Location Based Access Control - v0.1.0 Released

@banji thanks, we had an issue with our SMTP servers and long story short I had to unearth your email, but I found it. I’ll connect in private in the next few days.

Another thing: is it 100% clear to you that in the context of an HIS like Ozone, data filtering will only apply to EMR data? There is no such segregation within the other components of the HIS (e.g. Odoo, SENAITE, etc.).

Yes, I understand, that is absolutely clear.

@suthagar23 et al,

Good day, trust you are great. Please, I need help.

I set the user location at ‘manage accounts’, but when I try to log in as the user it gives the error below. Then I press ‘back’ and it logs in the user successfully. But when I try to access other EHR features I get the same error. Please kindly point out which configuration I am missing. I have created locations and attached the user to a location using the ‘manage accounts’ app. Also, is there any other way apart from ‘manage accounts’ to tie a user to a location? Many thanks for your anticipated swift reply. Please note this doesn’t happen when I log in as the admin super user.

Please note there are two images attached; the first one didn’t show but is there.

I seem to have figured parts of it out. It has to do with assigning a location either as visit or login or both. Yes, correct. I set referenceapplication.locationUserPropertyName to false. Now I can select an assigned location done on ‘manage accounts’ as per login location.

@banji is there any reason why you are using this instead of the data filter module?

Hello @dkayiwa. Great question!

Originally, we wanted to use Bahmni as it is close to the production architecture we envisioned, but found out that the data filter module on Bahmni has issues with the Hibernate-ORM layer and makes it unstable, so thought LBAC with OpenMRS for data segregation. But now that you mention it, I am thinking this might be better using the datafilter module, which I originally looked at but in the context of using Bahmni.

So I got advice that datafilter with a Bahmni-type architecture works best with an O3 distro like Ozone HIS. So that was the solution marked for use with the data filter module.

But now that you mention it, I am thinking the data filter module with OpenMRS might be just the thing. I am just pressed for a workable solution right now to production, and the devs we are working with seem to feel more comfortable using the LBAC module. Any of your thoughts for or against this would be much appreciated. The LBAC module seems easier to implement and maintain.

I would definitely still look at the datafilter module with the OpenMRS use case.

But the best use case scenario is having Bahmni with a data segregation implementation. We are constrained in this regard.

With Regards

Am sure you must have read this: Location based Access

@ggomez what is your experience using the location based access control module in Nigeria?

We did assess this module a long while back when we were exploring data segregation strategies for the ICRC implementation (so a large implementation), and we came to the conclusion that it wouldn’t scale well. And then Data Filter was born :wink:

Data Filter was also designed to enforce very strict segregation of data that is subject to stringent data protection rules, that may or may not be your use case. And importantly it was designed from the onset to cover any segregation use cases, not just location-based access control.


I understand that you are in a tricky spot with this decision, and that the outcome has ramifications that would drastically influence the entire choice of distribution (Bahmni vs O3/Ozone). You wouldn’t be the only one sitting in that spot, other orgs have the exact same problem. IMO this is pointing to something serious about Bahmni’s internal designs (i.e. the systematic use of non-standard/shortcut methods to implement its DAO layer). This kind of tech debt has been identified for a long time already, and nothing was ever being done. So this raises questions about governance, tech strategy and so on (and then, Ozone was born :wink:).

Many thanks mksd. I too believe in Ozone’s future in this regard.

Will definitely look at the Datafilter module again as I did before with the ref app. Thanks all for all the great help and assistance. I sincerely appreciate.

Yes Daniel. Thanks for the pointer. Very interesting read!

Apologies for the delay, a lot going on, but I’m working on it now with Ozone. Will revert. I want to master its implementation and use by testing it thoroughly. Thanks for all the great hard work @wyclif.

Hello @wyclif @mksd hope you are great.

Reverting as promised. I am running Datafilter version 2.2.0-SNAPSHOT on Ozone docker install. Please find below my findings.

  1. On installing the module, I could no longer edit a user’s password from the legacy UI page, but when I disabled the module, I was able to do this.

  2. When I installed the module, I could no longer select a location at login. It makes me log in twice before it is successful, without giving the option to select a location. I checked the dev console and found the following errors below.

Disabling the module did not fix this, i.e. revert it back to being able to select a location. Also, deleting the module did not revert it back to this. Please help.

Hi @banji

If this is happening in a non prod environment you probably want to share actual logs and not a screenshot.

You also need to say what version of OpenMRS you are running. I am not so familiar with Ozone; have you tried a released version rather than a snapshot version? Always try to use a released version if possible.

Hello @wyclif

Many thanks for your swift response! Always a pleasure hearing from you.

Will do as you suggested regarding the logs. It’s not a production environment though but a test environment.

It’s currently running on OpenMRS 2.5.9 Build 0

I’m using the docker version (not sure it’s currently based on a released source). I hope @mksd and team can confirm, though I’ll also look through the source to confirm. (If you are referring to Ozone?) Or the datafilter release version? Looking through it now, I git cloned from master and compiled the source to an omod.

Looking at the things you raised now and will revert asap. Again, many thanks for your swift response.

NB please try Ozone, it’s an amazing system!!

I got the datafilter 2.10 version (no snapshot), so gonna try that.

@wyclif

This is the server log after the module was installed but before org.openmrs.module.datafilter:debug was set, and when I accessed the ‘manage users’ admin legacy UI and selected a user, I could not see the normal form display (change password etc.).

This is the server log after I enabled org.openmrs.module.datafilter:debug and accessed the ‘manage users’ admin legacy UI and selected a user. I also could not see the normal form display, including after I logged out of Ozone and logged back in.

One change I noticed now is that with the datafilter 2.10 version, I no longer have the error reported earlier. I can successfully log in and select a location now. I am going to go ahead and try creating patients to location as per the use case. The only issue I see now is that with the module enabled, I cannot see the normal form after I select a user under ‘manage users’.

I would have to disable the module to see it.

But not a show stopper, as I can create a new user with all fields showing or edit an existing user.

@wyclif many thanks, work is ongoing now as per use case, will surely revert with results.

I just have a quick question with respect to creating or modifying a new user’s location from the legacy admin UI, with respect to the location hierarchy and how that relates to the datafilter. When this is done and I log in as the user, I am asked for a location and can select any location, so I am thinking about what the impact will be if I select a location on the OpenMRS 3 front end different from the config done on the legacy admin UI and try to create a patient there. Which location will the datafilter module respect? It’s a misuse case but I will surely test this out pending any expert response.

Update

Just checked the openmrs db table now and it’s empty.

datafilter.patientLocationLinkingInterceptor.enabled is set to ‘true’ (I created a new patient from a new location and provider account). Also, log.level has ‘openmrs.module.datafilter:debug’ included, and this is the server log as of the last operation. datafilter.runInStrictMode is not set.

Using datafilter module version 2.1.0 on OpenMRS 2.5.9.

I think I should move this to a new forum thread?

Update: Datafilter table now populating after restart, though I have not created any patients. Things seem to be working somehow; further testing ongoing.

Update

Datafilter working successfully on Ozone. Further testing still ongoing. Learning about Ozone, OpenMRS 3 Frontend and Core.

Many thanks @wyclif, @mksd, we very much appreciate you and the whole community. You will forever have my support.

Update

Datafilter module working perfectly for all applicable use cases. Will study it more to understand others. You can please ignore my question regarding user context location @wyclif, I’ve figured it out. Many many thanks @wyclif. You absolutely rock!! You too @mksd (and the whole Ozone and OpenMRS team!)

Outstanding work @banji. Thanks for sharing your steps, failures and successes with everyone.

@banji the latest version of datafilter module was tested with a 2.4.x OpenMRS platform release, I don’t know if anyone has tested it on later versions, it is possible it could be broken in later OpenMRS versions.

Thank you @mksd, it was absolutely my pleasure.

Thanks @wyclif, I can confirm it’s working perfectly with version 2.5.9. If I encounter any anomaly, I will do well to report.

Many thanks for all the great hard work.

FWIW Ozone (Pro) 1.0.0 will package Data Filter, so as we’re heading to a release candidate we will clear any issues along the way.
