Attribute Based Access Control

For authorization purposes, BioT uses Attribute Based Access Control (ABAC) in it's platform. This security mechanism is used to prevent patient from creating other patients or non caregiver users from accessing PHI that they are not allowed to access.

The system is composed of a global plugin that monitors all incoming API traffic to the platform. Each request is scanned to make sure that the only authorized data is accessed, manipulated and returned as part of the API response.

The platform arrives with a default ABAC implementation that can serve as a basis to reduce the configuration required by the system administrator. Here are the details of the default implementation:

The platform arrives with a single organization for the manufacturer. Other organization entities, representing care provider organizations, may be created.

As a rule of thumb PHI data fields can only be accessed by the patient him/her self and by the caregiver of the same organization. An exception to the rule is the manufacturer's organization (the organization that is automatically created as part of a new deployment), where user can access non-PHI data of other organizations.

You may download the following table that lists all the operation that are allowed to be done by the different user types in the platform.



it’s possible to change the access control rules based on your system needs. Please contact BioT support if you would like to do so.