Policies

Overview

Policy is a JSON schema filtering REST requests. A request succeeds if at least one of the policies is valid for it.

Policies UI Guide

General Information

Let's consider the work of the Basic template. Here is the JSON schema of the template:

{  "type": "object",  "properties": {    "method": {      "constant": "GET"    },    "uri": {      "type": "string",      "pattern": "/fhir.*"    }  } }

In this schema two constraints are introduced:

  1. it is allowed to use only the GET method;
  2. it is allowed to use only request URIs starting with "/fhir".

Below the template selection element there is a tool for debugging. This tool consists of the following elements:

  • HTTP-method selection (GET, POST, PUT, DELETE);
  • command line for entering address, starting with /fhir (implying the base server address going before the slash);
  • the Debug button;
  • the Request Body area.

The Request Body area is used for displaying the request, the schema and the result with errors and warnings if any. 

For debugging the magic key __debug=true is used, so only request validation is performed, and the requests themselves are not executed. 

Let's perform the following tests to check our Basic template:

Positive:

  1. select the GET method
  2. enter the URI /fhir/Patient
  3. click the Debug button
clojure.lang.LazySeq@4380bb9a
clojure.lang.LazySeq@4380bb9a
  1. Part 'result' shows that there are no errors
clojure.lang.LazySeq@4380bb9a

Negative:

  1. select the POST method
  2. enter the URI /users
  3. click the Debug button
clojure.lang.LazySeq@4380bb9a
  1. Part result shows that there are two errors:
  • POST method is used and only GET method is allowed
  • URI should start with /fhir, but it starts with /users
clojure.lang.LazySeq@4380bb9a

How to add a new policy rule

  1. Open the Policies tab
  2. Click the 'Create new item' button
clojure.lang.LazySeq@4380bb9a
  1. Fill in the fields Id, Title, Type, Policy. The 'Policy' field is used to enter a JSON schema. By default the Policy field is preset to the Basic template, you can select another template from available Basic, Advanced and Pro templates
  2. Click the Create button
clojure.lang.LazySeq@4380bb9a

Built-in Help

  1. Click the Help button to get information about possible schema parameters
clojure.lang.LazySeq@4380bb9a
  1. Click the Close button to return to editing policy
clojure.lang.LazySeq@4380bb9a

Search by policy rule

  1. To search by policy rule, simply enter the search text in the filter field.
clojure.lang.LazySeq@4380bb9a
  1. Records in the list will be immediately filtered according to your entry.
clojure.lang.LazySeq@4380bb9a

How to edit a policy rule

  1. Select required policy rule record in the list
  2. Perform necessary editing
  3. Click the Save button
clojure.lang.LazySeq@4380bb9a
clojure.lang.LazySeq@4380bb9a

How to delete a policy rule

  1. Select required policy rule record in the list
  2. Click the Delete button
  3. The record will be deleted without confirmation
clojure.lang.LazySeq@4380bb9a
clojure.lang.LazySeq@4380bb9a

Note: A request succeeds if at least one of the policies is valid for it.

Examples

Allow everything

_Note:_Empty schema allows everything and is not recommended to use.

{}

Read-only access to everything

{  "type" : "object",  "properties" : {   "title" : "Read-only access to everything",    "method" : {      "enum" : [ "GET" ]    }  } }

Access for a client with client_id = site

{ "required" : [ "client" ], "properties" : {   "client" : {     "type" : "object",     "properties" : {       "client_id" : {         "constant" : "site"       }     }   } } }

Allow access for the 'Users' group

{  "required" : [ "user" ],  "properties" : {    "uri" : {      "type" : "string",      "anyOf" : [ {        "pattern" : "/users"      }, {        "pattern" : "/fhir/.+"      } ]    },    "user" : {      "type" : "object",      "required" : [ "groups" ],      "properties" : {        "groups" : {          "not" : {            "items" : {              "properties" : {                "name" : {                  "not" : {                    "enum" : [ "Users" ]                  }                }              }            }          },          "type" : "array",          "items" : {            "type" : "object",            "required" : [ "name" ]          },          "minItems" : 1        }      }    },    "method" : {      "enum" : [ "GET" ]    }  } }

Allow access for all clients

{  "required" : [ "client" ],  "properties" : {    "client" : {      "type" : "object"    }  } }

Checks that user has specific email and at least one group

{  "type" : "object",  "required" : [ "user" ],  "properties" : {    "user" : {      "required" : [ "email", "groups" ],      "properties" : {        "email" : {          "enum" : [ "boxuser1@gmail.com" ]        },        "groups" : {          "type" : "array",          "minItems" : 1        }      }    }  } }

Checks that user has at least one group

{  "required" : [ "user" ],  "properties" : {    "user" : {      "type" : "object",      "required" : [ "groups" ],      "properties" : {        "groups" : {          "type" : "array",          "minItems" : 1        }      }    }  } }

Set access rights for administrators

{  "required" : [ "user" ],  "properties" : {    "uri" : {      "type" : "string",      "title" : "Any string",      "pattern" : ".+"    },    "user" : {      "type" : "object",      "required" : [ "groups" ],      "properties" : {        "groups" : {          "not" : {            "items" : {              "required" : [ "name" ],              "properties" : {                "name" : {                  "not" : {                    "enum" : [ "Administrators" ]                  }                }              }            }          },          "description" : "Should be in Administrators group"        }      }    },    "method" : {      "enum" : [ "GET", "POST", "PUT", "DELETE", "OPTION", "PATCH", "HEAD" ]    }  } }