Limiting Access of Notes to User Who Created Them

Is there a way to limit the ability to view notes/observations so that only the provider who created the note can view it, or to limit the ability to view patients to only their assigned provider?

If this is not currently possible, I was wondering if anyone had any suggestions on how I could approach implementing this.

Thank you for your time.

Are you looking for something like this? Relationship-Based Access Control for OpenMRS

Yes, that’s exactly what I was looking for. Would this be possible to implement within openMRS 2.6?

My experience writing Java is minimal, and I’m still familiarizing myself with openMRS development, but I’m willing to take this on if need be.

Thank you again.

You should be able to implement this in a module that you can install on the OpenMRS platform versions that you want.

I would say that the specific approach Daniel linked to would require a lot of work (though it’s probably a good thing to do in the long run, and would be helpful for a lot of use cases).

I think you can probably achieve your specific goal with less work in a less general-purpose way. It would help to start by listing the specific screens where behavior needs to change.

If it is possible to achieve the goal with less work, even if temporarily while I work on a better solution, that would be great.

Regarding specific screens, I’m not fully sure I understand the question. I’d say the provider dashboard, any searches, reports, or any other way in which written observation notes for a patient may be made accessible. Ideally the patient would not show up at all, and at minimum any observation notes would not be accessible by anyone other than the provider and their direct supervisor.

Thank you again for your time.

Hello, I implemented Relationship-Based Access Control (ReBAC) into an older version of OpenMRS. If someone is taking on this project and implementing a similar access control model as a module, I would be more than happy to share my experience and help out. Unfortunately, I can’t take on the project myself.


Hi Zain, I’m currently working on an attempt to apply the work you did to the current stable version of OpenMRS. So far I’m making decent progress, mostly by comparing the diffs between 1.10, your fork, and the current one. This is also giving me an opportunity to get a better understanding of the code behind both openMRS and the ReBAC implementation.

Ideally I’d like to help implement it as a module once I have a better understanding and more experience working with the openMRS code base.

Any advice or tips would of course be greatly appreciated.

Thank you very much.

I know that looking at the diff might be a bit of a challenge in this case (at least it is for me), because it contained about 25700 lines. From what I recall, I tackled this project by dividing it into smaller chunks: 1- Adding the new classes to the code base and making sure they functioned properly. 2- Updating the web application to incorporate the new classes, and creating the admin pages. 3- Updating the authorization scheme. 4- Adding the administrative actions component.

It might help to read the conference paper that came out of this project. It can be found on my website, under the Publications heading. Website: Paper title: Relationship-Based Access Control for an Open Source Medical Records System

(Unfortunately, I don’t think I’m freely allowed to post that document online.)

Thanks, Zain