Attribute Based Access Control

For authorization purposes, BioT uses Attribute Based Access Control (ABAC) in it's platform. This security mechanism is used to prevent patient from creating other patients or non caregiver users from accessing PHI that they are not allowed to access.

The system is composed of a global plugin that monitors all incoming API traffic to the platform. Each request is scanned to make sure that the only authorized data is accessed, manipulated and returned as part of the API response.

The platform arrives with a default ABAC implementation that should fit most customers needs.
The platform arrives with a single organization for the manufacturer. This Organization should only be used to create more manufacturer users.

For the manufacturer to be able to manage patients (for example in a clinical trial), he should create his own organization and manage all the patients, caregivers and organization users in this organization.

As a rule of thumb PHI data fields can only be accessed by the patient him/her self and by the caregiver of the same organization. An exception to the rule is the manufacturer's default organization where no user can access PHI data.

You may download the following table that lists all the operation that are allowed to be done by the different user types in the platform.

📘

Note

it’s possible to change the access control rules based on your system needs. Please contact BioT support if you would like to do so.