Attribute Based Access Control (ABAC)
BioT uses two layers of authorization to control both API access and which data a user can see:
- Static Access Control: Based on the JWT you get at login, the system decides which APIs you’re allowed to call.
- Attribute Based Access Control (ABAC): This security mechanism controls the specific data a user can access.
The flow is simple: BioT first checks the static permissions. If the user is allowed to call the API, ABAC then makes sure the user can only access data they’re supposed to.
For example, even after logging in, ABAC makes sure a patient can’t create other patient profiles, and users who aren’t caregivers can’t view PHI they shouldn’t have access to.
BioT includes a global service that inspects every incoming API request and validates that the request only reads, updates, or returns data the user is authorized to work with.
The platform comes with a default ABAC setup to reduce the amount of configuration needed from the system admin. It also starts with a single manufacturer organization, and you can create additional organizations for care providers.
Static Access Control
Each user type has access to a different set of APIs in BioT.
- Manufacturer Admin: Full access to all APIs.
- Manufacturer Operator: Access to all APIs marked with the PROTECTED_API permission (each API’s permission appears in its documentation).
- Organization Admin: Access to all PROTECTED_API APIs + the resend invitation API.
- Organization Operator: Access to all PROTECTED_API APIs.
- Caregiver: Access to all PROTECTED_API APIs.
Attribute Based Access Control (ABAC)
As a general rule, PHI fields can be accessed only by the patient themselves and caregivers from the same organization. A special case is the manufacturer organization, which can access non-PHI data of other organizations.
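The following is an added example, not BioT’s own code, that models the two-layer flow described on this page: the static check decides whether the user type may call the API at all, and only then does the ABAC check decide which of the record’s fields (PHI or non-PHI) the user may actually see. The permission tags other than PROTECTED_API, the API names, the organization ids, the field names and the sample records are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ---- Layer 1: static access control (role -> permission tags) ----
# Only PROTECTED_API is a tag named on the page; the others are assumed.
ROLE_PERMISSIONS = {
    "MANUFACTURER_OPERATOR": {"PROTECTED_API"},
    "ORGANIZATION_ADMIN": {"PROTECTED_API", "RESEND_INVITATION"},
    "ORGANIZATION_OPERATOR": {"PROTECTED_API"},
    "CAREGIVER": {"PROTECTED_API"},
    "PATIENT": {"PATIENT_API"},  # assumed: a patient-scoped tier
}

# Each API is documented with the permission tag(s) allowed to call it (assumed APIs).
API_PERMISSIONS = {
    "patient.read": {"PROTECTED_API", "PATIENT_API"},
    "patient.create": {"PROTECTED_API", "PATIENT_API"},
    "invitation.resend": {"RESEND_INVITATION"},
}

MANUFACTURER_ORG = "org-manufacturer"  # assumed id of the single manufacturer organization


@dataclass(frozen=True)
class User:
    user_id: str   # subject taken from the login JWT
    role: str      # user type, e.g. CAREGIVER
    org_id: str    # organization the user belongs to


@dataclass(frozen=True)
class PatientRecord:
    owner_id: str   # the patient this record describes
    org_id: str     # care-provider organization that owns the record
    phi: Dict[str, str]      # fields classified as PHI
    non_phi: Dict[str, str]  # operational, non-identifying fields


def static_allows(user: User, api: str) -> bool:
    """Layer 1: may this user type call this API at all?"""
    if user.role == "MANUFACTURER_ADMIN":
        return True  # full access to all APIs
    if api not in API_PERMISSIONS:
        return False  # unknown API: deny by default
    return bool(ROLE_PERMISSIONS.get(user.role, set()) & API_PERMISSIONS[api])


def abac_view(user: User, record: PatientRecord) -> Optional[Dict[str, str]]:
    """Layer 2: which fields of this record may the user work with? None means denied."""
    if user.role == "PATIENT":
        # A patient may touch only their own record (so creating another
        # patient's profile is denied here), and then sees PHI as well.
        return {**record.phi, **record.non_phi} if record.owner_id == user.user_id else None
    same_org = user.org_id == record.org_id
    if same_org and user.role == "CAREGIVER":
        return {**record.phi, **record.non_phi}  # PHI only for same-org caregivers
    if same_org or user.org_id == MANUFACTURER_ORG:
        # Other same-org staff, and the manufacturer organization for any
        # organization's data, get the non-PHI fields only.
        return dict(record.non_phi)
    return None


def authorize(user: User, api: str, record: PatientRecord) -> Tuple[str, Optional[Dict[str, str]]]:
    """Run the static check first, then ABAC; return (decision, visible data)."""
    if not static_allows(user, api):
        return "DENY_STATIC", None
    view = abac_view(user, record)
    if view is None:
        return "DENY_ABAC", None
    return "ALLOW", view


# Constructed sample record for the demonstration.
RECORD = PatientRecord(
    owner_id="pat-1", org_id="org-clinic",
    phi={"name": "Sample Patient", "dob": "1970-01-01"},
    non_phi={"device_id": "dev-42", "firmware": "1.2.0"},
)


def demo_read() -> Dict[str, Tuple[str, Optional[Dict[str, str]]]]:
    """Same record, same API, six different callers."""
    users = {
        "patient_self": User("pat-1", "PATIENT", "org-clinic"),
        "patient_other": User("pat-2", "PATIENT", "org-clinic"),
        "caregiver_same_org": User("cg-1", "CAREGIVER", "org-clinic"),
        "caregiver_other_org": User("cg-9", "CAREGIVER", "org-other"),
        "org_operator": User("op-1", "ORGANIZATION_OPERATOR", "org-clinic"),
        "mfr_operator": User("mo-1", "MANUFACTURER_OPERATOR", MANUFACTURER_ORG),
    }
    return {name: authorize(u, "patient.read", RECORD) for name, u in users.items()}


if __name__ == "__main__":
    for who, (decision, data) in demo_read().items():
        print(f"{who:22s} {decision:12s} {sorted(data) if data else ''}")
```

Note the order of the checks: a caregiver calling invitation.resend is stopped by the static layer without ABAC ever running, while a patient calling patient.create for someone else’s profile passes the static layer and is stopped by ABAC, which is the behaviour the page describes.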
You can download a table listing all allowed operations per user type.
How to read the table:
- Each column represents a user type.
- Each row represents an API operation.
- The colors and text in each cell show the permission for that user for that API.
- Below the table, you’ll find the legend explaining all the symbols and colors.
Note: it’s possible to change the access control rules based on your system needs. Please contact BioT support if you would like to do so.