Location Based Access Control - v0.1.0 Released

Hello @mksd

Thanks very much for this. I have been following your viewpoint on this topic regarding data segregation strategy and data security and protection. I too believe the Data filter module is the way to go, but there isn't much end-user documentation on how to implement this. If there is, aside from what has already been shared earlier, I would appreciate a pointed direction.

Use-Case

Trying to use data filter 1.x on OpenMRS 2.1* version

Hospital A, Hospital B locations - Registrar, Nurse & Doctor and patients - for each location. How do we use data filter to achieve this?

What I read was about adding a new person attribute of Location and configuring that to the respective users? Any pointers would be greatly appreciated. Looking forward to your anticipated swift response.

Many thanks for all the great work and the community.

@banji the wiki documentation is unfortunately outdated :disappointed: At the time of the documentation we were envisioning that a patient would be mapped to one location, and that this one association would be made through a person attribute.

This has changed and now patients are mapped to locations (as many as needed) through entries in the entity_basis_map table as well.

This mapping is created automatically upon patient registration through a Hibernate interceptor. This happens here. It is documented here as such:

This interceptor links every newly created patient to the current user's session location. This is a very basic implementation that makes the assumptions below:

  • No nested transactions
  • Exactly one patient is created in a session
  • There is a session location set on the user context
1 Like

Dear @mksd Dimitri,

Many thanks for the revert!

We will digest this and revert accordingly!

Many thanks for all the great work!

Best Regards!

Many thanks @mksd and the community.

Pardon me if this question has been answered somewhere else (I can't seem to find it; if anyone knows where it is, a direction would be much appreciated) - what is the best way to achieve simulated multi-tenancy/multi-practice (as it's known that true multi-tenancy isn't possible without OpenMRS core modification) on Bahmni? Is this possible using Data filter? (LBAC?)

Did you get a chance to evaluate this? Bahmni as Multi-Tenant SAAS solution - #3 by angshuonline

Hi @dkayiwa, many thanks for all your great work and support! I have been reading your posts with rapt attention. Just want to appreciate you for all that you are doing. It is truly phenomenal.

Yes, we evaluated that solution, but it is a bit too complex for our current deployment, in the sense that we are looking to deploy the solution for about 400+ hospitals and clinics, so we are looking for something more lightweight, hence the Data filter module LBAC route as a workaround.

Current Set-up - data filter 1.x on OpenMRS 2.1* version

Hospital A, Hospital B locations - Registrar, Nurse & Doctor and patients - for each location

We created the users and created the patients from the current users' sessions but could still see the patients from cross-user sessions. I believe I am not getting something right here. Any help would be much appreciated @mksd. (Please note, I am not a programmer, so please forgive me if I am getting something wrong. I yearn to implement this properly - datafilter module for our use-case.)

Another observation recorded was that each user account could log in to each defined location (which isn't an issue per se, as data filter should restrict what they should be able to see based on the pre-configured location), but we found no way to tie a user/provider to a specific location. We tried using the provider attribute, but that did not work at the admin interface; the app did not effect the change to set the provider location to a specific location after adding the attribute to the provider.

Still tinkering with the solution and would surely provide any updates on any success recorded in this direction.

Again, many thanks to the community for making this great solution available to the OSS community. It is truly a wonderful solution.

Thanks @mksd, I have done this but am not sure of this particular line. Is this set somewhere else? Or is it effected once the user/provider logs in to the configured location? I tried setting the provider location through an attribute from provider management, but it did not take effect at the admin panel - i.e. trying to set/fix a provider to a specific location.

And also, when we logged in with the provider account and created a patient, I did not seem to achieve the data segregation, as I could see other patients created from the other user/provider session location.

[image] This is where I tried to set the user location context, but it took no effect after clicking save.

From the datafilter module's 'little' documentation here, to link users and patients to locations, you need to do it by entering rows in the datafilter_entity_basis_map table; the basis is the same for all, i.e. location, and the filtered entities in your case are user and patient. You can also do this programmatically via the DatafilterService.grantAccess method.

Datafilter will auto link patients to the login location upon registration, so you will only need to link previously registered users before the module was installed.

3 Likes

Also note that filters don't apply to super users, i.e. users with the system developer role, so to properly test datafilter you have to be logged in as a non-super user.

2 Likes

Many thanks Boss.

You have said it all.

Many thanks for all the great work.

We appreciate you.

Many thanks to @mksd too!

Thanks very much @wyclif, any particular reason why this wouldn't happen? I've installed the filter, and the provider logs in to a location and registers a patient (Bahmni), but when I check the table, it's empty. I'm thinking I have to do this from OpenMRS itself, but there is no login location on OpenMRS?

Currently trying to do this manually for POC purposes. Many much thanks for your anticipated reply with regards.

Also, if we can get a sample of how the table structure should look for LBAC for two locations, two patients in those locations and two separate providers tied to those locations, this would greatly help, as we cannot seem to get the implementation right - still trying though.

There is a global property named datafilter.patientLocationLinkingInterceptor.enabled that you need to set to true for the auto linking to work, sorry I forgot to mention this. You will need to be running an instance of OpenMRS that lets you select a login location, the reference application has this feature anyways.

The module has test data linking patients and user to locations, here we are linking users and here we are linking patients

1 Like

Many thanks @wyclif! Will do this and revert accordingly. No need to apologize, smiles :slight_smile:

Please do have a look at this table when you are free. I did the insert by hand for two patients tied to two locations and two users (providers tied to those locations), but the filter did not seem to kick in. I am suspecting that I missed the last uuid in the INSERT command. What does that uuid stand for? Randomly generated? Because we see that the last uuid must be unique to each row.

Much thanks, each of your words brings us closer to mastering your great work!

Thanks very much @wyclif, this is very very helpful. I can see what the parameters mean now.

@banji actually basis_identifier and entity_identifier column values are supposed to be entity primary key values and NOT uuids; in the future we want to improve this to support uuids too.

1 Like
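An added illustration of the mapping rows discussed in this thread (not code from the datafilter module or from any poster): two locations, two users and two patients linked by primary key, plus a query that models the intended outcome of the filter rather than the module's own query. Assumptions: only the table name, `entity_identifier`, `basis_identifier` and a unique per-row `uuid` come from the thread; the other column names, the type strings, the random uuid, the ids and the SQLite stand-in database are constructed for the example.

```python
import sqlite3
import uuid

# Assumed layout: only the table name, entity_identifier, basis_identifier
# and the unique per-row uuid are named in the thread.
SCHEMA = """CREATE TABLE datafilter_entity_basis_map (
  entity_basis_map_id INTEGER PRIMARY KEY,
  entity_identifier TEXT NOT NULL, entity_type TEXT NOT NULL,
  basis_identifier TEXT NOT NULL, basis_type TEXT NOT NULL,
  uuid TEXT NOT NULL UNIQUE)"""

LOCATION = "org.openmrs.Location"                     # assumed type string
USER, PATIENT = "org.openmrs.User", "org.openmrs.Patient"  # assumed

def link(db, entity_type, entity_id, location_id):
    """Map one user or patient to one location by primary key, never by uuid."""
    for value in (entity_id, location_id):
        if not str(value).isdigit():
            raise ValueError(f"expected a primary key, got {value!r}")
    db.execute(
        "INSERT INTO datafilter_entity_basis_map (entity_identifier,"
        " entity_type, basis_identifier, basis_type, uuid) VALUES (?,?,?,?,?)",
        (str(entity_id), entity_type, str(location_id), LOCATION,
         str(uuid.uuid4())))  # assumption: a random, unique value per row

def visible_patients(db, user_id):
    """Patient ids that share at least one location with the given user."""
    rows = db.execute(
        "SELECT DISTINCT p.entity_identifier"
        " FROM datafilter_entity_basis_map u"
        " JOIN datafilter_entity_basis_map p"
        "   ON p.basis_identifier = u.basis_identifier"
        "  AND p.basis_type = u.basis_type"
        " WHERE u.entity_type = ? AND u.entity_identifier = ?"
        "   AND p.entity_type = ? ORDER BY p.entity_identifier",
        (USER, str(user_id), PATIENT))
    return [int(r[0]) for r in rows]

def build_sample():
    """Constructed ids: locations 1 (Hospital A) and 2 (Hospital B)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    link(db, USER, 10, 1); link(db, PATIENT, 100, 1)   # Hospital A
    link(db, USER, 11, 2); link(db, PATIENT, 101, 2)   # Hospital B
    return db
```

A user with no row in the table sees no patients in this model, which is the state to check for when segregation appears not to work.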

I just set the value to true and created new patients from the currently logged-in user in a location (I'm using Bahmni), but the datafilter table is empty. Do I need a restart? Or does it not work with Bahmni?

You might want to look at the logs. If auto linking is enabled and the module can't find the location on the user context, it throws an exception. Can you verify that no exception is thrown in the application logs when you create a new patient?

1 Like

Can you also append org.openmrs.module.datafilter:debug to the value of the global property named log.level? Don't forget the comma as the separator. This will help you get more context of what's going on from the debug logs.

1 Like

OK, I'll do this and revert accordingly.

Datafilter 1.x releases require at least OpenMRS version 2.3.1. I see you are running 2.1.x; it might not work well for you.

1 Like