Access Control

Simple Access Policy

You can test access policies with Postman.
Access the Auth Clients tab and create a new client.
```yaml
resourceType: Client
id: postman
secret: secret
grant_types: ['basic']
```
Access the Access Control tab and create a new access policy with the code below. Let's look at how this policy works. In this schema, two constraints are introduced:
  1. only the GET method is allowed;
  2. only request URIs starting with "/fhir/" are allowed.
JSON-schema version:
```yaml
resourceType: AccessPolicy
id: policy-for-postman
engine: json-schema
schema:
  required:
    - client
    - uri
    - request-method
  properties:
    uri:
      type: string
      pattern: '^/fhir/.*'
    client:
      required:
        - id
      properties:
        id:
          const: postman
    request-method:
      const: get
```
Matcho engine version:
```yaml
resourceType: AccessPolicy
id: policy-for-postman
engine: matcho
matcho:
  client:
    id: postman
  uri: '#^/fhir/.*'
  request-method: get
```
Now, let's execute requests in Postman.
A request succeeds if at least one of the policies is valid for it.

Positive Test

```http
GET {{base}}/fhir/Patient
```

Negative Test

```http
POST {{base}}/fhir/Patient
```

Policy Debugging

Add the query parameter __debug=policy to a request to see which policy validation returned true and which returned false.

Positive Test

```http
GET {{base}}/fhir/Patient
```

Negative Test

```http
POST {{base}}/fhir/Patient
```
See the full documentation: Access Policies.

Access Policies for Users

Previously, we tested access control for clients, using Postman as the client. Now, let's create and test access policies for users. We will still need our client credentials.
First, we need to create a couple of users.
Access the Users tab and create two users in Aidbox.Cloud.

User 1

```yaml
data:
  name: Camila Harrington
  roles:
    - Administrator
    - Doctor
email: [email protected]-samurai.io
password: password1
id: user1
resourceType: User
```

User 2

```yaml
data:
  name: Jazmin Holmes
  roles:
    - Patient
email: [email protected]-samurai.io
password: password2
id: user2
resourceType: User
```

Read-Only Access for Patient Role

Now, let's define read-only access for the 'Patient' role. Create an access policy with the code below (either engine version works).
```yaml
# matcho version
resourceType: AccessPolicy
id: policy-for-postman-users-role-patient
engine: matcho
matcho:
  user:
    data: { roles: {$contains: Patient} }
  client: { id: postman }
  request-method: get
```
```yaml
# json-schema version
resourceType: AccessPolicy
id: policy-for-postman-users-role-patient
engine: json-schema
schema:
  required:
    - client
    - user
    - request-method
  properties:
    user:
      required:
        - data
      properties:
        data:
          required:
            - roles
          properties:
            roles:
              # "not (every item is not Patient)" == "at least one role is Patient"
              not:
                items:
                  not:
                    enum:
                      - Patient
              type: array
    client:
      required:
        - id
      properties:
        id:
          const: postman
    request-method:
      const: get
description: Read-only access for users with role Patient from client Postman
```

Full Access for Administrator Role

Let's set access rights for administrators.
```yaml
# matcho version
# resourceType and id were missing from this snippet; they are taken from the
# json-schema version of the same policy below.
resourceType: AccessPolicy
id: policy-for-postman-users-role-administrator
engine: matcho
matcho:
  request-method: {$enum: ['get','post','put','delete','patch']}
  user:
    data: {roles: {$contains: 'Administrator'}}
  client: { id: postman }
```
```yaml
# json-schema version
engine: json-schema
schema:
  required:
    - client
    - user
    - request-method
  properties:
    user:
      required:
        - data
      properties:
        data:
          required:
            - roles
          properties:
            roles:
              # at least one role must be Administrator
              not:
                items:
                  not:
                    enum:
                      - Administrator
              type: array
    client:
      required:
        - id
      properties:
        id:
          const: postman
    request-method:
      enum:
        - get
        - post
        - put
        - delete
        - options   # was "option", which is not an HTTP method
        - patch
        - head
description: Full access for users with role Administrator from client Postman
id: policy-for-postman-users-role-administrator
resourceType: AccessPolicy
```

Test User Access Control

Get Bearer Token for User

Now, let's test the policies in Postman.
First, we need to get a bearer token for a user and a client.
The line grant_type: password must not be changed.
```http
POST {{base}}/auth/token

client_id: postman
client_secret: <your-client-password>
username: [email protected]-samurai.io
password: <your-user1-password>
grant_type: password
```
Execute the request and copy the received access_token value. Paste it into the Authorization header of your test request, prefixed with the word Bearer.
E.g. you got the following access_token:
```json
{
  "access_token": "45ab638d-9a3a-492b-b2df-0d8295c108fc",
  "refresh_token": "eyJzZXNzaW9uX2lkIjoiODJhYjYzOGQtOWEzYS00OTJiLWIyZGYtMGQ4Mjk1YzEwOGZjIiwidXNlcl123456InVzZXIxIiwiaWF0IjoxNTQyMDMxODkyfQpvbjE4SUxtRXhVQWJmcl8zZUVGNTZUTl9vV0E",
  "token_type": "bearer"
}
```
Your authorization header will be: Bearer 45ab638d-9a3a-492b-b2df-0d8295c108fc.

Execute Requests with User Bearer Token

Now, let's execute requests as the users to test their access.
Test user request with GET:
```http
GET {{base}}/fhir/Patient?__debug=policy
```
Test user request with POST:
```http
POST {{base}}/fhir/Patient?__debug=policy
```
The results of the policy validation should be the following:

| Request/User | User 1 (Administrator) | User 2 (Patient) |
|--------------|------------------------|------------------|
| GET          | True                   | True             |
| POST         | True                   | False            |
See the full documentation: Resource Owner Credentials Grant.