description |
---|
This article shows how to create a user for a practitioner and allow practitioners to read patients data. |
Aidbox provides role-based access control mechanism based on access policies and Role
resource.
Each Role
resource assigns a role to a User.
AccessPolicy
resource has an optional roleName
property. Aidbox applies access policy with roleName
specified only to users which have the corresponding role assigned.
{% content-ref url="../how-to-guides/rbac/role-based-access-policies.md" %} role-based-access-policies.md {% endcontent-ref %}
POST /Patient
id: pt-1
resourceType: Patient
name:
- given:
- John
Create a user containing practitioner
role.
POST /User
id: user-1
resourceType: User
roles:
- value: practitioner
Create an access policy which allows practitioners to read patients data.
POST /AccessPolicy
id: practitioner-role
resourceType: AccessPolicy
engine: matcho
matcho:
user:
roles:
- value: practitioner
uri: '#/Patient/.*'
request-method: get
{% hint style="info" %}
Please note that if you like to add multiple request methods when using matcho engine you should use $one-of
notation:
request-method:
$one-of:
- get
- post
- put
{% endhint %}
Log in as user-1
.
Read patient data
GET /Patient/pt-1
Aidbox will return you a Patient resource.
When you make a query
GET /Patient/pt-1
Aidbox router stores data in the request object:
- Uri
/Patient/pt-1
in theuri
property. - Method
get
in therequest-method
property. - User data in
user
property. In particularuser.roles[].value
contains user roles.
Access policy engine evaluates request object. And here it checks that user.roles[].value
property contains practitioner
string.
You can inspect request object using __debug
query parameter.