How to enable hierarchical access control
This guide explains how to enable multi-tenancy on Organization resources.
Since Aidbox version 2412, to enable OrgBAC in FHIRSchema mode, use:
BOX_SECURITY_ORGBAC_ENABLED=true
The Zen configuration approach below is deprecated. For new projects, use the environment variable above.
If your Aidbox version is lower or you do not use FHIRSchema mode, use the Aidbox Configuration project and import the aidbox.multitenancy.v1.fhir-r4 or aidbox.multitenancy.v1.fhir-r5 namespace.
Add aidbox.multitenancy.v1.fhir-r4 (or the fhir-r5 namespace) to the import section.
Verify that hierarchical access control works
Create nested Organization resources
Use the Aidbox UI REST Console to create nested Organization resources.
Root organization
Child organization
Grandchild organization
You should now have three nested organizations:
org-a
└── org-b
    └── org-c
Create a resource in Organization B
Use the Aidbox UI REST Console to create a Patient resource in organization B.
Check that access control works
Patient is visible from the Organization above (org-a)
Patient is visible from its Organization (org-b)
Patient is not visible from the nested Organization (org-c)
Configuring AccessPolicies
To allow a user or client to interact with organization-based resources, an AccessPolicy should be configured to check the organization id from the https://aidbox.app/tenant-organization-id extension of the User or Client resource.
This example allows an org-based user (created by PUT /Organization/<org-id>/fhir/User) to see patients that are also created in the same organization.
PUT /AccessPolicy/as-user-allow-org-patients

description: A user should be able to get every patient in their organization.
engine: matcho
matcho:
  params:
    resource/type: Patient
  request-method: get
  user:
    meta:
      extension:
        $contains:
          url: https://aidbox.app/tenant-organization-id
          value:
            Reference:
              id: .params.organization/id
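The policy above, evaluated offline, as an added example that is not part of the Aidbox documentation or of its matcho engine: a small Python model of only the operators this policy uses ($contains, literal equality and .params references). The request shape built by make_request is an assumption about how Aidbox presents an org-scoped request to the policy.

```python
# Added illustration, not Aidbox's matcho engine: a minimal model of how the
# "as-user-allow-org-patients" policy decides a request. Only the operators
# that policy uses are implemented ($contains, equality, ".params..." refs).

POLICY = {  # the page's AccessPolicy "matcho" section as a dict
    "params": {"resource/type": "Patient"},
    "request-method": "get",
    "user": {"meta": {"extension": {"$contains": {
        "url": "https://aidbox.app/tenant-organization-id",
        "value": {"Reference": {"id": ".params.organization/id"}},
    }}}},
}

def resolve(pattern, request):
    """A string starting with '.' is a path into the request, e.g. '.params.organization/id'."""
    if isinstance(pattern, str) and pattern.startswith("."):
        node = request
        for key in pattern[1:].split("."):
            if not isinstance(node, dict) or key not in node:
                return object()  # unresolvable reference never matches anything
            node = node[key]
        return node
    return pattern

def match(pattern, value, request):
    """True when `value` satisfies `pattern` (partial, matcho-style matching)."""
    if isinstance(pattern, dict):
        if "$contains" in pattern:  # at least one list element must match
            return isinstance(value, list) and any(
                match(pattern["$contains"], item, request) for item in value)
        return isinstance(value, dict) and all(
            match(sub, value.get(k), request) for k, sub in pattern.items())
    return resolve(pattern, request) == value

def allowed(request):
    """Decision of the policy for one request."""
    return match(POLICY, request, request)

def make_request(user_org, target_org, method="get", rtype="Patient"):
    """Constructed request (assumed shape): a user carrying the tenant extension
    for `user_org` calls /Organization/<target_org>/fhir/<rtype>."""
    ext = [{"url": "https://aidbox.app/tenant-organization-id",
            "value": {"Reference": {"id": user_org}}}] if user_org else []
    return {"request-method": method,
            "params": {"resource/type": rtype, "organization/id": target_org},
            "user": {"meta": {"extension": ext}}}
```

Note that the policy only matches a user's own organization: a user whose extension says org-a requesting /Organization/org-b/fhir/Patient is not matched by this policy, even though OrgBAC itself makes that patient visible from org-a, so a broader rule is needed for parent-organization users.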