Since Aidbox version 2412, to enable OrgBAC in FHIRSchema mode, use:

BOX_SECURITY_ORGBAC_ENABLED=true

The Zen configuration approach below is deprecated. For new projects, use the environment variable above.

If your Aidbox version is lower or you do not use FHIRSchema mode, use the Aidbox Configuration project and import the aidbox.multitenancy.v1.fhir-r4 or aidbox.multitenancy.v1.fhir-r5 namespace.

Add aidbox.multitenancy.v1.fhir-r4 to the import section.

zrc/main.edn
{ns main
 import #{aidbox
          aidbox.multitenancy.v1.fhir-r4 ;; import multitenancy
          config}
 
 box
 {:zen/tags #{aidbox/system}
  :config   config/base-config
  :services {:admin-user-seed config/admin-user-seed
             :root-client-seed config/root-client-seed}}}

Ensure the hierarchical access control works

Create nested Organization resources

Use Aidbox UI Rest Console to create nested Organization resources.

Root organization

status: 201 (created)
PUT /fhir/Organization/org-a

name: Organization A

Child organization

status: 201 (created)
PUT /fhir/Organization/org-b

partOf:
  reference: Organization/org-a
name: Organization B

Grandchild organization

status: 201 (created)
PUT /fhir/Organization/org-c

partOf:
  reference: Organization/org-b
name: Organization C

You should now have 3 nested organizations:

org-a
└── org-b
   └── org-c

Create resource in the Organization B

Use Aidbox UI Rest Console to create a Patient resource in Organization B.

status: 201 (created)
PUT /Organization/org-b/fhir/Patient/pt-1

Check access control works

Patient is visible from the Organization above (org-a)

status: 200
GET /Organization/org-a/fhir/Patient/pt-1

Patient is visible from its Organization (org-b)

status: 200
GET /Organization/org-b/fhir/Patient/pt-1

Patient is not visible from the nested Organization (org-c)

status: 403
GET /Organization/org-c/fhir/Patient/pt-1

Configuring AccessPolicies

To allow a user or client to interact with organization-based resources, an AccessPolicy should be configured to check the organization id from the https://aidbox.app/tenant-organization-id extension of the User/Client resource.

This example allows an org-based user (created by PUT /Organization/<org-id>/fhir/User) to see patients that are also created in the same organization.

PUT /AccessPolicy/as-user-allow-org-patients

description: A user should be able to get every patient in their organization.
engine: matcho
matcho:
  params:
    resource/type: Patient
  request-method: get
  user:
    meta:
      extension:
        $contains:
          url: https://aidbox.app/tenant-organization-id
          value:
            Reference:
              id: .params.organization/id
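As an added example that is not part of Aidbox or this page, the following Python models both checks shown above: the hierarchical visibility rule (a Patient created under org-b is readable from org-a and org-b but not from org-c) and the matcho AccessPolicy gate on the user's tenant-organization-id extension. All organizations, resources and users are constructed; the 404 status for an unknown organization or resource is an assumption, since the page only shows 200 and 403.

```python
# Offline model of the OrgBAC checks on this page (added example, not Aidbox code).
# Constructed data mirrors the page: org-a -> org-b -> org-c, Patient pt-1 under org-b.
TENANT_EXT = "https://aidbox.app/tenant-organization-id"

# Constructed Organization resources: id -> parent id (partOf) or None for the root.
ORGANIZATIONS = {"org-a": None, "org-b": "org-a", "org-c": "org-b"}

# Constructed resources created via PUT /Organization/<org>/fhir/<type>/<id>: owner org.
RESOURCES = {("Patient", "pt-1"): "org-b"}


def ancestors(org_id, orgs=ORGANIZATIONS):
    """[org_id, parent, grandparent, ...] following partOf; stops on unknown ids or cycles."""
    chain, seen = [], set()
    while org_id in orgs and org_id not in seen:
        seen.add(org_id)
        chain.append(org_id)
        org_id = orgs[org_id]
    return chain


def is_visible(scope_org, owner_org, orgs=ORGANIZATIONS):
    """OrgBAC rule: visible from scope_org iff the owner is scope_org or nested under it."""
    return scope_org in ancestors(owner_org, orgs)


def policy_allows(user, params):
    """Model of the page's matcho AccessPolicy: the user's tenant-organization-id
    extension must reference the organization id taken from the request path."""
    for ext in user.get("meta", {}).get("extension", []):
        value_id = ext.get("value", {}).get("Reference", {}).get("id")
        if ext.get("url") == TENANT_EXT and value_id == params.get("organization/id"):
            return True
    return False


def get(scope_org, rtype, rid, user=None, orgs=ORGANIZATIONS, resources=RESOURCES):
    """Simulate GET /Organization/<scope_org>/fhir/<rtype>/<rid> -> HTTP-like status.
    Assumed codes: 403 when the policy denies or the org scope cannot see the resource,
    404 for an unknown organization or resource (the page shows only 200 and 403)."""
    if user is not None and not policy_allows(user, {"organization/id": scope_org,
                                                     "resource/type": rtype}):
        return 403
    if scope_org not in orgs or (rtype, rid) not in resources:
        return 404
    return 200 if is_visible(scope_org, resources[(rtype, rid)], orgs) else 403
```

Calling get("org-a", "Patient", "pt-1"), get("org-b", ...) and get("org-c", ...) without a user reproduces the 200, 200, 403 sequence from the page; passing a user whose extension points at org-b additionally denies the org-a request, because the policy requires the path organization to match the user's own.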
