Aidbox
Aidbox
Aidbox.Dev
Aidbox.Cloud
Aidbox.One
Fhirbase
Aidbox
Features
Editions & Pricing
Release Notes
Installation
Basics
Advanced
Auth
Access Control
Access Policies
Role-Based Access Policies
🎓 Access Control
Terminology
Aidbox SDK
Tutorials
Administration
Powered by GitBook

Role-Based Access Policies

User can interact with system in some context. For example as a Patient. You need resource to store this context information (i.e. patient_id or practitioner_id for example). The simplest approach store this info in User resource, by extending it or using generic User.data element. This information will be available for AccessPolicies, because user resource is a part of request context. Here is example access policy for patient/user:

---
resourceType: User
id: user-1
data:
  patient_id: pt-1
​
---  
resourceType: Policy
engine: matcho
matcho:
  uri: '#/Patient/.*'
  request-method: get
  params:
    # this is parameter. which is set into resource.id
    resource/id: .user.data.patient_id

The problem with this approach can appear, if you want to allow user update his User resource. Or for multi-tenant systems, where users can be part of multiple organisations or departments, he/she can potentially interact with a system in different roles. You can imagine Outpatient EHR with multiple locations and physicians, who can work in some of this locations. Aidbox provides you with Role resource, which can keep this context information and integrated with Access Control engine in a sophisticated way. Let's say we have multi-organisation system with users, who can play different roles in different organisations.

​

Previous
Access Policies
Next
🎓 Access Control
Last updated 1 week ago