You can test access policies with Postman.
Access the Auth Clients tab and create a new client:

```yaml
resourceType: Client
id: postman
secret: secret
grant_types: ['basic']
```
Access the Access Control tab and create a new access policy with the code below. Let's look at how this policy works. The schema introduces two constraints:

- only the GET method is allowed;
- only request URIs starting with "/fhir/" are allowed.

```yaml
resourceType: AccessPolicy
id: policy-for-postman
engine: json-schema
schema:
  required:
    - client
    - uri
    - request-method
  properties:
    uri:
      type: string
      pattern: '^/fhir/.*'
    client:
      required:
        - id
      properties:
        id:
          const: postman
    request-method:
      const: get
```

```yaml
# or matcho engine version
engine: matcho
matcho:
  client: { id: postman }
  # a string starting with '#' is treated as a regular expression by matcho
  uri: '#^/fhir/.*'
  request-method: get
```
Now, let's execute requests in Postman.
A request succeeds if at least one of the policies is valid for it.
```http
GET {{base}}/fhir/Patient
POST {{base}}/fhir/Patient
```
Let's add the `__debug=policy` query parameter to the requests to see which policy's JSON-schema validation returned true and which returned false:

```http
GET {{base}}/fhir/Patient?__debug=policy
POST {{base}}/fhir/Patient?__debug=policy
```
See the full Access Policies documentation.

Previously, we tested access control for clients, using Postman as the client. Now, let's create and test access policies for users. We will still need our client credentials.
First, we need to create a couple of users.
Access the Users tab and create two users in Aidbox.Cloud:

```yaml
data:
  name: Camila Harrington
  roles:
    - Administrator
    - Doctor
email: user1@health-samurai.io
password: password1
id: user1
resourceType: User
```

```yaml
data:
  name: Jazmin Holmes
  roles:
    - Patient
email: user2@health-samurai.io
password: password2
id: user2
resourceType: User
```
Now, let's define read-only access for the 'Patient' role. Create an access policy with the code below.

```yaml
# matcho version
resourceType: AccessPolicy
id: policy-for-postman-users-role-patient
engine: matcho
matcho:
  user:
    data: { roles: {$contains: Patient} }
  client: { id: postman }
  request-method: get
```

```yaml
resourceType: AccessPolicy
id: policy-for-postman-users-role-patient
engine: json-schema
schema:
  required:
    - client
    - user
    - request-method
  properties:
    user:
      required:
        - data
      properties:
        data:
          required:
            - roles
          properties:
            roles:
              # "not (every item is not Patient)" = at least one role is Patient
              not:
                items:
                  not:
                    enum:
                      - Patient
              type: array
    client:
      required:
        - id
      properties:
        id:
          const: postman
    request-method:
      const: get
description: Read-only access for users with role Patient from client Postman
```
Let's set access rights for administrators.

```yaml
# matcho version
resourceType: AccessPolicy
id: policy-for-postman-users-role-administrator
engine: matcho
matcho:
  request-method: {$enum: ['get','post','put','delete','patch']}
  user:
    data: {roles: {$contains: 'Administrator'}}
  client: { id: postman }
```

```yaml
engine: json-schema
schema:
  required:
    - client
    - user
    - request-method
  properties:
    user:
      required:
        - data
      properties:
        data:
          required:
            - roles
          properties:
            roles:
              # at least one role must be Administrator
              not:
                items:
                  not:
                    enum:
                      - Administrator
              type: array
    client:
      required:
        - id
      properties:
        id:
          const: postman
    request-method:
      enum:
        - get
        - post
        - put
        - delete
        - options
        - patch
        - head
description: Full access for users with role Administrator from client Postman
id: policy-for-postman-users-role-administrator
resourceType: AccessPolicy
```
Now, let's test the policies in Postman.
First, we need to get a bearer token for our user and client. The line `grant_type: password` must not be changed.

```http
POST {{base}}/auth/token

client_id: postman
client_secret: <your-client-password>
username: user1@health-samurai.io
password: <your-user1-password>
grant_type: password
```
Execute the request and copy the received `access_token` value. Paste it into the Authorization header of your test request, prefixed with the word `Bearer`.

For example, if you received this token response:

```json
{
  "access_token": "45ab638d-9a3a-492b-b2df-0d8295c108fc",
  "refresh_token": "eyJzZXNzaW9uX2lkIjoiODJhYjYzOGQtOWEzYS00OTJiLWIyZGYtMGQ4Mjk1YzEwOGZjIiwidXNlcl123456InVzZXIxIiwiaWF0IjoxNTQyMDMxODkyfQpvbjE4SUxtRXhVQWJmcl8zZUVGNTZUTl9vV0E",
  "token_type": "bearer"
}
```

your Authorization header will be: `Bearer 45ab638d-9a3a-492b-b2df-0d8295c108fc`.
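The token exchange above, scripted end to end with only the Python standard library. This is an added example, not Aidbox's or Postman's own code: it builds the password-grant form body, turns the `/auth/token` response into the `Authorization: Bearer ...` header, and sends the `__debug=policy` test requests. `BASE`, `CLIENT_SECRET` and `PASSWORD` are placeholders you must replace; the sample token response is the one shown on this page, with the refresh token omitted.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder endpoint and credentials (assumed values, not real ones).
BASE = "https://<your-box>.aidbox.app"
CLIENT_ID = "postman"
CLIENT_SECRET = "<your-client-password>"
USERNAME = "user1@health-samurai.io"
PASSWORD = "<your-user1-password>"

# Token response as shown on this page (sample value, refresh token omitted).
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token": "45ab638d-9a3a-492b-b2df-0d8295c108fc",'
    '"refresh_token": "<omitted>","token_type": "bearer"}'
)


def password_grant_body(client_id, client_secret, username, password):
    """x-www-form-urlencoded body for POST /auth/token; grant_type is always 'password'."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
        "grant_type": "password",
    })


def bearer_header(token_response):
    """Turn the JSON body returned by /auth/token into the Authorization header."""
    token = json.loads(token_response)
    if token.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % token.get("token_type"))
    return {"Authorization": "Bearer " + token["access_token"]}


def fetch_token(base, client_id, client_secret, username, password):
    """Perform the token request (network call, only run from __main__)."""
    body = password_grant_body(client_id, client_secret, username, password).encode()
    req = urllib.request.Request(
        base + "/auth/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def policy_debug(base, headers, method, path="/fhir/Patient"):
    """Send the test request with __debug=policy and return the parsed JSON body.

    A denied request makes urlopen raise HTTPError; its body is returned as
    well so the caller can inspect the error payload instead of losing it.
    """
    req = urllib.request.Request(base + path + "?__debug=policy", method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode())


if __name__ == "__main__":
    headers = bearer_header(fetch_token(BASE, CLIENT_ID, CLIENT_SECRET, USERNAME, PASSWORD))
    print(json.dumps(policy_debug(BASE, headers, "GET"), indent=2))
    print(json.dumps(policy_debug(BASE, headers, "POST"), indent=2))
```

The resource owner password grant hands the user's password to the client, which is why it suits a trusted first-party test client like Postman here and not a third-party application.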
Now, let's execute requests as the users to test their access.

Test the user's request with GET:

```http
GET {{base}}/fhir/Patient?__debug=policy
```

Test the user's request with POST:

```http
POST {{base}}/fhir/Patient?__debug=policy
```
The results of policy validation should be the following:

| Request / User | User 1 (Administrator) | User 2 (Patient) |
|---|---|---|
| GET | True | True |
| POST | True | False |
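To see why the table comes out this way, and why the client-only policy from the first part of this page accepts `GET {{base}}/fhir/Patient` but rejects the `POST`, here is a small evaluator that replays the three matcho policies on this page against constructed request contexts. This is an added example written for this page, not Aidbox's matcho engine: it implements only the operators these policies use (`$contains`, `$enum`, the `#` regex prefix, nested maps and constant equality), the request-context shape (`client`, `user`, `uri`, `request-method`) is assumed from the keys the policies reference, and the two user records mirror the users created above.

```python
import re

# The three policies from this page, transcribed into Python dicts.
POLICIES = {
    "policy-for-postman": {
        "client": {"id": "postman"},
        "uri": "#^/fhir/.*",  # "#" prefix marks a regular expression
        "request-method": "get",
    },
    "policy-for-postman-users-role-patient": {
        "user": {"data": {"roles": {"$contains": "Patient"}}},
        "client": {"id": "postman"},
        "request-method": "get",
    },
    "policy-for-postman-users-role-administrator": {
        "request-method": {"$enum": ["get", "post", "put", "delete", "patch"]},
        "user": {"data": {"roles": {"$contains": "Administrator"}}},
        "client": {"id": "postman"},
    },
}

# Constructed user records mirroring the two users created on this page.
USERS = {
    "user1": {"id": "user1", "data": {"roles": ["Administrator", "Doctor"]}},
    "user2": {"id": "user2", "data": {"roles": ["Patient"]}},
}


def matcho(pattern, value):
    """Return True when `value` satisfies `pattern` (simplified matcho rules).

    - a dict pattern matches a dict value key by key; extra keys are ignored
    - {"$contains": x} matches a list that contains x
    - {"$enum": [...]} matches a value equal to one of the alternatives
    - a string starting with "#" is a regular expression
    - anything else must be equal to the value
    """
    if isinstance(pattern, dict):
        if "$contains" in pattern:
            return isinstance(value, list) and pattern["$contains"] in value
        if "$enum" in pattern:
            return value in pattern["$enum"]
        if not isinstance(value, dict):
            return False
        return all(matcho(sub, value.get(key)) for key, sub in pattern.items())
    if isinstance(pattern, str) and pattern.startswith("#"):
        return isinstance(value, str) and re.search(pattern[1:], value) is not None
    return pattern == value


def request_context(method, uri, user=None, client_id="postman"):
    """Build the request context a policy is evaluated against (assumed shape)."""
    ctx = {"client": {"id": client_id}, "request-method": method, "uri": uri}
    if user is not None:
        ctx["user"] = USERS[user]
    return ctx


def evaluate(ctx):
    """Per-policy result, the kind of breakdown `__debug=policy` shows."""
    return {name: matcho(pattern, ctx) for name, pattern in POLICIES.items()}


def is_allowed(ctx):
    """A request succeeds if at least one policy matches."""
    return any(evaluate(ctx).values())


def results_table():
    """Reproduce the Request/User table above for /fhir/Patient."""
    return {
        (user, method): is_allowed(request_context(method, "/fhir/Patient", user))
        for user in USERS
        for method in ("get", "post")
    }


if __name__ == "__main__":
    for (user, method), allowed in results_table().items():
        print(method.upper(), user, allowed)
    # Client-only requests (no user) are covered by policy-for-postman alone:
    print(evaluate(request_context("get", "/fhir/Patient")))
    print(evaluate(request_context("post", "/fhir/Patient")))
    print(evaluate(request_context("get", "/Patient")))  # outside /fhir/: denied
```

Note that the two role policies carry no `uri` constraint, so once a user token is presented they grant access to any path the method allows; only the client-only policy restricts requests to `/fhir/`. That is worth checking with `__debug=policy` before reusing these policies beyond this tutorial.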
See the full documentation for the Resource Owner Credentials Grant.