Security & Access Control settings

Grant page URL

URL of the consent screen. A consent screen is an interface presented to a user during the authorization code grant flow.

ID: security.grant-page-url
Type: String
Default value: /auth/grant
Environment variable: BOX_SECURITY_GRANT_PAGE_URL
Deprecated environment variables: BOX_AUTH_GRANT__PAGE__URL
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Enable FHIR Audit Log

Generates structured audit logs in FHIR R4 AuditEvent format (audit logs are not generated for other FHIR versions).

ID: security.audit-log.enabled
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_AUDIT_LOG_ENABLED
Deprecated environment variables: AIDBOX_SECURITY_AUDIT__LOG_ENABLED
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

Audit Log repository URL

Full URL of the external destination where Aidbox streams all audit events. Before setting the URL, you must enable the audit log in Aidbox. If the audit log is enabled but no repository URL is specified, Aidbox stores audit events in the PostgreSQL database.

ID: security.audit-log.repository-url
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_AUDIT_LOG_REPOSITORY_URL
Available from: 2506
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

Audit Log flush interval

Interval, in milliseconds, at which audit events are flushed to the Audit Log repository.

ID: security.audit-log.flush-interval
Type: Int
Default value: 5000
Environment variable: BOX_SECURITY_AUDIT_LOG_FLUSH_INTERVAL
Available from: 2506
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

Audit Log maximum flush interval

If sending the audit event to the repository fails, the send interval gradually increases up to this value.

ID: security.audit-log.max-flush-interval
Type: Int
Default value: 60000
Environment variable: BOX_SECURITY_AUDIT_LOG_MAX_FLUSH_INTERVAL
Available from: 2507
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Audit Log batch count

Maximum number of audit events in one Audit Log batch (FHIR Bundle entry count).

ID: security.audit-log.batch-count
Type: Int
Default value: 1000
Environment variable: BOX_SECURITY_AUDIT_LOG_BATCH_COUNT
Available from: 2506
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

Audit Log request headers

The headers for Audit Log external repository requests, formatted as HeaderName:HeaderValue\nHeaderName:HeaderValue.

ID: security.audit-log.request-headers
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_AUDIT_LOG_REQUEST_HEADERS
Available from: 2506
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Enable access control for mapping

Enables access control for the /Mapping/<mapping-id>/$apply operation. If enabled, access control is applied to the resulting transaction. If disabled, only access to the $apply endpoint is verified.

ID: security.iam.mapping.enable-access-control
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_IAM_MAPPING_ENABLE_ACCESS_CONTROL
Deprecated environment variables: BOX_FEATURES_MAPPING_ENABLE__ACCESS__CONTROL
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Encryption API secret

Secret key for the encryption API.

ID: security.encrypt-secret
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_ENCRYPT_SECRET
Deprecated environment variables: AIDBOX_ENCRYPT_KEY
Sensitive: true — value will be masked in Admin UI
Set via: Environment variables
Hot reload: true — setting can be changed at runtime

Allow CORS requests

Enable Cross-Origin Resource Sharing (CORS) request handling.

ID: security.cors.enabled
Type: Bool
Default value: true
Environment variable: BOX_SECURITY_CORS_ENABLED
Deprecated environment variables: BOX_WEB_CORS_ENABLED
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Allow CORS requests from origins

Comma-separated list of origins in the form [schema]://[domain]:[port]. The default is the wildcard value "*".

ID: security.cors.origins
Type: String
Default value: *
Environment variable: BOX_SECURITY_CORS_ORIGINS
Deprecated environment variables: BOX_WEB_CORS_ORIGINS
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Content security policy header

Defines the Content Security Policy (CSP) header to enhance security by restricting resource loading. It specifies the policies for loading scripts, styles, media, fonts, and other resources.

Refer to the OWASP Content Security Policy Cheat Sheet

Recommended value:

default-src 'self'; script-src 'report-sample' 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'report-sample' 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; frame-ancestors 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'self';

ID: security.content-security-policy-header
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_CONTENT_SECURITY_POLICY_HEADER
Deprecated environment variables: AIDBOX_CONTENT_SECURITY_POLICY_HEADER
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Skip JWT validation

Skips the JWT validation process.

ID: security.skip-jwt-validation
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_SKIP_JWT_VALIDATION
Deprecated environment variables: BOX_FEATURES_AUTHENTICATION_SKIP__JWT__VALIDATION
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

JWT public key

The RS256 signing algorithm requires a private key for signing JWTs and a public key for verifying them.

ID: security.auth.keys.public
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_AUTH_KEYS_PUBLIC
Deprecated environment variables: BOX_AUTH_KEYS_PUBLIC
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

JWT private key

The RS256 signing algorithm requires a private key for signing JWTs and a public key for verifying them.

ID: security.auth.keys.private
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_AUTH_KEYS_PRIVATE
Deprecated environment variables: BOX_AUTH_KEYS_PRIVATE
Sensitive: true — value will be masked in Admin UI
Set via: Environment variables
Hot reload: false — setting requires system restart

JWT secret

The HS256 signing algorithm needs only a single secret for both signing and verification.

ID: security.auth.keys.secret
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_AUTH_KEYS_SECRET
Deprecated environment variables: BOX_AUTH_KEYS_SECRET
Sensitive: true — value will be masked in Admin UI
Set via: Environment variables
Hot reload: false — setting requires system restart

Auto-create users from foreign tokens

Creates local user accounts automatically when valid external JWT tokens are presented but no matching user exists.

ID: security.introspection-create-user
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_INTROSPECTION_CREATE_USER
Deprecated environment variables: BOX_FEATURES_AUTHENTICATION_INTROSPECTION_CREATE__USER
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Auth with non-validated JWT

This configuration is used when the skip-jwt-validation setting is enabled. It is a string containing an EDN object with :headers and :user-id-paths keys. For example: {:headers #{"authorization" "x-client-token"}, :user-id-paths #{[:authorization :user_id] [:my-client-token :user :id]}}

ID: security.auth-with-not-validated-jwt
Type: String
Default value: (no default)
Environment variable: BOX_SECURITY_AUTH_WITH_NOT_VALIDATED_JWT
Deprecated environment variables: BOX_FEATURES_AUTHENTICATION_AUTH__WITH__NOT__VALIDATED__JWT
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

Enable LBAC

Label-based Access Control engine provides a mechanism to restrict access to bundles, resources, or resource elements depending on permissions associated with a request.

ID: security.lbac.enabled
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_LBAC_ENABLED
Deprecated environment variables: BOX_FEATURES_SECURITY__LABELS_ENABLE
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Strip security labels

Removes security labels from resource responses before returning them to clients. When enabled, prevents sensitive security metadata from being exposed in API responses while maintaining access control enforcement internally. Useful for hiding security implementation details from end users.

ID: security.lbac.strip-labels
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_LBAC_STRIP_LABELS
Deprecated environment variables: BOX_FEATURES_SECURITY__LABELS_STRIP__LABELS
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Enable organization-based hierarchical access control

Activates hierarchical access control based on organizational structure. Restricts user access to resources based on their organizational affiliation and hierarchy position.

ID: security.orgbac.enabled
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_ORGBAC_ENABLED
Deprecated environment variables: BOX_FEATURES_ORGBAC_ENABLE
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: false — setting requires system restart

Enable SU header

This setting enables SU header functionality. SU header allows a user to substitute User ID for the duration of the request. Only the administrator is allowed to use the SU header.

ID: security.debug-su-enable
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_DEBUG_SU_ENABLE
Deprecated environment variables: BOX_DEBUG_SU_ENABLE
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime

Enable Aidbox developer mode

Activates debugging features for access policy development, including the _debug=policy URL parameter and x-debug header. Returns detailed policy evaluation traces showing why requests were allowed or denied. For development environments only - not recommended for production systems.

ID: security.dev-mode
Type: Bool
Default value: false
Environment variable: BOX_SECURITY_DEV_MODE
Deprecated environment variables: AIDBOX_DEV_MODE
Sensitive: false — value will be visible in plaintext in Admin UI
Set via: Admin UI → Settings, Environment variables
Hot reload: true — setting can be changed at runtime
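
Added example, not part of the Aidbox documentation: a pre-deployment check in Python that reads the environment variables listed on this page and reports values, defaults included, that a production deployment should review. The function names, the "true"/"false" spelling of Bool values and the sample environment are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

P = "BOX_SECURITY_"
RISKY_WHEN_ON = {  # Bool settings that default to false and weaken production when true
    "SKIP_JWT_VALIDATION": "JWT validation is skipped",
    "DEV_MODE": "policy debug traces are returned to callers",
    "DEBUG_SU_ENABLE": "SU header (user ID substitution) is on",
}

def is_on(env, name, default="false"):
    # Assumption: Bool settings are written as the strings "true"/"false".
    return env.get(P + name, default).strip().lower() == "true"

def bad_origins(value):
    """Entries that are neither "*" nor [schema]://[domain]:[port]."""
    def ok(o):
        u = urlsplit(o)
        return o == "*" or bool(u.scheme in ("http", "https") and u.hostname
                                and not (u.path or u.query or u.fragment))
    return [o.strip() for o in value.split(",") if not ok(o.strip())]

def audit(env):
    """Return (variable, finding) pairs for a production deployment."""
    out = [(P + n, msg) for n, msg in RISKY_WHEN_ON.items() if is_on(env, n)]
    if not is_on(env, "AUDIT_LOG_ENABLED"):
        out.append((P + "AUDIT_LOG_ENABLED", "audit log is disabled"))
        if env.get(P + "AUDIT_LOG_REPOSITORY_URL"):
            out.append((P + "AUDIT_LOG_REPOSITORY_URL", "URL set but audit log is off"))
    if "authorization:" in env.get(P + "AUDIT_LOG_REQUEST_HEADERS", "").lower():
        out.append((P + "AUDIT_LOG_REQUEST_HEADERS", "credential is shown in plaintext in Admin UI"))
    if not env.get(P + "CONTENT_SECURITY_POLICY_HEADER"):
        out.append((P + "CONTENT_SECURITY_POLICY_HEADER", "no CSP header configured"))
    if is_on(env, "CORS_ENABLED", default="true"):
        origins = env.get(P + "CORS_ORIGINS", "*")
        if "*" in (o.strip() for o in origins.split(",")):
            out.append((P + "CORS_ORIGINS", "wildcard origin is allowed"))
        out += [(P + "CORS_ORIGINS", "malformed origin: " + o) for o in bad_origins(origins)]
    return out

# Constructed sample environment, not taken from a real deployment.
SAMPLE = {
    P + "SKIP_JWT_VALIDATION": "true",
    P + "AUDIT_LOG_REPOSITORY_URL": "https://audit.example.org/fhir",
    P + "CORS_ORIGINS": "https://app.example.org:8443, app.example.org",
}

if __name__ == "__main__":
    for variable, finding in audit(SAMPLE):
        print(f"{variable}: {finding}")
```

Calling audit({}) shows what the documented defaults alone leave open: audit log off, no CSP header, and a wildcard CORS origin.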

Last updated 2025-08-05T16:35:10Z