
Attribute Based Access Control

BioT utilizes two authorization measures to control API access and data permissions:

  1. Static Access Control: The JWT token issued upon login determines which APIs a user can access.
  2. Attribute Based Access Control (ABAC): This security mechanism controls the specific data a user can access.

BioT first applies Static Access Control. If authorized, Attribute-Based Access Control is then evaluated.

For example, once a user is logged in, ABAC prevents patients from creating other patient profiles and restricts non-caregiver users from accessing protected health information (PHI) they shouldn't see.

The system is composed of a global service that monitors all incoming API traffic to the platform. Each request is scanned to make sure that only authorized data is accessed, manipulated and returned as part of the API response.

The platform arrives with a default ABAC implementation that can serve as a basis to reduce the configuration required by the system administrator. Here are the details of the default implementation:

The platform also arrives with a single organization for the manufacturer. Other organization entities, representing care provider organizations, may be created.

Static Access Control

Each user can access different APIs in BioT.

  • Manufacturer Admin: can access all APIs in the platform.
  • Manufacturer Operator: can access all APIs with PROTECTED_API permission. (Each API's permission can be found in its documentation page.)
  • Organization Admin: can access all APIs with PROTECTED_API permission and the resend invitation API.
  • Organization Operator: can access all APIs with PROTECTED_API permission.
  • Caregiver: can access all APIs with PROTECTED_API permission.

Attribute Based Access Control

As a rule of thumb, PHI data fields can only be accessed by the patient himself/herself and by a caregiver of the same organization. An exception to the rule is the manufacturer's organization (the organization that is automatically created as part of a new deployment), where users can access non-PHI data of other organizations.
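The two-stage decision described on this page (static check first, then ABAC) can be modelled as follows. This is an added illustration, not BioT code: the class and function names, the RESEND_INVITATION label, the organization ids and the choice of PHI fields are assumptions, as is the reading that staff roles may see non-PHI data in their own organization.

```python
from dataclasses import dataclass

# Stage 1 table, taken from the role list on this page. "*" means every API.
# RESEND_INVITATION is a made-up label for the resend invitation API.
# Patient API permissions are not listed on the page, so they are not modelled.
STATIC = {
    "Manufacturer Admin": {"*"},
    "Manufacturer Operator": {"PROTECTED_API"},
    "Organization Admin": {"PROTECTED_API", "RESEND_INVITATION"},
    "Organization Operator": {"PROTECTED_API"},
    "Caregiver": {"PROTECTED_API"},
}
MANUFACTURER_ORG = "org-manufacturer"   # constructed id for the built-in organization
PHI_FIELDS = {"name", "date_of_birth"}  # constructed: which fields count as PHI

@dataclass(frozen=True)
class User:
    id: str
    role: str
    org: str

def static_allows(user, api_permission):
    """Stage 1: may this role call an API carrying this permission?"""
    granted = STATIC.get(user.role, set())  # unknown role: fail closed
    return "*" in granted or api_permission in granted

def visible_fields(user, record):
    """Stage 2 (ABAC): the part of a patient record this user may see, or None."""
    same_org = user.org == record["org"]
    if user.id == record["patient_id"] or (user.role == "Caregiver" and same_org):
        return dict(record)  # PHI allowed: the patient or a same-organization caregiver
    # Assumption: staff roles see non-PHI data in their own organization;
    # manufacturer-organization users also see non-PHI data of other organizations.
    if user.role in STATIC and (same_org or user.org == MANUFACTURER_ORG):
        return {k: v for k, v in record.items() if k not in PHI_FIELDS}
    return None  # everything else is denied

def authorize(user, api_permission, record):
    """Static check first; ABAC is evaluated only if it passes."""
    if not static_allows(user, api_permission):
        return None
    return visible_fields(user, record)

# Constructed sample record
RECORD = {"patient_id": "p1", "org": "org-clinic-a", "name": "Sample Patient",
          "date_of_birth": "1970-01-01", "device_status": "paired"}
```
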

You may download the following table, which lists all the operations that the different user types are allowed to perform in the platform.

📘

Note

It’s possible to change the access control rules based on your system needs. Please contact BioT support if you would like to do so.