Relationship-based access control
Learn how to enable ReBAC in Aidbox with AccessPolicy
Last updated
Was this helpful?
Learn how to enable ReBAC in Aidbox with AccessPolicy
Last updated
Was this helpful?
This tutorial is using zen and it is outdated.
Throughout this tutorial, we’ll walk you through the implementation of basic relationship-based access control model in Aidbox. We’ll assume you have Aidbox up & running already or .
In this tutorial we will
model authorization for our sample application called Research Study Repository
implement that authorization model in Aidbox with AccessPolicy engine.
We will model access for an example application called Research study repository. The system is going to give researchers an access to research studies and related patient records.
Our security policy says:
User has access to all studies they collaborate on and to all patient records within those studies.
Authorization model that best suits our task is (ReBAC). It states that 'subject's permission to access a resource is defined by the presence of relationships between those subjects and resources'.
We will focus only on read access, expecting that all data is uploaded. We will upload prepared sample data later on implementation section.
But before we dive into defining authorization, let's discuss our data model and UI we are going to provide our users. Good data model and UI leads to easier authorization.
The core entity of our application will be a research study. There is , which describes 'a process where a researcher or organization plans and then executes a series of steps intended to increase the field of healthcare-related knowledge'.
ResearchStudy doesn't have references to collaborators. So, we will introduce one and make a linkage with Aidbox User.
As ResearchStudy resource is a core of our model, it's reasonable to make the list of available studies a starting point on UI. So we may imagine user's flow within UI.
Researcher enters the system and see the list of studies, they involved into as a collaborator.
They can drill down to a study to see details and search over related patients and observations.
Once we defined our data model, UI pages and FHIR requests, we may start implementing this.
As we mentioned earlier, FHIR ResearchStudy doesn't have references to collaborators. It's good to start with enabling this reference.
Aidbox is ready to store our data, and we prepared data samples, so we could test our access policies. You can use the request below to upload sample data.
The picture below, demonstrates the key data we uploaded. Jane has access to 'Smoking research', and both users have access to 'Diet research'.
Now, we are ready to define available enpoints and write AccessPolicy for them.
The endpoint to fetch all user's research studies is
AccessPolicy:
Let's check it.
The endpoint to fetch research study details is
It's not possible find out if current user is a collaborator on this study or not by only research study id . Fortunately, Aidbox AccessPolicy supports sql engine, which allows you to make your authorization decisions based on data you have.
Let's check it.
We have secured one more endpoint. There are only two left.
The endpoint to fetch all patients by group is
You may have a lot of questions to this request.
what does mean _has:Group:member:_id and
where do we know group id if we don't have access to Group resource?
_has:Group:member:_id?The
_hasparameter provides limited support for reverse chaining - that is, selecting resources based on the properties of resources that refer to them...
This requests the server to return Patient resources, where the patient resource is referred to by at least one Group with id <group-id>, and where the Group refers to the patient resource in the member search parameter.
Technically we don't need to have access to Group resource, we need only to know group id. And group id is available from ResearchStudy resource, we already have access to.
Thus, we may conclude the request is suitable for our needs. the AccessPolicy should check existence of ResearchStudy with that <group-id> and user-id in collaborators.
Let's check it.
Search for patient endpoint is secured. The only one is left.
The endpoint to fetch all observation by group is
There is no group search parameter for Observation in FHIR. And there is no way to define our parameter with SearchParameter resource.
The AccessPolicy will be very similar to previous one, we made for Patient search.
Let's check it.
Search for observation endpoint is secured for now. All endpoints are secured.
Let's recap, what we have done. There was a security policy, which stated:
User has access to all studies they collaborate on and to all patient records within those studies.
And we met this requirement using ReBAC authorization model. In order to achieve this we
defined domain model resources, UI pages and FHIR endpoints for our application,
and we developed access policies in Aidbox to secured the endpoints.
ResearchStudy references to Group of patients invloved in the research with element. Patient record is represented by two resources Patient and Observation.
There are many ways you can customize your data model with Aidbox. We will do this by creating .
There is an HTTP request below for creating Attribute/ResearchStudy.collaborator. You can perform this request in .
If you use zen profiles, Attribute resources will be disabled. Thus, you will need to define your attributes in .
FHIR doesn't have search parameter collaborator. Aidbox allows you to define one with .
Read more on .
We have secured endpoint for fetching list of studies. Note, that all is also available.
The _has parameter is a one of standard search parameters in FHIR, called . FHIR specification says:
The _has parameter always goes with , which specify the search parameter. Let's get back and read the request we have.
To enable complex search parameters, Aidbox provides resource. We will specify one for search Observations by group:
FHIR R5 is going to introduce chained-search support for . So, our request would look like the following
Writing access policies may be tricky some time, Aidbox has tooling to .
