|
| 1 | +# MPI Role-Based Access Control (RBAC) — Current State |
| 2 | + |
| 3 | +> **Note:** RBAC in MPI is minimal and early-stage. It supports only two roles with no granular permissions. We are open to feedback and suggestions on how access control should evolve. |
| 4 | +
|
| 5 | +## How it works |
| 6 | + |
| 7 | +MPI uses a simple **admin / basic** two-tier model. A user is either an **admin** (full access) or a **basic user** (patient search and duplicate matching only). |
| 8 | + |
| 9 | +The role is determined by checking the user's `data.groups` array in Aidbox against the configured `MPI_ADMIN_ROLE` environment variable. |
| 10 | + |
| 11 | +## Configuration |
| 12 | + |
| 13 | +### 1. Environment variables |
| 14 | + |
| 15 | +| Variable | Service | Purpose | Example | |
| 16 | +|----------|---------|---------|---------| |
| 17 | +| `MPI_ADMIN_ROLE` | Backend + Frontend | Group name that grants admin access | `SIT_EMPI_ADMIN_DEV` | |
| 18 | +| `MPI_ENABLE_AUTHENTICATION` | Backend | Enable authentication (`true`/`false`) | `true` | |
| 19 | +| `MPI_ENABLE_AUTHORIZATION` | Backend | Enable authorization (`true`/`false`) | `true` | |
| 20 | +| `AUTH_DISABLED` | Frontend | Disable auth entirely, dev mode (`true`/`false`) | `false` | |
| 21 | + |
| 22 | +### 2. Aidbox User setup |
| 23 | + |
| 24 | +We use `data.groups` (not `data.roles`) because it maps naturally to **Active Directory / LDAP groups**. When Aidbox is connected to an external IdP (Azure AD, ADFS, Okta, etc.), AD group memberships are propagated into `data.groups` automatically — so adding a user to the AD group is enough, no manual Aidbox edits needed. |
| 25 | + |
| 26 | +Add the role string to the `data.groups` array of the Aidbox User resource: |
| 27 | + |
| 28 | +```json |
| 29 | +{ |
| 30 | + "resourceType": "User", |
| 31 | + "id": "my-user", |
| 32 | + "data": { |
| 33 | + "groups": [ |
| 34 | + "SIT_EMPI_ADMIN_DEV" |
| 35 | + ] |
| 36 | + } |
| 37 | +} |
| 38 | +``` |
| 39 | + |
| 40 | +The value in `groups` must match `MPI_ADMIN_ROLE` exactly. If it doesn't match, the user is treated as a basic user. |
| 41 | + |
| 42 | +> For Aidbox **Client** resources (service accounts), the check looks at `details.roles` instead of `data.groups`. |
| 43 | +
|
| 44 | +## What each role can see |
| 45 | + |
| 46 | +| Feature | Admin | Basic user | |
| 47 | +|---------|:-----:|:----------:| |
| 48 | +| Patient search & details | Yes | Yes | |
| 49 | +| Duplicate matching | Yes | Yes | |
| 50 | +| Select matching model | Yes | No | |
| 51 | +| Merges page | Yes | No | |
| 52 | +| Non-duplicates page | Yes | No | |
| 53 | +| Audit logs page | Yes | No | |
| 54 | +| Unmerge operations | Yes | No | |
| 55 | +| Aidbox Resource Browser link | Yes | Hidden | |
| 56 | +| REST API (merge, unmerge, model CRUD, bulk match) | Yes | 403 Forbidden | |
| 57 | + |
| 58 | +Basic users see only the **Patients** tab in the navigation. All other tabs are hidden. |
| 59 | + |
0 commit comments