Since Aidbox version 2412, to enable OrgBAC in FHIRSchema mode, use:
BOX_FEATURES_ORGBAC_ENABLE=true
If your Aidbox version is lower or you do not use FHIRSchema mode, use and import the aidbox.multitenancy.v1.fhir-r4 or aidbox.multitenancy.v1.fhir-r5 namespace.
Add aidbox.multitenancy.v1.fhir-r4 to the import section.
Use the Aidbox UI REST Console to create nested Organization resources.
Root organization
status: 201 (created)
PUT /fhir/Organization/org-a
name: Organization A
Child organization
status: 201 (created)
PUT /fhir/Organization/org-b
partOf:
  reference: Organization/org-a
name: Organization B
Grandchild organization
status: 201 (created)
PUT /fhir/Organization/org-c
partOf:
  reference: Organization/org-b
name: Organization C
You should now have 3 nested organizations:
org-a
└── org-b
    └── org-c
Create a resource in Organization B
Use the Aidbox UI REST Console to create a Patient resource in Organization B.
status: 201 (created)
PUT /Organization/org-b/fhir/Patient/pt-1
Check that access control works
The Patient is visible from the parent Organization (org-a)
status: 200
GET /Organization/org-a/fhir/Patient/pt-1
The Patient is visible from its own Organization (org-b)
status: 200
GET /Organization/org-b/fhir/Patient/pt-1
The Patient is not visible from the child Organization (org-c)
status: 403
GET /Organization/org-c/fhir/Patient/pt-1
Configuring AccessPolicies
To allow a user or client to interact with organization-based resources, an AccessPolicy should be configured that checks the organization id from the https://aidbox.app/tenant-organization-id extension of the User or Client resource.
This example allows an org-based user (created via PUT /Organization/<org-id>/fhir/User) to see patients that were also created through OrgBAC.
PUT /AccessPolicy/as-user-allow-org-patients

description: A user should be able to get every patient in their organization.
engine: matcho
matcho:
  params:
    resource/type: Patient
  request-method: get
  user:
    meta:
      extension:
        $contains:
          url: https://aidbox.app/tenant-organization-id
          value:
            Reference:
              id: .params.organization/id
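As an added example (not Aidbox's own matcho engine), here is a small Python evaluator for the subset of matcho this policy uses, run against constructed request objects: it shows the policy admitting a user whose tenant-organization-id extension matches the organization in the request URL, and rejecting a user whose extension points at another organization, a non-GET method, or a user with no such extension. The shape of the request object (request-method, params with organization/id, user.meta.extension) is an assumption.

```python
# Added example: a minimal evaluator for the matcho subset used by the
# policy above. It is NOT Aidbox's engine; the request shape is an assumption.
TENANT_EXT = "https://aidbox.app/tenant-organization-id"

POLICY = {
    "params": {"resource/type": "Patient"},
    "request-method": "get",
    "user": {"meta": {"extension": {"$contains": {
        "url": TENANT_EXT,
        "value": {"Reference": {"id": ".params.organization/id"}},
    }}}},
}

def resolve(value, request):
    """A pattern string starting with '.' is a path into the request object."""
    if isinstance(value, str) and value.startswith("."):
        node = request
        for key in value[1:].split("."):
            node = node.get(key) if isinstance(node, dict) else None
        return node
    return value

def match(pattern, data, request):
    """Structural match: every pattern key must match; '$contains' needs at
    least one list element to match; scalars compare by equality."""
    if isinstance(pattern, dict):
        if "$contains" in pattern:
            return isinstance(data, list) and any(
                match(pattern["$contains"], item, request) for item in data)
        if not isinstance(data, dict):
            return False
        return all(match(v, data.get(k), request) for k, v in pattern.items())
    return resolve(pattern, request) == data

def evaluate(policy, request):
    """True when the policy pattern matches the whole request object."""
    return match(policy, request, request)

def make_request(url_org, user_org=None, method="get"):
    """Constructed request for <method> /Organization/<url_org>/fhir/Patient/pt-1
    by a user whose tenant-organization-id extension points at user_org."""
    extension = [] if user_org is None else [
        {"url": TENANT_EXT, "value": {"Reference": {"id": user_org}}}]
    return {
        "request-method": method,
        "params": {"resource/type": "Patient", "resource/id": "pt-1",
                   "organization/id": url_org},
        "user": {"meta": {"extension": extension}},
    }
```

Note that this policy only admits requests addressed to the user's own organization URL; the parent/child visibility shown in the checks above is enforced by OrgBAC itself, not by the AccessPolicy.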