: aidbox, github, google, OIDC, OAuth, az-dev, yandex, okta, apple |
| userinfo-source | 0..1 | string | Source of userinfo details. Allowed values: id-token, userinfo-endpoint |
| userinfo_endpoint | 0..1 | string | The URL of the userinfo endpoint. |
| userinfo_header | 0..1 | string | Header to be used when calling the userinfo endpoint. |

Notification

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| provider | 0..1 | string | |
| providerData | 0..1 | Object | |
| status | 0..1 | string | Status of the notification delivery. Allowed values: delivered, error |

NotificationTemplate

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| subject | 0..1 | string | Subject line for the notification template. |
| template | 0..1 | string | Template content used to generate the notification message. |

Registration

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| params | 0..1 | Object | |
| resource | 0..1 | Object | Registration form data. |
| status | 0..1 | string | Status of the registration process. Allowed values: activated, active |

Role

User role

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| context | 0..1 | Object | |
| description | 0..1 | string | Text description of the role. |
| links | 0..1 | BackboneElement | Resources listed here can later be granted to the user holding this role via an AccessPolicy resource. |
| links.patient | 0..1 | Reference | Reference to a Patient resource. Allowed references: Patient |
| links.practitionerRole | 0..1 | Reference | Reference to a PractitionerRole resource. Allowed references: PractitionerRole |
| links.practitioner | 0..1 | Reference | Reference to a Practitioner resource. Allowed references: Practitioner |
| links.organization | 0..1 | Reference | Reference to an Organization resource. Allowed references: Organization |
| links.person | 0..1 | Reference | Reference to a Person resource. Allowed references: Person |
| links.relatedPerson | 0..1 | Reference | Reference to a RelatedPerson resource. Allowed references: RelatedPerson |
| name | 1..1 | string | Role name is a string that defines the role. To assign the same role to multiple users, create multiple Role resources with the same "name". [Search param: name => type string] |
| user | 1..1 | Reference | Reference to the User resource to which the role applies. [Search param: user => type reference] Allowed references: User |

Scope

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| description | 0..1 | string | When provided, the scope definition is additionally displayed on the consent screen. |
| scope | 1..1 | string | The value of the scope. |
| title | 1..1 | string | A user-friendly name for the scope that appears on the consent screen. |

Session

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| access_token | 0..1 | sha256Hash | Access token hash associated with this session. |
| active | 0..1 | boolean | Indicates whether this session is currently active. |
| audience | 0..1 | string | Intended audience for tokens issued in this session. |
| authorization_code | 0..1 | sha256Hash | Authorization code used to obtain this session. |
| client | 0..1 | Reference | Reference to the client application associated with this session. Allowed references: Client |
| ctx | 0..1 | Object | |
| end | 0..1 | dateTime | Time when the session ended or will end. |
| exp | 0..1 | integer | Expiration time for the access token (in seconds since epoch). |
| jti | 0..1 | string | |
| on-behalf | 0..1 | Reference | Reference to a user on whose behalf this session is operating. Allowed references: User |
| parent | 0..1 | Reference | Reference to a parent session if this is a child session. Allowed references: Session |
| patient | 0..1 | Reference | Reference to the patient associated with this session. Allowed references: Patient |
| refresh_token | 0..1 | sha256Hash | Refresh token hash associated with this session. |
| refresh_token_exp | 0..1 | integer | Expiration time for the refresh token (in seconds since epoch). |
| scope | 0..* | string | List of OAuth scopes authorized for this session. |
| start | 0..1 | dateTime | Time when the session started. |
| type | 0..1 | string | Type of session (e.g., authorization_code, password, client_credentials). |
| user | 0..1 | Reference | Reference to the user associated with this session. Allowed references: User |

TokenIntrospector

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| identity_provider | 0..1 | Reference | Link to the IdentityProvider associated with the token introspector. Allowed references: IdentityProvider |
| introspection_endpoint | 0..1 | BackboneElement | |
| introspection_endpoint.url | 0..1 | string | The fully qualified URL of the remote introspection endpoint. |
| introspection_endpoint.authorization | 0..1 | string | The Authorization header value (e.g. a Basic Auth or Bearer token) used when calling the introspection endpoint. If present, it is included in the request headers. |
| jwks_uri | 0..1 | string | A URL pointing to a JSON Web Key Set (JWKS). When type is jwt, the introspector retrieves public keys from this URI to validate token signatures. |
| jwt | 0..1 | BackboneElement | Configuration for local JWT validation, used when type is jwt. |
| jwt.iss | 0..1 | string | The expected issuer (iss) claim value for JWTs. The TokenIntrospector ensures that tokens it validates come from this issuer. |
| jwt.secret | 0..1 | string | A shared secret key or other signing key material used to verify the JWT's signature. |
| jwt.keys | 0..* | BackboneElement | The set of keys to use for validation. |
| jwt.keys.k | 0..1 | string | The asymmetric key to use for validation. |
| jwt.keys.pub | 0..1 | string | The asymmetric key to use for validation. |
| jwt.keys.kty | 1..1 | string | The key type to use for validation. Allowed values: RSA, EC, OCT |
| jwt.keys.alg | 1..1 | string | The algorithm to use for validation. Allowed values: RS256, RS384, ES256, HS256 |
| jwt.keys.format | 1..1 | string | The format of the key to use for validation: 'plain' for symmetric algorithms (HS256) and 'PEM' for all asymmetric algorithms. Allowed values: PEM, plain |
| type | 1..1 | string | Specifies the type of token to introspect. Allowed values: opaque, jwt, aspxauth |
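As an added illustration (not Aidbox's own code) of what the jwt.iss and jwt.keys fields imply for a local JWT verifier: the algorithm is selected from the configured key list rather than trusted from the token header, the signature is checked before any claim is read as authoritative, and the issuer and expiry are enforced. The introspector config, issuer URL and secret below are constructed, hypothetical values; only HS256 with a 'plain' key is implemented.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed config mirroring the TokenIntrospector jwt/keys fields above.
# Hypothetical values, not an actual Aidbox configuration.
INTROSPECTOR = {
    "type": "jwt",
    "jwt": {
        "iss": "https://idp.example.test",
        "keys": [{"kty": "OCT", "alg": "HS256", "format": "plain",
                  "k": "constructed-shared-secret-do-not-reuse"}],
    },
}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, secret: str) -> str:
    """Issuer side, used only to build sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def introspect(token: str, config: dict, now=None) -> dict:
    """Verifier side: returns {'active': bool, 'reason': str, **claims}."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except (ValueError, json.JSONDecodeError):
        return {"active": False, "reason": "malformed"}
    # The accepted algorithm comes from the configured key, so a header
    # claiming "none" or an unconfigured alg is rejected before verification.
    key = next((k for k in config["jwt"]["keys"]
                if k["alg"] == header.get("alg") and k["format"] == "plain"), None)
    if key is None:
        return {"active": False, "reason": "alg not configured"}
    expected = hmac.new(key["k"].encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return {"active": False, "reason": "bad signature"}
    if claims.get("iss") != config["jwt"]["iss"]:  # jwt.iss from the config
        return {"active": False, "reason": "issuer mismatch"}
    if "exp" in claims and claims["exp"] <= now:
        return {"active": False, "reason": "expired"}
    return {"active": True, "reason": "ok", **claims}
```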

User

| Path | Card. | Type | Description |
|---|---|---|---|
| _source | 0..1 | string | System Property. DO NOT USE IT. |
| active | 0..1 | boolean | NB: this attribute is ignored. Indicates the User's administrative status. |
| addresses | 0..* | BackboneElement | A physical mailing address for this User (e.g. 'work', 'home'). |
| addresses.formatted | 0..1 | string | Full address, formatted for display or mailing label. |
| addresses.streetAddress | 0..1 | string | Street address component (may contain newlines). |
| addresses.locality | 0..1 | string | City or locality component. |
| addresses.region | 0..1 | string | State or region component. |
| addresses.postalCode | 0..1 | string | Zip code or postal code. |
| addresses.country | 0..1 | string | Country name component. |
| addresses.type | 0..1 | string | A label indicating the address type, e.g. 'work' or 'home'. |
| costCenter | 0..1 | string | Identifies the name of a cost center. |
| data | 0..1 | Object | Arbitrary user-related data. |
| department | 0..1 | string | Identifies the name of a department. |
| displayName | 0..1 | string | The name of the User, suitable for display to end-users. |
| division | 0..1 | string | Identifies the name of a division. |
| email | 0..1 | email | Primary email for the user. |
| emails | 0..* | BackboneElement | Email addresses for the user. Values should be canonicalized (e.g. 'bjensen@example.com'). |
| emails.value | 0..1 | string | An individual email address (canonicalized). |
| emails.display | 0..1 | string | A human-readable name for display purposes (READ-ONLY). |
| emails.type | 0..1 | string | A label indicating the attribute's function, e.g. 'work', 'home'. |
| emails.primary | 0..1 | boolean | Indicates if this is the primary email. Only one primary may be 'true'. |
| employeeNumber | 0..1 | string | Numeric or alphanumeric identifier assigned to a person by the organization. |
| entitlements | 0..* | BackboneElement | A list of entitlements for the User that represent a thing the User has. |
| entitlements.value | 0..1 | string | The value of an entitlement. |
| entitlements.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| entitlements.type | 0..1 | string | A label indicating the attribute's function. |
| entitlements.primary | 0..1 | boolean | Indicates if this is the primary entitlement. Only one may be 'true'. |
| fhirUser | 0..1 | Reference | A reference to a related FHIR resource. Allowed references: Patient, Practitioner, Person |
| gender | 0..1 | string | The user's gender. |
| identifier | 0..* | Identifier | A list of identifiers for the user. |
| ims | 0..* | BackboneElement | Instant messaging addresses for the User. |
| ims.value | 0..1 | string | Instant messaging address. |
| ims.display | 0..1 | string | A human-readable name, primarily for display (READ-ONLY). |
| ims.type | 0..1 | string | A label indicating the IM type, e.g. 'aim', 'gtalk'. |
| ims.primary | 0..1 | boolean | Indicates if this is the primary IM. Only one may be 'true'. |
| inactive | 0..1 | boolean | A Boolean value indicating the User's administrative status. |
| link | 0..* | BackboneElement | A collection of references or links associated with the user. |
| link.link | 0..1 | Reference | A referenced resource link. |
| link.type | 0..1 | string | A label indicating the link's function. |
| locale | 0..1 | string | Indicates the User's default location for localization (e.g., currency, date format). |
| manager | 0..1 | Reference | Another User resource who is this User's manager. Allowed references: User |
| name | 0..1 | BackboneElement | The components of the user's real name (formatted, family, given, etc.). |
| name.formatted | 0..1 | string | Full name, including titles and suffixes, formatted for display. |
| name.familyName | 0..1 | string | Family name (last name in Western languages). |
| name.givenName | 0..1 | string | Given name (first name in Western languages). |
| name.middleName | 0..1 | string | The middle name(s) of the User. |
| name.honorificPrefix | 0..1 | string | Honorific prefix (title), e.g. 'Ms.'. |
| name.honorificSuffix | 0..1 | string | Honorific suffix, e.g. 'III'. |
| organization | 0..1 | Reference | Identifies the name of an organization. Allowed references: Organization |
| password | 0..1 | password | The User's cleartext password, used for initial or reset scenarios. |
| phoneNumber | 0..1 | string | Primary phone number. |
| phoneNumbers | 0..* | BackboneElement | Phone numbers for the User, e.g. 'tel:+1-201-555-0123'. |
| phoneNumbers.value | 0..1 | string | The user's phone number. |
| phoneNumbers.display | 0..1 | string | A human-readable name for display purposes (READ-ONLY). |
| phoneNumbers.type | 0..1 | string | A label for the phone number's function, e.g. 'home', 'work'. |
| phoneNumbers.primary | 0..1 | boolean | Indicates if this is the primary phone number. Only one may be 'true'. |
| photo | 0..1 | uri | Primary photo for the user. |
| photos | 0..* | BackboneElement | URLs of photos of the user. |
| photos.value | 0..1 | uri | URL of a photo of the User. |
| photos.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| photos.type | 0..1 | string | A label indicating 'photo' or 'thumbnail'. |
| photos.primary | 0..1 | boolean | Indicates if this is the primary photo. Only one may be 'true'. |
| preferredLanguage | 0..1 | string | The User's preferred written or spoken language, e.g. 'en_US'. |
| profileUrl | 0..1 | uri | A fully qualified URL pointing to a page representing the User's online profile. |
| roles | 0..* | BackboneElement | A list of roles for the User that collectively represent who the User is (e.g. 'Student', 'Faculty'). |
| roles.value | 0..1 | string | The value of a role. |
| roles.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| roles.type | 0..1 | string | A label indicating the attribute's function. |
| roles.primary | 0..1 | boolean | Indicates if this is the primary role. Only one may be 'true'. |
| securityLabel | 0..* | BackboneElement | List of security labels associated with the user. |
| securityLabel.system | 0..1 | string | Code system. |
| securityLabel.code | 0..1 | string | Code value. |
| timezone | 0..1 | string | The User's time zone in the 'Olson' format, e.g. 'America/Los_Angeles'. |
| title | 0..1 | string | The user's title, e.g. 'Vice President'. |
| twoFactor | 0..1 | BackboneElement | Two-factor settings for the user. |
| twoFactor.enabled | 1..1 | boolean | Defines whether two-factor auth is currently enabled. |
| twoFactor.transport | 0..1 | string | Transport of the 2FA confirmation code (if used). |
| twoFactor.secretKey | 1..1 | string | TOTP secret key. |
| userName | 0..1 | string | Unique identifier for the User, typically used to directly authenticate. Must be unique across the service provider's Users. |
| userType | 0..1 | string | Identifies the relationship between the organization and the user (e.g. 'Employee', 'Contractor'). |
| x509Certificates | 0..* | BackboneElement | A list of certificates issued to the User. |
| x509Certificates.value | 0..1 | base64Binary | The value of an X.509 certificate (base64). |
| x509Certificates.display | 0..1 | string | A human-readable name, primarily used for display purposes (READ-ONLY). |
| x509Certificates.type | 0..1 | string | A label indicating the certificate's function. |
| x509Certificates.primary | 0..1 | boolean | Indicates if this is the primary certificate. Only one may be 'true'. |

Last updated 16 days ago