Role-Based Access Control
Aidbox provides role-based access control mechanism based on access policies and Role resource.
Each Role resource assigns a role to a user. Access Policy resource has an optional roleName
property. Aidbox applies access policy with roleName
specified only to users which have the corresponding role assigned.
This article demonstrates how to create a user for a practitioner and allow practitioners to read their own data.
Create a practitioner
Create a user
Aidbox does not store any role information in a User resource. So create a user as usual.
Create a Role resource
Role name is a string that defines role. You don't need to declare it explicitly. Role resource links a role and a user.
Role resource has an optional links property which specifies related resources. Aidbox does not assign any special meaning to this property. Additionally, Role is an open resource so you can add any information to it.
You can put any additional data into context
property.
Create a Role resource which assigns a role to the user we created.
If you need to assign same role to multiple users then just create multiple Role resources with same name
property.
Create an access policy
AccessPolicy resource has a roleName
property. This property specifies the role name for the policy. Access policy with a role name is applied only users with the corresponding role.
Create an access policy which allows practitioners to read their own data
Try it
Log in as user-1
.
Read your data
Aidbox will return you a Practitioner resource.
What's going on here
When you make a query
Aidbox router stores data in the request object:
Uri
/Practitioner/pr-1
in theuri
property.Method
get
in therequest-method
property.path parameter
pr-1
in theparams.resource/id
property.
Aidbox applies access policy with roleName
property only if a role with corresponding name
is assigned to user. In this case Aidbox adds the corresponding Role resource to the role
property of the request object.
Access policy engine evaluates request object. And here it checks that params.resource/id
property is equal to role.links.practitioner.id
property.
You can inspect request object using __debug
query parameter.
Role resource schema
Last updated