[OpenVPMS Developers] User permissions, security (roles, categories).. how are they all related?

Hi folks,

Just a couple of questions.

- How can you restrict user access?
- Is there a way to audit who did what to which record?
- How are roles and categories related in the administration->user workspace?

-- Albert T. Wong VetAnyware, Veterinary Business Software Solutions


Re: [OpenVPMS Developers] User permissions, security (roles, cat

If you mean how do you prevent a particular user signing on, just delete or deactivate the user in Administration -> Users. If you want to restrict what they can do, you need to assign them roles. A role (Administration -> Roles) is a collection of authorities. An authority (Administration -> Authorities) determines what archetypes a user can create, save, or remove. Currently, there are only 3 predefined authorities, create.all, save.all, and remove.all.

Roles relate to archetype create, save, and remove permissions. Categories relate to what type a user is, e.g. a clinician, administrator, nurse, etc. At the moment, the "CLINICIAN" and "ADMINISTRATOR" categories are the only ones required by the app.

There is an audit service, but it's not enabled by default. See the applicationContext.xml file. The auditServiceAdvisor interceptorNames needs to be uncommented.

class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">

archetypeService auditServiceAdvisor auditServiceAdvisor

class="org.springframework.aop.support.RegexpMethodPointcutAdvisor">

.*ArchetypeService\.save .*ArchetypeService\.remove

The audit service isn't complete. It can't audit the IArchetypeService.save(Collection) methods.

-Tim

Albert T. Wong wrote:

> Hi folks,
>
> Just a couple of questions.
>
> - How can you restrict user access?
> - Is there a way to audit who did what to which record?
> - How are roles and categories related in the administration->user workspace?
>
> --
> Albert T. Wong
> VetAnyware, Veterinary Business Software Solutions

_______________________________________________ OpenVPMS Developers Mailing List developers@lists.openvpms.org To unsubscribe or change your subscription visit: http://lists.openvpms.org/listinfo/developers Posts from this mailing list can be viewed online and replied to in the OpenVPMS Developer's forum- http://tinyurl.com/openvdf

Re: [OpenVPMS Developers] User permissions, security (roles, cat

>> An authority (Administration -> Authorities) determines what archetypes a user can create, save, or remove.

Am I to assume that "read" is an authority that all roles have? Can I also assume that "save.all" means updating an existing entry?

>> Roles relate to archetype create, save, and remove permissions.

So I can only limit permissions to anything that is defined as an archetype?

>> There is an audit service, but it's not enabled by default.

Is the goal of the audit service to provide a way to find out who has edited/changed what EHR records or changed any information within the system?

On Sat, May 2, 2009 at 6:23 AM, Tim Anderson wrote:


-- Albert T. Wong VetAnyware, Veterinary Business Software Solutions


Re: [OpenVPMS Developers] User permissions, security (roles, cat

Hi Tim,

I was reading through this old thread here, wondering if there's any change in the more recent code. We've become concerned about doctors' ability to change records in the past. My current solution is to just run lots of back-ups... to be able to recreate past images of the database, but an auditing service is probably a better solution.

Reading above, I wasn't sure what "IArchetypeService.save(Collection)" means. What items would not be logged by the audit service as a result of the limitation?

Cheers, Paul

Re: [OpenVPMS Developers] User permissions, security (roles, cat

The audit service is very limited. It has never been developed beyond prototype phase. As such, it doesn't audit all of the operations performed on the database nor does it log the user that performed the operation.
It works by intercepting calls to the archetype service - as the post above states, it doesn't intercept the method where multiple objects are saved at once.

This method is used in many places, including:
* lookup merging
* customer merging
* invoice/credit reversals
* document generation
* customer balance updates
* till clearing

If you want to try it out, you need to edit applicationContext.xml located in <TOMCAT_HOME>/webapps/openvpms/WEB-INF/ and uncomment auditServiceAdvisor:
 

    <bean id="autoProxyCreator"
          class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="beanNames">
            <list>
                <value>archetypeService</value>
            </list>
        </property>
        <property name="interceptorNames">
            <list>
                <value>auditServiceAdvisor</value>
            </list>
        </property>
    </bean>

 

-Tim

Re: [OpenVPMS Developers] User permissions, security (roles, cat

Thanks Tim,

I guess the thing we're most concerned about is legal items (in this litigious environment). Hence, one primary concern is medical records. It sounds like those might be covered, correct?

It still sounds like creating database logs over time might be a safer route. I'm not sure if MySQL has an equivalent of WAL logs (a postgres thing?). If it does, we can record all changes per day to the database. That would surely satisfy any legal inquiries...

Cheers, Paul

Re: [OpenVPMS Developers] User permissions, security (roles, cat

It will log that a medical record has changed, but not who changed it, or what changed (like I said, it never got past the prototype stage).

There are a few approaches that could be taken:

1. expand the audit service to log what changed, who changed it, and when

2. implement audit logging using triggers

The first approach needs to be implemented in OpenVPMS. This is my preferred approach, as it can be enabled and disabled as necessary, and is easier to deploy.

The second you could implement yourself according to your own requirements. A quick google search turns up quite a few resources for implementing audit logging in MySQL.

Regards,

Tim
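
One shape the trigger approach (option 2 above) could take, as an added example that is not part of the original thread. The `patient_record` table and its columns are hypothetical stand-ins, not the OpenVPMS schema, and `@app_user` is an assumed session variable that the application would have to set itself.

```sql
-- Added example for MySQL. Table and column names are hypothetical,
-- not taken from the OpenVPMS schema.
CREATE TABLE patient_record (
    id         BIGINT PRIMARY KEY AUTO_INCREMENT,
    patient_id BIGINT NOT NULL,
    note       TEXT,
    updated_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
               ON UPDATE CURRENT_TIMESTAMP
);

-- Append-only audit table: what changed, who changed it, and when.
CREATE TABLE patient_record_audit (
    audit_id   BIGINT PRIMARY KEY AUTO_INCREMENT,
    record_id  BIGINT NOT NULL,
    action     ENUM('UPDATE', 'DELETE') NOT NULL,
    old_note   TEXT,
    new_note   TEXT,
    db_account VARCHAR(288) NOT NULL, -- MySQL login; often one shared application account
    app_user   VARCHAR(128),          -- application user, NULL unless the session set @app_user
    changed_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- DELIMITER is a mysql command-line client directive, not server SQL.
DELIMITER //

CREATE TRIGGER patient_record_audit_update
AFTER UPDATE ON patient_record
FOR EACH ROW
BEGIN
    -- <=> is NULL-safe equality, so NULL -> text and text -> NULL are both logged.
    IF NOT (OLD.note <=> NEW.note) THEN
        -- USER() is the connecting client; CURRENT_USER() inside a trigger
        -- would return the trigger's DEFINER instead.
        INSERT INTO patient_record_audit
            (record_id, action, old_note, new_note, db_account, app_user)
        VALUES (OLD.id, 'UPDATE', OLD.note, NEW.note, USER(), @app_user);
    END IF;
END//

CREATE TRIGGER patient_record_audit_delete
AFTER DELETE ON patient_record
FOR EACH ROW
BEGIN
    INSERT INTO patient_record_audit
        (record_id, action, old_note, new_note, db_account, app_user)
    VALUES (OLD.id, 'DELETE', OLD.note, NULL, USER(), @app_user);
END//

DELIMITER ;
```

Because a web application normally connects with a single database account, `db_account` alone does not identify the person; `app_user` is filled only if the application runs `SET @app_user = ...` on each connection it uses, which nothing in this thread says OpenVPMS does. Triggers execute with their definer's privileges, so the application account needs no privileges on the audit table and cannot rewrite it directly.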
